Insurance & Technology is part of the Informa Tech Division of Informa PLC



The Road to Security

As business technology evolves, so do the threats it faces. While financial services firms tend to do a very good job of protecting information, frequent, high-profile data breaches show that the work is never done.

'White-Hat Hacking'

Larger organizations are especially vulnerable to what Taylor calls "white-hat hacking," meaning working around impossibly complex and cumbersome policies and procedures. Taylor says, "If access controls exist, I always ask, 'Well, what do people have to do?'" He then interviews the rank-and-file employees about their awareness of the policies and often finds that awareness somewhat vague. And even where awareness of policy and procedure prevails, it's not necessarily the case that compliance matches it. "I'll ask, 'How can you possibly get your job done when you have to observe all these access controls?'" Taylor relates. "Probably eight out of 10 people will say, 'Oh, I figured out a way around that.'"

Security policies need to include explicit and rigorous enforcement procedures, Taylor stresses. "If all they're doing is management oversight and they don't have any more-detailed enforcement procedures than that, they're not serious," he pronounces.

Some of the best security policies and procedures are the ones that nobody has to do anything to follow. "Sometimes you need a mandatory technical security control that can't be subverted," says Brian Serra, senior security consultant, Forsythe Solutions Group (Skokie, Ill.), a technology consulting and reselling firm. Such controls have long existed in perimeter security solutions, but recent breaches -- such as the AIG server theft or the theft of a Veterans Administration laptop in May 2006 containing the personal information of 2.2 million service personnel -- demonstrate the importance of another type of control that has been underutilized: data encryption.

"The current state of many companies, even some of the larger institutions, is that their data is currently not encrypted," Serra says. "If someone were able to compromise a database or application, they would have free access to its contents."

Companies have put off encryption because of the cost and time required to pull it off, as well as misunderstandings about the degree of vulnerability they face, according to Serra. "Previously, it was thought that if your front-end application, such as a Web site, was secured, then the data itself would be secured," he explains. "It turns out that's not necessarily the case because sometimes applications don't function as planned." Some applications, Serra adds, can be manipulated into gathering information from a database, which, if unencrypted, can be examined freely by the hacker.

Anthony O'Donnell has covered technology in the insurance industry since 2000, when he joined the editorial staff of Insurance & Technology. As an editor and reporter for I&T and the InformationWeek Financial Services of TechWeb he has written on all areas of information ...

Page 2 of 6