Security, from a lock on a door to the building, to a security guard, has always been an important part of any corporation's operation. However, security has tended to become the top priority only when something goes wrong.
"Many companies wait until they have been bitten to focus on security," says Brian Anderson, chief marketing officer, Access360, an Irvine, CA-based access control solutions provider. "Everyone knew that hydrogen was a flammable gas, but it took a major accident to stop people from putting it into blimps."
But after many widespread computer virus attacks, or so-called cyber-terrorism (not to mention post-9/11 fears of attacks on government and business systems), security is suddenly becoming an unavoidable consideration for insurance companies. In fact, according to a Computer Sciences Corp. (CSC, El Segundo, CA) study that was completed in August 2001, safeguarding information resources was the top IT issue that healthcare organization CIOs were facing. Executives at financial services companies, including insurers, also ranked it as their top priority, and, overall, CIOs at North American corporations ranked it number two.
CEOs Pay Attention
In fact, systems security is no longer just an IT issue. CEOs are even now asking about security, with good reason. A survey conducted by the FBI and the Computer Security Institute (CSI, San Francisco) reveals that 186 companies reported a total of $377.8 million in financial losses from computer security breaches and that 85 percent (primarily large corporations and government organizations) detected computer security breaches last year.
"Even the CEOs are now looking at security," says Rusine Mitchell-Sinclair, general manager of the recently established IBM Global Services Safety and Security Practice (Armonk, NY). "Security is now being looked at as a component of everything a company does."
One reason why C-level executives are focusing on security is the recent attention consumers, and the press, have given to the security of financial information. "How much is it worth to a company to keep its name out of the Wall Street Journal when its customer's credit card numbers are stolen?" asks Dan Himmerich, vice president, marketing, financial services security solutions, CSC. "Something like that is devastating." CSC's study also revealed that consumers have shown a 35 percent increase in concern over security, compared to previous editions of the study.
Top executives should treat security issues as they do other parts of the insurance company, contends Himmerich. "CFOs contract with high-priced auditing firms to look at the company's books," he says. "Insurers should contract with experts to do a security analysis. Auditing security is just as important as auditing the books."
Auditing a system should not just be the first step for a carrier, it should be a recurring process, stresses Randy Taylor, vice president of strategic development at Digital Defense (San Antonio), a network assessment, penetration testing and security consulting provider. "An insurer should have recurring scans of all its systems" for possible security shortcomings, he says.
In fact, observes Jim Reavis, chief marketing officer, VIGILANTe (Melville, NY), a provider of IT vulnerability assessment, many companies are increasing the frequency of security audits. "Companies would traditionally simply audit systems annually," he says. "But doing that now is no longer effective. Systems are always changing and threats are always changing. Companies are moving to monthly, weekly and even to real-time scanning."
The constantly changing cyber-threats are a challenge for all companies, says Ty R. Sagalow, chief operating officer, AIG e-Business Risk Solutions, the division of New York-based AIG ($268 billion in assets) that sells cyber-liability and network security insurance. "The biggest challenge of all is that the ball keeps on moving," he says. "It is a digital hurricane that is intelligent. The threat changes just as you think your systems are secure. The recent Nimda virus was 10 times more sophisticated, and dangerous, than CodeRed."
And just when insurance companies think they have figured out what they have to do to be secure, the playing field is bound to shift again. Finding out exactly what security concerns a company has is important for CIOs, especially considering the infinite number of access points potential cyber threats can jeopardize. "Before the Internet, all a company had to do was, essentially, secure the LAN, and security was ready," says Sagalow. "With the Internet, you are open to the entire world."
Opening up an insurer, even just to its policyholders (much less the entire world), is an extremely foreign idea to most carriers. "Most insurance companies have traditionally been inwardly focused," says Johnathan Hyler, enterprise security architect, UnumProvident (Chattanooga, Portland, ME, $40.3 billion in assets). "Policyholders now want instant access to information over the Net. This has driven carriers to be outwardly focused, but insurers have to do it securely. Every time a customer's private information becomes public, it usually makes big headlines in the papers," not something any CEO wants to see over their morning cup of coffee.
Policyholders are not the only people outside of an insurance company who now are accessing a carrier's system. "There is an overall increase in electronic interchange of data between companies," says CSC's Himmerich. "As the network of partners increases, carriers have to be aware that all could be a potential intrusion point."
