07:47 AM
The New Look of Security
Team ""Safety""
In order to develop comprehensive security polices, insurance companies must have a so-called security staff or team. However, good systems security experts are hard to find, and when they are found they are generally expensive, says Digital Defense's Taylor. ""Most IT staffs are understaffed to begin with,"" he says. ""They are just trying to keep the systems running. They don't have time to monitor security concerns, pay attention to virus alerts or install firewall patches from the manufacturer."" Even in a small organization, a company will need at least one security ""expert,"" contends Taylor. ""Larger companies will need more, obviously.""
According to Robert Hughes, president and CEO of Atlanta-based GuardedNet, a developer of the threat management and information security operations software, finding qualified security people is becoming easier. ""Finding top-level security experts is a hard task, but it is getting easier,"" he contends. ""A year ago it was harder and I don't know if it was the dot-bomb, but there seem to be more capable people available today.""
SAFECO's security team meets regularly, Christianson reports. ""We have a full-time security team that meets weekly to discuss new threats, such as viruses,"" he says, or to discuss potential attacks the company's detection systems uncovered.
Despite the difficulty in bringing security expertise in house, one thing that insurance companies are not doing, despite a growing vendor market offering the service, is to outsource the company's IT security to a third party. ""The outsourcing of security has not gained momentum,"" according to GuardedNet's Hughes. ""The MSSP sector, or Managed Security Service Providers, is not growing because companies do not want to push security out the door,"" he says.
At The Hartford, the company does not outsource security, Stoddard says, but it will do a cost-of-ownership study on security next year to determine if its security is cost effective for the amount of protection it provides. ""The Hartford has been good on funding security,"" he says. ""Security is very strategic and we don't want to outsource strategic things.""
However, Access360's Anderson suggests that for certain elements of a company's security it makes sense to outsource. ""In insurance, there are a large number of non-employees accessing an insurance company's systems,"" such as agents and other business partners, he says. ""An insurance company may have thousands of contacts with brokers and each broker may have 10, 20 or 100 people that need to access an insurance company's systems. Does a carrier really want to manage all of the access privileges and passwords?""
Part of the problem associated with allowing agents and policyholders access to company systems is that the insurance company sometime does not really know who is signing on. For instance, an insurance company may give an agency access rights to view policy files or rating information, but that agency may have 50 employees. If one of the agency's employees quits or is fired, how does the carrier make sure that employee's access privileges are revoked?
""Managing all of the passwords is a huge task,"" contends Anderson. ""There is an anonymity issue. A disgruntled employee can cause a lot of damage."" Access360 can track all of a user's passwords on multiple systems and, more importantly, can delete access rights across all systems easily.
Managing passwords is just as important inside the insurance company's walls. ""We have a lot of different environments and each one requires a password,"" says The Hartford's Stoddard. ""If a user requires 10 passwords, the passwords are not going to be 'strong.'"" By ""strong,"" Stoddard means that requiring too many passwords forces users to make passwords easier to remember-such as the user's first name or a sequence of numbers, 1-2-3-4. ""Worse yet, when there are too many passwords to remember, a user commonly uses Post-Its and sticks the passwords to their computer monitor.""
Strengthen Your Passwords
To overcome this problem, The Hartford is working on synching IDs to reduce the number of passwords a user has to remember. ""We are moving down that path so users can sign on once in the morning and be signed-in all day,"" he says. ""A user may have to enter a password five times to enter five systems, but it will be a single, stronger password."" The Hartford is using password best practices to come up with a single sign-on solution. For instance, explains Stoddard, the strength of a password is measured in terms of how quickly it can be broken. A computer will take a few seconds to break a password that is a person's name, two minutes to break a password if the word is found in the dictionary and ""much, much longer to figure out a password if it is a combination of letters and numbers,"" he says.
But even with strong passwords, a company's greatest threat may not come for cyber-terrorists. It could come from Rosie in accounting. ""Conventional wisdom says that 80 percent of security problems are due to insiders,"" according to the CSI/FBI study. However, only 31 percent of respondents to the study cited internal systems as a frequent point of attack, with 70 percent citing the Internet as the most common point. (The report does say that the low, 31 percent response could be due to an increase in the overall rates of attack and that companies should not underestimate internal vulnerabilities.)
""Probably 60 percent of attacks occur internally,"" according to GuardedNet's Hughes. ""Companies are constantly focused on their external vulnerabilities and they don't pay attention to internal threats.""
According to Hyler of UnumProvident, internal security breaches may not necessarily be the work of criminals. ""Internal breaches are not usually from hacking,"" he says. ""They usually stem from loose controls in the company. A user may have too broad of access to systems and might see information which they are not authorized to see.""
Hughes says that users commonly leave computers unattended. ""I can walk through many offices and find empty workstations that have access to secure systems,"" he says. ""A key issue is security awareness training for employees.""
Digital Defense's Taylor says that unguarded systems invite trouble. ""Most companies have secure perimeters but their internal security is lax,"" he says. ""Systems are left logged-on overnight and most cleaning crews that haven't had background checks could easily gain access. Tightening internal security is especially important now that we are seeing layoffs. Internal sabotage is usually more costly than external attacks,"" mainly because an internal saboteur knows exactly what systems to ""hit"" to cause the most damage.
But even with tight internal controls and a seemingly secure perimeter, security breaches will occur and companies have to be ready to detect intruders. ""A hacker intrusion takes between nine and 15 minutes,"" reports GuardedNet's Hughes. ""If you are only capable of reviewing the breach the next day, what good does that do? The damage may already be done. A real-time response is important.""
Another way to prevent breaches is to prevent internal users from accessing questionable Web sites that may contain things like viruses. ""Companies are setting up more stringent rules for employees when it comes to Web surfing,"" says Reavis of VIGILANTe. ""Companies are blocking certain URLs and limiting where people can go. Many companies are also not allowing customers to download executable files.""
UnumProvident is using Scotts Valley, CA-based SurfControl's SuperScout Web Filter 4.0 to screen out inappropriate Web sites and viruses. ""People are going to use the Net for personal reasons, just like they occasionally use the telephone for personal calls,"" Hyler says. ""That is acceptable, but it isn't acceptable when Internet use threatens the security of the company.""
Greg MacSweeney is editorial director of InformationWeek Financial Services, whose brands include Wall Street & Technology, Bank Systems & Technology, Advanced Trading, and Insurance & Technology. View Full Bio