As I learned last month, when I began my first real job out of school, being an adult is mostly about buying insurance—health insurance, dental insurance, vision insurance, life insurance, accidental death and dismemberment insurance, disability insurance, and pet insurance. So it was with some fatigue that I read the story in Sunday’s Wall Street Journal headlined “Do Individuals Need Cybersecurity Insurance?” (What next, pet cyberinsurance?)
I’ve written before about why it’s difficult to insure large companies against computer security incidents and large-scale data breaches effectively. Corporate cybersecurity insurance is undoubtedly a growing and important market—though there’s a lot we still need to figure out in order to assess the risks and costs associated with these incidents in a meaningful way.
Cybersecurity insurance for individuals, however, seems more misguided. For one thing, the intelligent, efficient criminal probably won’t go after an individual—he is much more likely to go after a collection of many thousands—or millions—of people’s data stored in one place, like the servers belonging to a retail chain, or a large government agency, or a health insurance company. So if your data is breached, it probably won’t be because of a flaw in your personal systems and computers (though it’s certainly possible for someone to exploit your home wireless network or your weak passwords).
But the Journal cites one company that offers clients a one-day audit of their home networks starting at $1,500, as well as monitoring home networks for intrusions at a cost of $500 to $3,000 monthly, and a $2,500 “social engineering assessment” that “analyzes how criminals could exploit publicly available information on a client.” That basically amounts to paying someone $2,500 to Google you and tell you what they learned. And self-Googling is a service most of us already provide ourselves at no charge.
Having someone come in to audit your home computer security and systems is unlikely to effectively address the real targets—the many hundreds, or thousands, of third parties who store your sensitive data on servers all over the world. That’s not to say you shouldn’t practice good computer hygiene at home—of course you should! But purchasing an insurance policy to protect the risk of your laptop or smartphone from being compromised isn’t likely to get you very far.
There are probably some people out there for whom it would make sense to hire professionals to monitor and audit their home computer security—multibillionaires and high-profile politicians (especially ones who use home servers to store all their work emails) might be sufficiently attractive targets to warrant the extra investment.
But for most of us, the benefits of trying to lock down our home computer networks are just too trivial to warrant a $1,500 audit or a $3,000 monthly monitoring fee.
That’s not to trivialize the risks or the costs associated with having your personal information stolen. The Journal quotes Atherton, California, Mayor Rick DeGolia, who has purchased an audit of his home computer systems, as saying, “I’m more worried about [hacking] than I’m worried about a fire.” He’s probably not wrong about that—the odds that his data will be breached may well be higher than the odds of his house burning down.
But it’s unlikely that that breach will occur because of a vulnerability in DeGolia’s personal security measures or because he’s failed to adequately protect his own devices or home network. Much more likely is that he’ll receive a letter, of the sort we’ve all grown far too accustomed to receiving, notifying him that his grocery store/health insurance company/employer/favorite website has been breached and some of his information may or may not have been leaked and he may want to sign up for an identity theft service or exercise extra caution.
Securing data and networks doesn’t begin at home. It begins at large organizations that have large enough volumes of sensitive information to be high-profile targets and sufficient resources to understand and address those threats accordingly. These aren’t entirely unrelated problems, of course—it’s possible to compromise an employee’s home network or personal device to steal credentials that can then be used to access the employer’s networks—but the greater onus should be on organizations to establish security practices and insure their employees and clients against risk rather than vice versa.
So I’d steer clear of personal cyberinsurance and home security audits, at least for the time being, and spend more time worrying about all the other places that your data is stored outside your own home. On the bright side, you now have a reason to Google yourself without guilt.
