Tuesday, March 24, 2015

IT Risk Seminar, Zagreb March 2015

Left to right: Me and Jerko Burić
Last Thursday (19th of March 2015), I attended the local IT Risk Seminar together with my colleague Jerko Burić. As Jerko was giving his presentation on Cyberforensics I was networking and answering questions that came from insurance companies. Most questions were about how to raise awareness within different organizations regarding cyber risks and cyber and digital security.

As the initial post covering the goal of the event said: "The seminar is intended for IT Risk corporate sector, the IT sector and the insurance and banking and Croatian regions. The conference program is rich in speakers - top experts from the field of cyber security and IT security risks from the Croatian and Europe." It was an extremely interesting mix of presenters and attendees. It is not often that you find Digital Forensic experts in the same place as insurance companies and bank representatives.  I was rather surprised that there were only a few law enforcement agencies, but then again, this was targeting the insurance companies and forensic experts.

As I was aware of a local insurance company -which will remained unnamed- that has been working on fine-tuning a possible insurance policy covering Insurance for Cyber Crime for the last 4 years, it was interesting to see the presentation from the UK by Mike Shen. He really crunched down the numbers showing how much an actual incident would cost on all different levels, including the digital forensic related technical services. Only part of his presentation is available here.

The lectures from EUCert, our local Cert and law enforcement shows important development among all involved in the security investigation process. The key event was last year's Zeus malware outbursts, where all agencies involved were finally cooperating, from banks to clients and law enforcement agencies. Without which any policy would have been a failure!

The fun part of this event for me was when I was having a good laugh while witnessing the heated discussion panel. I can't remember being around people that got so fired up in public. Maybe I'm not supposed to mention this, but life is about being real. We have to give them credit for having the courage to sit together and discuss all this.

Conclusions from this event for me are that companies are now starting to see Digital and Cyber Security as a real threat.  If an insurance company intends to go into the deep and offer this insurance, covering the company's digital fortress, they'll have to take quite a lot into consideration, not only how to qualify a customer (like a health check) but how to insure the customer stayed healthy before they got hit. Just this idea and it's set up with an insurance company can give any engineer a good splitting headache. I believe it can be challenging to locate statistical information with regards to actual digital forensic incidents worldwide, as they are not all reported to one governing body. But, if there is a will there will be a way. Then again, facing business continuity plans and reality, we have to ask ourselves:  Which bank would go public saying they've been hacked, if they can keep it quite and deal with it as fast as possible?

Anyway, as a technical guy, it is best for me to leave the insurance policy set up to the insurance companies :) They'll know where to find me if they need detailed and outlined digital forensic processes and setups.




No comments:

Post a Comment