IT Security Panel: "Wetware" in a Dangerous World

The vulnerability of open systems architecture, changing nature of cyber threats and the problem of careless users were among the topics discussed during the ISOTech general session "Security Issues in the Insurance Industry," held on Tuesday, Nov. 14, in Orlando, Fla. Invited to comment on whether a "war" on security threats could ever be won were Chuck Johnston, senior director, insurance industry strategy and marketing, Oracle; Tracy Spidola, senior insurance industry consultant, Teradata; Donald Light, analyst with Celent; Charles Mauney, business solutions professional, IBM; Bill Hartnett, general manager of insurance solutions, Microsoft; and Judy Johnson, principal solutions architect, Patni.

"Security is a battle you will be fighting constantly," said Oracle's Johnston. Insurers are particularly vulnerable to denial-of-service (DoS) attacks, he said. "If someone is trying to take you down and out, it's hard to stop."

The security challenge must be addressed as a value/risk tradeoff, Johnston argued. Insurers need to ask themselves how they can constantly renovate their networks while being aware of unintended consequences. Many security measures, while mitigating risk, make it harder to do business, he asserted. "You have to be sure that the cure isn't worse than the disease."

Service-oriented architecture initiatives, now so popular in the insurance industry owing to their potential benefit for enabling greater interactivity between both internal and external systems, have great potential for "breaking your security model," Johnston warned. "By adopting open standards we expose ourselves to security risks," he said. "How do you manage security in such an open environment?"

Johnston concluded with the observation that insurers' security decision making is tied up with privacy and related issues of regulatory compliance. Given the heightened dangers and potential consequences of security breaches, a disquieting question has emerged, Johnston suggested. "What happens if the interests of the government and your customer diverge?" he said. "You might have to make some hard choices from a cost and value perspective."

What makes the security challenge especially important for insurers is that they have no tangible product, according to Teradata's Spidola. "What we sell is essentially a promise," she said.

Spidola remarked that data has become more vulnerable owing, among other things, to the prevalence of mobile devices, and recommended that security be elevated to a corporate strategic level. "I don't know that there are very many chief security officers at insurance companies," she said.

Celent's Donald Light pointed to the potential consequences of malicious penetration of corporate networks, including image and brand damage, lost business, fines, stock value impact and loss of employee productivity.

"The network is one of the prime battlegrounds this war will be fought on," Light commented.

Light prescribed key measures to fortify network security, including upgrading from intrusion detection to intrusion prevention; introducing the concept of network access or administrative control; and installing software such as spyware and anomaly detection applications at the firewall.

IBM's Charles Mauney reiterated the conviction that the security "war" could never be conclusively won and extended the metaphor to recommend that insurers should adopt the tactics of "containment." They should aim for a state of "survivability," which Mauney defined as "the ability to deliver the essential services you need to deliver to your customers while under constant attack."

Maturing Threats

Like good military strategists, insurers need to adapt to the enemy's changing tactics, Mauney suggested. In the infancy of computer hacking, the threat companies faced was what might be called "cyber-vandalism," he said. Today insurers face more-organized and malicious threats aimed at more-serious objectives, especially theft of various types.

Tactics Mauney recommended to counter today's threats included password/authentication technologies and procedures, user management, threat management, and establishing trust within the organization in order to foster compliance with security requirements.

Microsoft's Hartnett drew an analogy to physical security, which he characterized as an ongoing task never completed. "You can't have absolute physical security and you can't have absolute data security either," he said.

Perhaps the greatest threat to security was careless use of assets by users—a challenge wryly referred to by IT security professionals as the "wetware" problem, Hartnett related. By way of example, he alleged that about one laptop gets left in a taxi every day in New York City alone.

Lost laptop-related security breaches have compromised the security of tens of millions of customer accounts, Patni's Johnson noted. However, she said, "We in the insurance industry haven't worried so much about this kind of thing." That, she speculated, was due to insurers' having believed that, "A, we didn't have that much data; B, that our data was not very interesting; and C, being intelligent people, we thought that it was probably wrong anyway."

Insurers cannot afford such insouciance today, Johnson warned, and in order to effectively deal with the challenge they also must realize that security is fundamentally not a technology problem.

"The majority of attacks aren't from outside master criminals but from plain stupidity within the organization," she said. "What does that mean? It means it's a business issue."

That doesn't mean that investing in technology isn't a good idea, Johnson said. However, she added, "It's more about spending time. Management needs to take a look at the risks their organizations face and recognize that they're mostly from the inside."

While acknowledging that the "wetware" problem could never be entirely resolved, Celent's Light suggested that there were opportunities to build in "forgiveness" to software and hardware, in the manner that highway and automobile engineers build roads and cars with features that diminish the chance of human error and mitigate its consequences.

Oracle's Johnston opined that introducing new ways of engineering security will require overcoming a kind of creative inertia common to both insurance and technology security professionals. "Security technicians are the kind of people who work by rote," he said.

Teradata's Spidola implied that some remedies might be surprisingly simple, given the absurdity of some types of security exposure. Questions worth asking are, Spidola suggested, "What is all that sensitive data doing on those laptops anyway? And how can you protect information if you don't even know where it is?"

Anthony O'Donnell has covered technology in the insurance industry since 2000, when he joined the editorial staff of Insurance & Technology. As an editor and reporter for I&T and the InformationWeek Financial Services of TechWeb he has written on all areas of information ...