Q: What are the essential components of a security infrastructure? What innovations are improving security and cost-effectiveness?
A: David MacLeod, The Regence Group: The most essential components of an information protection program are those dedicated to educating the people who have the most frequent access to information and the supporting technologies - generally, our customers (also known as "users"). It is the uninformed and unaware user who opens a virus-laden e-mail or downloads malicious code from a "cool" Web site that is responsible for most security incidents. The "innovations" that are improving security and cost effectiveness aren't really innovative at all. These improvements are being driven from the recognition that security is not something you buy and "bolt on" to systems and applications, but rather it is a way of doing things (a culture of empowerment, accountability and protection). The innovation is the realization that security is everyone's job!
A: Glenn Watt, Backbone Security: Effective security is based on "Defense in Depth" from five core capabilities. Each one builds on the other. First is strong border protection with correctly configured firewalls. Second is situational awareness, achieved with an intrusion detection/prevention system. Third is a properly designed operational network architecture that supports good security (i.e., routers and switches that segment and compartmentalize the internal organization). Fourth is properly configured servers and workstations with all security patches applied. The fifth essential component is a security awareness and training program. When these components are used together, an organization has "Defense in Depth."
A: Bill Tyson, AGIA: Essential components include assessment of security posture to establish a baseline (where are we today? where should we be?); immediate improvement to address threats and vulnerabilities using tools, best practices and techniques; a go-forward security plan and security policy development, including the action plan; execution of the plan; testing, staging and deployment of solutions and training (and enforcement of the security policy); continuous audit and assessment; and an insurance policy to provide protection in the event that a hacker is successful and your firm sustains a loss.
Q: How can insurers balance good-quality customer service with the need to limit exposure to online threats?
A: MacLeod, The Regence Group: Balancing customer service and managing threat exposures are not mutually exclusive. No customer will feel well-served if his or her personal healthcare information is compromised. Appropriate protection of customer information and the systems that support the services they expect from us is our obligation as trusted stewards of information and technology.
A: Watt, Backbone Security: Quality customer service is unachievable without limiting online threat exposure for both your own enterprise and your customer's connection to your site. Has your company had a vulnerability assessment performed along with the remediation required to address any discovered problems? Do you have a certified cyber security firm providing 24/7 monitoring of your data communications to actively separate and protect your valuable customers from cyber hoodlums? If the answer to any of these questions is no, you're not really providing the good-quality customer service you think you are.
A: Brian Cincera, Greenwich Technology Partners: Enhancing customer service and reducing security exposure are not incompatible goals, although there is a cost implication for those who seek both. An increasing number of (non-insurance) organizations are beginning to approach threat management "like an insurance company." They are evaluating risk as a function of business impact and event likelihood. This economic valuation technique allows organizations to consider the benefits of efforts that limit financial, legal, regulatory, customer satisfaction and service-quality risk. Threat modeling can help organizations keep their commitment to customer satisfaction without exposing their businesses to undue risk.
Q: This year saw an increase of hacking activity against financial services companies. What is the security threat to insurance companies today compared with the recent past? Is the problem getting worse?
A: MacLeod, The Regence Group: The level of threat against insurance companies has dramatically increased, but probably not for the reasons you might expect. Hackers are looking for targets of opportunity, and they are not particular about the industry or institution supported by those information assets. An unprotected platform, or any other opportunity for system compromises, is the trophy they seek. It provides a platform for other, more interesting malicious activities.
A: Watt, Backbone Security: Phishing fraud and e-mail scams grew by more than 50 percent in January, with an average of 5.7 new attacks sent out to millions of online users each day. Although the risk to consumers is significant, the damage to corporate brand integrity can be far more widespread. From our observations, this is a growing problem. The heart of the issue is distinguishing legitimate business communications from fraudulent phishing e-mails. The hackers' shift from nuisance "script kiddies" to financial crime and identity theft has certainly created a real and present security threat to financial services in the form of customer brand confidence.
A: Cincera, Greenwich Technology Partners: The ever-changing security-threat environment places all organizations at risk. Insurers may be no more vulnerable than companies in other industries, although they are likely the target of more attack attempts by virtue of the personally identifiable information that insurers maintain. Identity theft attacks have increased dramatically in the last few years. The explosive growth in the use of automated exploit tools is, in large part, the reason why attacks are becoming more frequent and more damaging.
Q: How much of a cost burden are information privacy and security standards and regulatory compliance on insurance companies? What are insurers doing to control these costs while meeting requirements?
A: Watt, Backbone Security: As businesses have become larger and more network-reliant, the scope for fraud has also grown. Sarbanes-Oxley, the Gramm-Leach-Bliley Act, HIPAA and other regulatory compliance legislation ultimately assign privacy and fraud risk responsibility to the board of directors. The increased attention to corporate governance arising from recent scandals reinforces this assertion. Current cost burdens for establishing and maintaining compliance in the cyber security area are about 5 to 6 percent of the total IT budget. The real question is one of due diligence. Many firms elect to ignore the threat as a cost-controlling measure. Do they actually believe they will never be hacked? Like a natural disaster, a cyber disaster can strike, often without warning. If adequate measures to protect a customer's data are lacking, the cost of recovery could easily soar over the cost of prevention, not to mention the loss of customer confidence in your electronic correspondence.
A: Tyson, AGIA: Information security is demanded by HIPAA and GLBA. While I'm no compliance person, I think the rule of thumb is to meet a "prudent man" standard, which involves deploying security measures and a clearly defined risk mitigation process that a normally prudent company would deploy. This is no one-time install. So, it means that you need to keep up with evolving, changing and increasing threats as you go. Information security requires vigilance, internal and external independent auditing, outside/objective peer reviews, etc. This standard varies by industry - i.e., a defense company or bank would have a higher standard of security than a donut shop.
A: Cincera, Greenwich Technology Partners: The cost of regulatory compliance is steadily growing - a trend that is unlikely to abate. Most regulations do not demand specific security measures. Instead, they stipulate that certain conditions and capabilities be met by an organization's people, processes and technologies. Proofs can be elusive and subject to interpretation, making compliance assurance a big challenge. Some organizations are implementing new tools that make compliance information more accessible to both internal and external auditors. Such tools lower the cost and increase the value of compliance actions by removing subjectivity, reducing audit gaps, improving process repeatability and delivering executive-level decision support information.
This Month's Experts
David MacLeod, Chief Information Security Officer & Director of Security, The Regence Group; Chief Information Security Officer, Medicare Northwest (Portland, Ore.)
Glenn Watt, President and CEO, Backbone Security (Fairmont, W. Va.)
Bill Tyson, Chief Marketing Officer and SVP, AGIA (Carpinteria, Calif.)
Brian Cincera, Security Practice Director, Greenwich Technology Partners (New York, N.Y.)
Peggy Bresnick Kendler has been a writer for 30 years. She has worked as an editor, publicist and school district technology coordinator. During the past decade, Bresnick Kendler has worked for UBM TechWeb on special financial services technology-centered ...