@superruserr On the up side, insurance companies don't want to cover unreasonable risks, so they'll require some sort of security baseline in the fine print. (Which probably won't diverge much from the kind of things that financial auditors want to see in place nowadays.)
@superruserr Yeah, I was thinking about that too, but don't have an answer. Some of our customers are in the 50 to 100 employee range - those usually have maybe two IT staff, and no one tasked with IT security. As an outsourcing partner, we can provide the basics - perimeter security, AV, content gateways - but it's difficult to even talk about more complex topics, never mind security management processes.
@superruserr ...and that's just old-style companies who run most of their services inside their own networks.
Having everything distributed over various SaaS platforms provides some security (as included with the SaaS offering), but also has a completely different risk profile.
@galaxis I agree with this, and it's something I had not thought of before. Your reply also reminded me of some interesting discussions here - https://bsd.network/@cynicalsecurity/99987077788435510
@superruserr I'd seen the initial post of that thread but missed the reply of the AWS guy.
It's hard to argue against the "putting things on cloud services gives everyone access to the best defense" stance in general, because it's mostly true.
But when you export a bad security posture "to the cloud" (like maybe account sharing, or refusing to use 2FA), things are suddenly a lot worse than when that was hidden behind even the most laughable perimeter defenses.
@catdad @superruserr No one really cares how much security you actually have. It's probably possible to get ISO27k1 certified on paper defenses alone.
The insurance company though will be very happy to deny your claim when there's an incident and it turns out you provided them with false information upfront.