Q: What security measures should insurance companies implement to avoid computer viruses?
A: Adel Melek, Deloitte & Touche: Many of the risks arose from the misalignment between technology, people and processes, as well as [the lack of] an end-to-end enterprise process to address this issue. Many insurance companies and other organizations have robust technical components in place to defend themselves against worms and viruses. However, they are only as strong as their weakest link. Many of the worms and viruses take advantage of users with a weak sense of security, or a small number of vulnerable hosts within a large network. The introduction of a mobile force and the use of consultants and off-shoring are also relatively new trends, and the security associated with these trends is not up to the same standards utilized across the organizations. Proactive patch management, proper systems/patches testing, systems monitoring and enhanced user awareness of security are now required.
A: Eric G. Trapp, Accenture: The kinds of things insurers need to put in place are the software that's generally available to protect against viruses. This needs to be addressed not only in perimeter protection devices but also on every individual's PC and all servers within the organization. There need to be policies in place describing the requirements necessary for how employees and non-employees access insurance company resources through laptops and other remote devices.
A: Peter Firstbrook, META Group: The first thing is [that] all Microsoft PCs should have current antivirus software in auto-protect and auto-update mode. Less frequently attacked operating systems (e.g., Macintosh, Unix, SGI, Linux, Palm, Pocket PC) can also be included, depending on their importance (e.g., risk of loss, security zone). All laptops should also have personal firewalls. Almost all Microsoft servers and any other servers that can store Microsoft files should certainly have antivirus protection. Only a handful of viruses are currently circulating that specifically attack Unix and Linux servers, so deployment on these servers depends on a risk-versus-cost analysis. E-mail antivirus is the most important protection point for virus activity. Ninety percent of viruses are transmitted via e-mail, and a significant amount of attention should be applied to ensuring the e-mail server is adequately protected. The Web gateway is, so far, not a significantly exploited vector for virus propagation.
Q: How can insurance companies train both in-house employees and remote workers to guard against viruses? What policies should they institute to protect against viruses, and how can these policies be enforced?
A: Melek, Deloitte & Touche: Employees at all levels should be well-educated and advised about the potential impact of a virus outbreak. Strong policies should be in place and well-communicated to users at all levels, not just administrators. In addition, the enforcement of the policies is the key - technologies exist for the automated enforcement of the policies. However, this requires that companies have the resources to properly manage, maintain and monitor them. Many organizations are rolling out awareness and training programs to all their employees, and some organizations demand that their employees provide an annual sign-off that they have reviewed the policies, attended training and are in compliance with their organization's policies and practices.
A: Trapp, Accenture: Policies are absolutely important in the organization to establish consistent methods and procedures across the organization for virus protection, and for communication and awareness. It's always important to have the criteria or policy to point to, but then the organization needs to follow that up with periodic information going out to employees describing each individual's responsibility to protect the organization's assets. Insurance companies also must look at how viruses have impacted them in the past and take some time to understand what the financial and other impacts were to the organization. Then they can adjust their future actions in light of how viruses have impacted them in the past. When the virus does hit an organization, besides the systems it might bring down and business processes that are supported on those systems, it also impacts employees, productivity and, potentially, customer access as well.
A: Mark Horvath, Microsoft: Insurers should continue to enforce common sense approaches to virus elimination with guidance around things like e-mail attachments and spam filters. Most known viruses can be eliminated at the network edge through scanning and filtering, but they need to continue to stress care in handling attachments to e-mail, especially from sources outside the company. Don't auto-open attachments, always scan unsolicited e-mail and, when possible, build white-lists of e-mail addresses known to be safe. Simple but effective strategies like these can really make a difference in slowing or eliminating virus propagation.
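As an added example (not code from the panelists or from any vendor they mention), the following Python gateway check implements the edge-side controls Horvath describes: attachment types users should never open are blocked outright, archives and attachments from senders not on the company's allowlist are held for scanning, and plain attachments from allowlisted senders are delivered. The sender addresses, `.example` domains and extension lists are constructed assumptions. The allowlist deliberately does not override the executable block, because a `From` header is trivial to forge and the allowlist only decides whether an otherwise clean attachment is held or passed.

```python
"""Attachment-policy check for an inbound mail gateway (added example)."""
import email
import email.utils
from email import policy
from email.message import EmailMessage

# Constructed policy values (assumptions, not from the article):
# known-good sender addresses and attachment types the gateway never passes.
ALLOWLIST = {"claims@partner-insurer.example", "broker@trusted-agency.example"}
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".vbs", ".js", ".bat", ".cmd", ".com"}
ARCHIVE_EXTENSIONS = {".zip", ".rar", ".7z"}


def classify_message(raw_bytes):
    """Parse one raw RFC 5322 message and return a policy verdict.

    Verdicts: 'block' (executable attachment type, regardless of sender),
    'quarantine' (hold for antivirus scan: archive, double extension, or
    attachment from a sender not on the allowlist) or 'deliver'.
    """
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    sender = email.utils.parseaddr(msg.get("From", ""))[1].lower()
    known_sender = sender in ALLOWLIST
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        exts = name.split(".")[1:]          # all extensions, e.g. ['pdf', 'exe']
        final = "." + exts[-1] if exts else ""
        if final in BLOCKED_EXTENSIONS:
            # Judged by the final extension, so 'invoice.pdf.exe' is not fooled
            # by its decoy '.pdf'.
            findings.append(("block", name, "executable attachment type"))
        elif final in ARCHIVE_EXTENSIONS:
            findings.append(("quarantine", name, "archive must be unpacked and scanned"))
        elif len(exts) > 1:
            findings.append(("quarantine", name, "double extension"))
        elif not known_sender:
            findings.append(("quarantine", name, "attachment from sender not on allowlist"))
    if any(f[0] == "block" for f in findings):
        verdict = "block"
    elif findings:
        verdict = "quarantine"
    else:
        verdict = "deliver"
    return {"sender": sender, "known_sender": known_sender,
            "verdict": verdict, "findings": findings}


def build_sample(sender, body, attachment=None):
    """Construct a sample message in memory and return it as raw bytes,
    the form a gateway receives. attachment is an optional (filename, bytes)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "underwriting@insurer.example"   # constructed recipient
    msg["Subject"] = "constructed sample"
    msg.set_content(body)
    if attachment:
        filename, data = attachment
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    samples = {
        "allowlisted, pdf": build_sample("claims@partner-insurer.example",
                                         "claim attached", ("claim-form.pdf", b"%PDF-1.4 ...")),
        "unknown, pdf": build_sample("someone@unknown.example",
                                     "quote attached", ("quote.pdf", b"%PDF-1.4 ...")),
        "allowlisted, exe": build_sample("claims@partner-insurer.example",
                                         "see invoice", ("invoice.pdf.exe", b"MZ...")),
        "unknown, no attachment": build_sample("someone@unknown.example", "hello"),
    }
    for label, raw in samples.items():
        result = classify_message(raw)
        print(f"{label:28s} -> {result['verdict']:10s} {result['findings']}")
```

The point of the structure is that scanning and filtering happen once at the edge, where policy is uniform, rather than relying on each user to judge an attachment. Quarantined items still go through the antivirus scan and can be released by the mail team, so the allowlist reduces friction for known partners without becoming a bypass.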
Q: What requirements should insurers place on their technology partners to minimize the risk of viruses?
A: Trapp, Accenture: Contractors and vendors should be held to the same standards as employees. Too many cases have been cited recently where viruses are introduced into an organization by way of an outside business partner to not hold outside partners accountable to internal security mandates. Contractual provisions that address vendor responsibility should be secured by companies before a vendor is formally engaged.
A: Firstbrook, META Group: Consultants' and business partners' compliance to corporate antivirus policy should be a standard contract condition. Non-compliance that results in a virus infection should be sufficient grounds for contract termination. However, this clause is rarely enforced.
A: Melek, Deloitte & Touche: The same rigorous policies and processes should be enforced by any party that connects or provides support to the organization. This applies to extranet partners or contractors. At a minimum, the enforcement of security components, such as antivirus software, the latest system patches and appropriate firewalls, should be deployed. A strict process to update and keep the system current should also be emphasized. There are few organizations that have gone to the extreme, whereby they actually provide a corporate PC to all contractors and consultants. These PCs are configured and equipped with the corporate standards and software.
Q: How will evolving technologies change the fight against viruses and worms in the future?
A: Trapp, Accenture: The information security industry and the software providers are working to enhance the capability for truly protecting against - not just detecting and responding to - viruses in more of an automatic way. First, software and solutions will identify the virus, identify systems that might be impacted or exploited, be able to provide patches to prevent those breaches from happening, and unify those tools and systems to provide a suite that addresses the bigger picture of vulnerability management, which includes viruses.
A: Horvath, Microsoft: Antivirus software will continue to evolve as time goes on and will become a larger part of the insurer's security platform, almost in the same way that spell-checking works for their professional correspondence. Quarantine technologies are being developed, which will allow applications to access only limited parts of a network or to run with only the minimum permissions they need and no more. In short, antivirus technology will get closer to the applications, further from the users, self-adapting and aware of expected and unexpected behaviors. This will reduce the burden on the end-user while at the same time increasing the security of the system overall.
A: Firstbrook, META Group: Virus or virus-like programs are beginning to have commercial applications. These threats, sometimes called spyware, range from annoying pop-up ads to dangerous keystroke loggers. These programs generally do not fit the definition of a virus or worm because they typically have both good and bad properties and good and bad commercial uses.
Antivirus software has not yet addressed these proliferating threats. Viruses will spread to Linux as that platform gains popularity. Vendors of antivirus products will increasingly integrate intrusion detection, firewalls and antivirus products to form a more comprehensive and coordinated defense.
THIS MONTH'S EXPERTS
Adel Melek, Partner, Deloitte & Touche (Toronto)
Eric G. Trapp, Partner, Global Architecture and Core Technology - Security Solutions Group, Accenture (New York)
Mark Horvath, Commercial Sector Director of Security Mobilization, Microsoft (Redmond, Wash.)
Peter Firstbrook, Program Director, META Group (Stamford, Conn.)
Peggy Bresnick Kendler has been a writer for 30 years. She has worked as an editor, publicist and school district technology coordinator. During the past decade, Bresnick Kendler has worked for UBM TechWeb on special financial services technology-centered ...