Cybersecurity Secrets Unveiled for the Insurance World: Not All Vulnerabilities are Created Equally.

Author: Soble, Stephen M.
Position: CYBER UPDATE

This is the first in a series of regular columns on topical issues relating to cybersecurity for the insurance industry, from Stephen M. Soble, a cybersecurity thought leader. His article, "Cyber Risk Beyond Compliance" was the cover story of our June 15 issue, and it has received wide acclaim. We hope you enjoy and benefit from Steve's contributions.--SA

Whether it is the buzz over the WannaCry, Petya or NotPetya ransomware, Russian hackers, North Korean hackers or whatever today's news headline about cybersecurity might hold, we constantly hear the word "vulnerability." But what is a cybersecurity vulnerability? And why should you even care?

Just when you think you know the meaning of this common English word, the digital world shifts the sands of perception and understanding. Let's explore.

Not all Vulnerabilities are Created Equal

In common usage, a vulnerability is a weakness, a corner of our emotional life susceptible to a minor hurt. People don't die from vulnerabilities, save for the "death from a broken heart" predicament of a Jane Austen protagonist. Dying is reserved for disease, virus, and unforeseen calamity. But everyone suffers some hurt of the heart because of their personal vulnerabilities. And sometimes we even say that vulnerabilities--which can lead to injury--strengthen our character, improve our heart and are a necessary growing pain.

The kind of vulnerability which lives in the hardcore engineering cyber world appears in many flavors:

* Poor software development or coding practices

* Defective or weak system design

* Dangerous gaps in network connections

* Ineffective or unsecured interaction of hardware and/or software on the network

* Gaping holes in deployed software that can be readily exploited--some so wide open that a Mack truck without power steering can slip through the hole.

HP's Cyber Risk Report: 70%

NTT Global Threat Report: 76%

Software Engineering Institute: 90%

Strategic Security Survey: 97%

Verizon Data Breach Investigations Report: 99.9%

Legend: Attacks against known software vulnerabilities; Other Attacks

Note: Table made from bar graph.

In software development, a "vulnerability" typically means a defect in the code that can be exploited by a hacker. There are many scanning tools that can detect these code defects. Some are very reliable. When we look at the network system and operations, the interaction of various devices on the network with one another, we might see vulnerabilities, too. But here the...
