InsureTrust Ensures Network Security

• 06/14/2000

InsureTrust LLC (www.insuretrust.com ) acknowledges the importance and vulnerability of information assets by evaluating corporate networks for security, and certifying them for insurance from a handful of providers.

But insuring corporate networks can be a challenge, especially when it comes to bridging the gaps between IT and the insurance industry. The computer and insurance fields have profoundly different assumptions and perspectives on the world, creating communication difficulties. "There’s a huge information disconnect between technical security guys and insurance," says Mary Bieker, president of InsureTrust.

InsureTrust does not insure networks, but it translates security risks into financial risks. InsureTrust’s experts evaluate networks for weaknesses, and approves or declines a system for insurance.

"If there are any major vulnerabilities, it does affect their insurability," Bieker says. If a system is declined, InsureTrust can suggest improvements that will make the network more secure.

InsureTrust is partnered with Internet Security Systems Inc. (www.iss.net) to provide security solutions to vulnerable systems. InsureTrust hopes the partnership will simplify bringing networks up to par.

A recent IDC (www.idc.com) report suggests that security will become essential to all businesses. Networks have become both a major liability and a fundamental tools for enterprises. Securing these networks will emerge as a priority for successful businesses.

"Companies that continue to regard security as a necessary evil will be forced out of business by companies who use security technologies to launch high-value applications," says Abner Germanow, an analyst at IDC.

The recent distributed denial of service (DDoS) attacks launched on major Internet sites illustrate the potential liability for businesses with shoddy or nonexistent security practices. The DDoS attackers used agents placed on insecure machines to launch a large volume of network noise, causing sites to crash. While the attacks were fairly obscure when they first grabbed headlines, business that allow machines to be deployed in an attack could be held accountable.

In addition, customers of business-to-business organizations may be reluctant to deal with enterprises that have networks with little or no assurance of security. As extranets, virtual private networks, and other e-business strategies lubricate business, customers will want to be sure that their data is protected from intrusions and malicious code. Harming a customer’s system is the last thing an e-business wants to do.

Richard Dean, an analyst at IDC, says programs like InsureTrust’s can alleviate some of the financial risk of e-business. "A Web site insurance plan, supported by a tangible and interrelated security consulting, integration, and monitoring program, does provide a maximum level of protection," he says.

InsureTrust provides these services for enterprises that lack the expertise to develop a security plan or the confidence to assume the risk of security themselves. InsureTrust can provide value to businesses whether or not the business already has a security program in place.

Dean points out, however, that security, rather than the immediate financial risk, should be the focus of businesses concerned about the consequences of security. "Insurance alone cannot repair the subsequent damage to a vendor’s reputation and the erosion of customer confidence that often accompanies such an attack," he says. Insurance can only cover tangible assets lost in an intrusion, not assets such as branding or reputation.

Insurance aside, InsureTrust also offers an advantage to administrators interested deploying a security program. There is a guarantee that the security program is adequate, and the dollar and cents figures they place on security risks may help administrators convince their bosses that security is essential.