In fact, the security issue today resembles the problem all companies faced when they were preparing for Y2K. A company's systems may have been Y2K compliant, but what would happen if business partners' systems were not? The same applies to security, says VIGILANTe's Reavis. "Many executives say to me, 'We know our systems are secure, but we can't guarantee our partners are doing the same,'" he reports. "Companies have to have in-depth security" that not only provides a good front line of defense, but also a good back-up.
It all comes back to the challenge that, just as carriers get their perimeter set up, the perimeter moves. Today, companies also have to worry about a distributed workforce, where some employees are traveling constantly and using dial-up connections, and others are located permanently in a home office (including telecommuters with high-speed connections).
Jeff Christianson, a systems analyst who worked on the development of a virtual private network (VPN) application for remote workers at Seattle-based SAFECO ($31.5 billion in assets), says "a distributed workforce creates a huge exposure, mainly because of the different connections, locations and platforms." SAFECO's remote workers "run the gamut of business and IT users," according to Robert Driscoll, senior systems analyst. "And they all want the same access to the same information that they would have in the office."
In order to provide remote users with secure access to information, SAFECO decided to install a VPN to enable high-speed access. But, along with the VPN, it was decided that all remote users should have a personal firewall, whether on a laptop or desktop. "We wanted to have comparable security for our remote workers," reports Christianson. SAFECO chose a personal firewall product called CyberArmor from InfoExpress, a Mountain View, CA-based Internet security solutions provider.
"When we were switching to the VPN, we discovered that we had an exposure that was not covered with the corporate security systems or its firewalls," according to Christianson.
And although a VPN may be a costly expense for carriers, it can actually provide a cost savings, something that contradicts the standard assumption that security is a "necessary expense," according to UnumProvident's Hyler. In fact, a VPN can also show a strong ROI, which is especially important at a time when insurance executives are demanding high returns on spending. "On the Internet, a VPN secures data," Hyler says. "At the same time, it can have a positive economic benefit."
For instance, if a user had to use a dial-up line, there would be phone charges and the user would have a slow connection, hurting productivity. "Our VPN works over a high-speed line. Users can do the same thing, with the same productivity as they could have in the office," Hyler adds.
In fact, the VPN project was driven by both security and cost benefits. "Having users dial in and pay for the services made no sense," Hyler adds. "As the VPN market matured, we felt comfortable implementing the technology."
However, just focusing on the perimeter security technology, such as firewalls, is a common, and sometimes costly, mistake many companies make. A complete enterprise-wide security policy, one that covers technical development, security procedures, disaster recovery and user access authorization, is needed to make a company's systems, and the information they contain, secure.
"Many companies' security precautions are hard on the outside, but they are soft and chewy on the inside," says Digital Defense's Taylor. "It takes more than a good firewall to have good security."
In reality, all of the fancy, cutting-edge security technology that money could buy would be essentially useless without a strong enterprise-wide security policy. "The bottom line is that security is not about the technology, it is about the process," according to CSC's Himmerich. "If you don't have a good management process that monitors and updates all of the security technology, the technology does not do much good."
The Hartford's ($170.6 billion in assets, Hartford) security policy has been developed over many years, says Jack Stoddard, assistant vice president, enterprise information security. "We have a comprehensive security policy," he says. "The security policy is a constantly evolving, living document that changes as security issues change." Stoddard explains that The Hartford has policies from a high level, such as standards and access controls, down to a lower level, such as specific procedures on how to "harden" specific operating systems or develop certain applications.
At UnumProvident security is centrally managed, reports Hyler. "Centrally managed security is very important for a company. Each group within a company cannot decide on their own security rules," he says. "We have a central security policy that plays a vital role. Everything is derived from that policy. Without the security policy, the security technology could not operate. Without the technology, the policy would be useless."
For instance, Hyler explains, UnumProvident's policy even defines how employees should react to specific security breaches. "An intrusion-detection system is very important," he says. "But someone has to monitor the intrusion system and they have to know how to react when an intrusion is detected: 'With what kind of intrusion should law enforcement be notified?'"
UnumProvident has had a separate security department in place since 1997, although security has always been a part of the operation, Hyler says. "Security was mainframe-focused years ago," according to Hyler. "Today it is more strategic."
Greg MacSweeney is editorial director of InformationWeek Financial Services, whose brands include Wall Street & Technology, Bank Systems & Technology, Advanced Trading, and Insurance & Technology.