Technology / Ransomware: Is it time your security vendor put its money where its mouth is?

Ransomware: Is it time your security vendor put its money where its mouth is?

Ransomware victims paid out £159 million to hackers in the first quarter of 2016, despite many of them running security products. Should vendors be held accountable when their clients are hacked?

"We are basically trying to tackle one of the biggest cyber security issues of today, which is ransomware," says Tomer Weingarten, CEO and co-founder of SentinelOne, at a roundtable discussing his company's new security product guarantee.

If a company running its protection is hit by a ransomware attack that its products were unable to stop, it will cover them for $1,000 (£760) per endpoint, up to a total of $1 million (£760,000) - the first such "cyber threat protection guarantee" in existence.

"It is the first time ever that a security vendor would come and say, 'If you use this software you will not be hacked. We will insure your company for up to $1 million,'" Weingarten says.

"You do not buy a new car without a warranty, so this is something that needs to be changed in cyber security in general. We think it is a big step for the entire industry and we do hope that others will follow."

SentinelOne is under no illusion that it will never pay out on the guarantee – after all, threats are constantly evolving and no product is 100 per cent effective – but the move shows a confidence in its product that is as yet unmatched in the industry, and could spark a trend that changes the way businesses pay for damage caused by cyber breaches.

“We plan to back 500 enterprises with this first batch,” Weingarten explains. “But we do not believe in bulletproof security. Statistically speaking we are around 99 per cent, but it means that we will still have some payouts.”

For security expert Robert Schifreen, the guarantee represents a growing realism within the world of IT, where once the average user believed that installing an off-the-shelf anti-virus product would render them immune to attacks.

“When you buy a lock, when you buy an alarm system, when you buy an IT security product, what you are buying is peace of mind,” he says. “The IT industry has been selling peace of mind for a long time and customers have been believing it, and now we are accepting that the peace of mind we have been sold is not necessarily true.”

He says that as well as backing up that peace of mind, security product guarantees could make it easier for staff to pitch solution purchases to management, which was previously a challenge when the best outcome following a breach was to get the licence fee back.

“I can now say it is going to work and if it does not work they will pay for it,” he says.

For Graeme Newman, chief innovation officer at CFC Underwriting, ransomware is a big deal. In fact, it is involved in 90 per cent of his clients’ claims and has even sent one company under. He says he is “sick and tired” of the 80-page terms of use documents used by security firms to dodge responsibility, and can understand why some businesses opt to pay ransoms.

“People are backing up on a daily basis and a lot of these backups are quite sketchy,” he says. “They are not everything… You might be surprised at the number of people that pay up.”

But with a guarantee to cover their losses, firms may be less likely to pay cyber criminals. For Newman, SentinelOne’s decision to offer a guarantee is also reflective of a general shift towards recognising the value of intangible losses, like time, data and intellectual property. This includes the 300 year-old insurance industry’s move into cyber protection.

“For 299 of those 300 years we have focused solely on bricks and mortar – tangible property,” he says. “In the last year, the value of the world’s intangible property – its data – exceeded the value of its tangible property.” This means it needs similar protection.

It remains to be seen how the world’s first cyber threat protection guarantee will be received by businesses, but if the concept catches on then it could be time for security vendors to put their money where their mouths are and show their confidence in their products.

“You are not just buying peace of mind, you are buying someone saying, ‘If you get hacked, we will compensate you,'” Schifreen says. “It will probably evolve and the Ts and Cs will evolve, but I think we should welcome it.”



Get our latest features in your inbox

Join our community of business leaders