Who Watches the Watchmen: Practicing Vigilance with Cybersecurity Providers

“Who watches the Watchmen?”

You may remember the dark, grisly 2009 alt-superhero movie “The Watchmen.” Or you may remember the source graphic novel from long before that (and declare blasphemy at people who reference the movie first, like me).

The story follows a group of crimefighters who each have their own questionable track records. We see the words “Who watches the Watchmen?” spray-painted on a wall at some point, a fair question from concerned citizens. A Google search informed me that it’s a play on the Latin phrase “Quis custodiet ipsos custodes?” — or “Who will guard the guards themselves?” — originally from the “Satires,” a Roman poetry collection far older than any comic book.

Watchmen and watchwomen have existed for as long as people have needed watching over. One modern incarnation is those who help keep our technology (and by extension, our lives) protected from emerging threats. The mad dash to adopt sound cybersecurity is our generation’s version of hiring palace guards or blasting a Bat-Signal toward the sky. Daily news alerts about large-scale attacks, such as the recent ransomware incident targeting hospitals, only reinforce the need — and now, not later.

This panic can lend itself to rash decisions, and an entirely new set of potential problems. We can fail to consider who is guarding the guards themselves — who is watching the watchmen. “Quis custodiet ipsos custodes?” We can forget that these people are human just like the rest of us. Even if they show up wearing a cape, they may not all be as super as they claim to be. So before handing over the keys to your car, it’s prudent to take the extra bit of time and effort to get to know the would-be drivers.

If you’re researching cybersecurity providers for your company, you should check their paper credentials first and foremost, as you would a lifeguard’s CPR training (or, for that matter, a doctor’s medical degree). For cybersecurity services, qualifications such as Certified Information Systems Security Professional (CISSP) and ISO 27001 are standard indicators of regulatory compliance and general know-how. There are also a number of certificates related to IT security software that can help buyers have confidence in their purchases. The ideal certifications vary based on which sector of security is being covered.

Many companies display certification information publicly on their websites; in other cases, finding this information may require a phone call or email. Providers should have no problem offering proof of their qualifications. If they hesitate, it may be a clue that they have something to hide…or nothing to show. Open and honest communication is a telling sign — here as anywhere else. Any “used-car salesman” vibe should be a red flag, especially when putting your family’s or company’s critical information in someone else’s hands.

The next advisable step is to do some personal research on the company’s history, looking for any worrisome events or news coverage. Many security providers, even some of the biggest names, have faced charges of mishandled information or suffered their own breaches. Even though background checks are routine (or should be routine) in these companies’ hiring processes, bad eggs can slip through the cracks and create a disturbance, like Veruca Salt in the Egg Room with the Golden Geese.

While one exception shouldn’t undo years or even decades of success in protecting clients, incidents like these should not be overlooked. The actions of one employee, both on and off the clock, can be indicative of company ethics as a whole. In recent happenings, a team leader at Russian security firm Kaspersky Lab was arrested on charges of treason. Soon after, the FBI launched an investigation into the company for suspected involvement in the U.S. election.

Back on U.S. soil, major players like 5i Solutions and FireEye have endured employees “going rogue” with classified information, putting the companies and all their clients in harm’s way. In all fairness, every successful company — quite literally — has human-shaped blemishes on its outfit, regardless of how hard it has worked to wash them out. But the size and quantity of such blemishes are factors to consider before entering a professional relationship.

Studies show that 50 percent of security incidents originate from the inside. This is equally true for non-security-related companies: Disgruntled employees often take out their frustrations by abusing access to company data. And for every corrupt insider that gets caught, there are likely others who fly under the radar. Past cases of this “cyber extortion” have cost companies millions in damages.

For this and every other reason under the sun, including the off-chance your protective services go awry, the spotlight is swiftly turning on the cyber insurance industry. Agencies like Chubb and Lloyd’s are defining this hot, high-pressure space, while other household-name insurance providers are expanding their expertise to nab a piece of the pie. As these companies race to lay the foundation for this industry, the ceaseless flux of new threats and regulations has not allowed the wet cement to dry. An insured company may never know if it is covered from tomorrow’s news, let alone if it is receiving fair rates — just one more headache in the effort to stay safe.

Regardless, the cement keeps pouring: More than $1.3 billion in cyber coverage was sold in 2016 in the U.S. alone. According to Fitch Ratings, this market could be worth $14 billion by 2022. Just as with cybersecurity vendors and providers, it will require an extra effort on everyone’s part to do research, speak up and keep these companies honest and accountable.

There is an ocean of minutiae to keep track of, and it’s rising every day. It will take a collective effort and a watchful mindset to minimize the losses and distress caused by cybercrime — and the cyber-superheroes as well. If no one else, we must watch the Watchmen. Capes optional.
