Insurance & Technology is part of the Informa Tech Division of Informa PLC




The Road to Security

As business technology evolves, so do the threats it faces. While financial services firms tend to do a very good job of protecting information, frequent, high-profile data breaches show that the work is never done.

There are different ways to approach information security, and many of them are wrong, in the view of David MacLeod, director of security and chief information security officer of Portland, Ore.-based regional Blue Cross Blue Shield insurer The Regence Group ($6.7 billion in revenue), which has operations in Oregon, Washington, Utah and Idaho. Some look at security as a project -- something that you implement, something that you get done. Others focus on the technological aspect of security, dwelling on firewalls and intrusion-detection systems, to the exclusion of administrative safeguards and the human side of security. Still others take what MacLeod calls an "academic purist" approach whereby security executives make security an end in itself and become something like the corporate police. And some even see security as what you hire a consultant to do for you and, says MacLeod, "When they're done, you're done -- you've got security!"

All those approaches fail, according to MacLeod. "Though it may sound like a cliché, security really is a journey -- it is a constant and evolving discipline," he insists. "As the outside world changes, threats change; also, business needs change and business technology changes, and so must the things you do to protect it." If, as MacLeod suggests, the observation is obvious, it nonetheless is crucial in a world where information technology is evolving so quickly and where insurers -- in pursuit of providing greater service to internal clients, distributors, business partners and customers -- have deliberately exposed their internal functionality through Web-based technology (and have exposed it involuntarily through wireless technologies).

Further, financial services companies face more-sophisticated external attacks, as the typical hacker profile has evolved from the teenaged, joy-riding "script kiddie" to organized criminals and even hostile foreign government operatives. In the early days of e-commerce, it was enough for many hackers simply to embarrass companies, notes Jonathan Gossels, president, SystemExperts, a Sudbury, Mass.-based provider of network security services. Today, he says, "Attacks are much more oriented to actual gain or physical or intellectual property loss."

Understanding the Criminal Mind

Defense against such attacks is, one might reasonably observe, the bread and butter of security professionals. And yet, high-profile security breaches continue to happen. One cause is narrow thinking on the part of security executives, experts agree. For example, in mid-June, New York-based AIG ($109 billion in revenue) acknowledged the theft of the personal data of almost a million people. Firewalls and intrusion-detection systems were not an issue -- thieves simply broke into a midwestern regional office and physically carried off a server, along with a laptop.

Such opportunities are keeping security consultants -- such as David Taylor, VP, data security, for data security management consulting firm Protegrity (Stamford, Conn.) -- busy. Taylor relates that he recently was brought in to help a large financial institution that has about 10,000 small servers -- often containing very sensitive information -- scattered around the globe. "Stealing a server is more difficult than, say, stealing a laptop, but the reward for doing so is substantially greater," he remarks. Such hardware items, he adds, "are treasure troves of information, and particularly in certain countries around the world, we've found that they're not very well protected. In many cases they are not even in locked rooms."

Taylor says he studies organizations not just from a policy standpoint, but from a day-to-day procedural standpoint. "That's where things fall down -- there are huge gaps in policies as they're written and day-to-day practices," he contends. "And the further from corporate you are, the more variation we tend to find."

Lack of appreciation of the motives of cyber criminals also can result in vulnerability. For example, The Regence Group's MacLeod says business executives who might doubt the interest of organized criminals in a health insurer's information may need further education. Identity theft is only one of its attractions, MacLeod explains. "Let's assume for a moment they didn't care about identity theft; they still might care about the free computing services they can steal from us to access other sites that may have information of direct value to them, so they can obfuscate where they've come from while enjoying free computer services," he says. "There isn't a computing platform with public connectivity to the Internet that isn't at risk for that exact same kind of theft."

Nevertheless, security officers remain more confident about defending against external cyber attacks than against internally caused attacks and data/information breaches. Deloitte's (New York) "2006 Global Security Survey" -- whose respondents were major global financial institutions, including 31 percent of the top 50 global insurance companies -- found that 74 percent of respondents said they were either very confident or extremely confident in their ability to defend against external threats, an increase of 5 percentage points over 2005. When it came to internal threats, however, only 41 percent were either very confident or extremely confident, compared with 50 percent the previous year.

Unfortunately, bad guys can lurk within a company as well as outside it, and there is a malicious element, affirms Protegrity's Taylor. "But I'm more concerned about what the careless individual could accidentally do to expose his or her organization to substantial risk," he says. "We trust people a bit too much."

Anthony O'Donnell has covered technology in the insurance industry since 2000, when he joined the editorial staff of Insurance & Technology. As an editor and reporter for I&T and the InformationWeek Financial Services of TechWeb he has written on all areas of information ...
