Cyber-Crime Fighters: Recognizing their own vulnerabilities, insurers tighten security for their online operations. (Technology).
The "2001 Computer Crime and Security Survey" found that 85% of respondents detected computer security breaches within the last 12 months. The survey--conducted by the Computer Security Institute, an organization that trains information-, computer- and network-security professionals--polled more than 530 computer-security practitioners in U.S. corporations, financial institutions, government agencies, medical institutions and universities.
"Because the market has been driven by being the first to get online, companies have pushed security aside in the rush. However, now that they depend on this source of revenue for operations, they are starting to wake up about the risks associated with being online," said Rick Fleming, vice president of security operations for Digital Defense Inc., which provides vulnerability assessments and security services to companies with online access.
Conning & Co. recently released "Cyber-Security for Insurers: The Virtual Fortress?" to evaluate insurers' security measures for their online operations and propose ways for them to protect themselves against cyber-attacks. "It is critical that insurers address their cyber-security vulnerabilities, because of the substantial costs associated with breaches and reputational damage that could occur," said Conning Vice President Clint Harris, the author of the study. According to the study, losses associated with cyber-security breaches for all U.S. businesses are projected to increase to $43.6 billion by 2005, more than double the amount in 2000.
Insurers as Targets
Insurers were early adopters of technology and have used technology extensively to support their business operations, said William Fandrich, president and chief operating officer of Cogentric, a developer of products that identify and prevent e-commerce infrastructure risks. "The nature of the information they retain in their systems, their size and their dependency on technology increase their susceptibility to cyber-attacks." For example, insurers' management of substantial amounts of liquid financial assets--both their own and those of others--makes them likely targets of cyber-attacks. In addition, insurers' familiar brand names and their reliance on legacy systems to store vast amounts of confidential information--such as medical histories, policy applications and credit-card numbers--increase their risk of succumbing to these costly events.
"Insurers have a serious dependence on systems to run their businesses, and carriers spend billions of dollars on computer systems to manage their operations and their reporting agencies at the state level," said Phil Pierson, vice president of technology products and founder of Irvine, Calif.-based e-Sher Underwriting Managers, a division of Sherwood Insurance Services. As a result, insurers face the daily challenge of protecting this process.
Insurers' interconnectivity across the globe, such as network connections to national and international offices, also increases their vulnerability to computer-related crimes. "Not only does greater use of the Internet expose them to more types of vulnerabilities, but security may not have been adequately incorporated in their haste to catch up to other industries' use of the Internet," Harris said. Effective security must be part of the e-business planning process from the beginning and not bolted on at the end, he said.
Every time a company allows an outside entity, such as a client or partner, into its network, it opens a hole, said Thubten Comerford, chief executive officer of White Hat Technologies Inc., which provides internal and external network integrity audits for companies. A growing number of customers, partners, vendors and competitors venture onto insurers' Web sites and across their networks each day, escalating insurers' vulnerabilities to computer-related attacks.
Consultants and those working closely with insurers on cyber-security believe it is crucial that insurers begin their protection process by evaluating their vulnerabilities. But lack of expertise and knowledge about complex security systems has caused some insurers to forgo such evaluation measures. "Because of the inherent complexity of most computer systems, many people, including trained information-technology staff, trust software vendors to build secure systems. However, very little software is built from the ground up with security in mind," said Digital Defense's Fleming.
Conning found that some insurers are not properly evaluating their security needs, because they haven't fallen victim to these attacks in the past, and they are denying their risks. Insurers argue that they spent millions of dollars on Y2K, which didn't occur, and they have no intention of repeating that, Harris said. New exposures, including more robust viruses and denial-of-service attacks, however, have hit the market since the turn of the century, placing insurers at even greater risk for new types of attacks and breaches. Advances in computer technology have increased complexity and, therefore, vulnerabilities to attacks. In addition, in the wake of the terrorist attacks of Sept. 11, insurers must consider the potential for cyber-terrorism.
In its study, Conning points to a "cyber-security cycle" as a way for insurers to evaluate the vulnerabilities in their online operations continuously and determine the level of protection they need.
The cycle begins with an assessment of an insurer's vulnerabilities, threats and estimate of potential losses. Conning advises insurers to then develop an enterprisewide security policy, which should be published publicly and explained to everyone within the business, including partners, customers and employees, to educate them about their part in the security process.
Insurers then should define and refine specific security rules, standards and procedures from the security policy, Harris said. This information, however, should not be made public, he said.
Finally, insurers should implement and enforce the process and then restart the cycle by conducting a reassessment, including reassessing vulnerabilities, ranking them by priority and updating the security policy, if necessary. "The overall policy probably won't change significantly. However, the rules, standards and procedures may change more frequently as exposures change," Harris said.
Because no company's system is 100% secure, it's important for insurers to put a series of steps in place to protect against Internet intrusions, breaches and denial-of-service attacks. Neil Bryden, a national partner champion for information security services for the professional services firm KPMG LLP, believes protection against these attacks can be achieved through a balanced approach in three areas--people, processes and technology.
People Are Key
Conning recommends that insurers designate an employee to a high-level, central position to develop, maintain and enforce cyber-security policies. "It takes that level of a position, because that individual has to create and enforce an enterprisewide and 'enterprisewise' policy incorporated into all aspects of business," Harris said. In addition, the high level of this position affirms the importance of cyber-security to the company.
These individuals, who should report directly to the chief executive officer, should possess both technical and interpersonal expertise--the ability to work closely with the CEO and other executives--to create an effective security policy. In addition, Conning advises companies to designate individuals who have both relevant senior-level experience and professional certifications, such as the Systems Security Certified Practitioner, Certified Information Systems Security Professional or Global Incident Analysis Center Certified Intrusion Detection Analyst.
Many insurers have appointed teams or individuals to oversee computer-related security responsibilities. "While this is commendable, the largest failure we see in this type of arrangement is not granting that person the authority to make procedural changes in the organization," Digital Defense's Fleming said.
In addition to security policies and the installation of various protective measures, cyber-security teams should pay particular attention to employees' technology activities. Seventy percent of all incidents occur within the network of a company's own employees, said Steven Haase, CEO of Insurectrust.com LLC of Alpharetta, Ga., which provides e-business risk management to corporate networked communities. Monitoring passwords and employees' internal and external use of the Internet are two ways companies can protect against potential internal intrusions.
"There is no way to make companies bulletproof, but the concentration now should be on the human-element policies and procedures training, including looking at the latest patches and configuration issues for software," Haase said.
"Insurers need to articulate security programs that contain policies driving overarching rules for everything--it's the linchpin between people and technology," said KPMG's Bryden. These programs include guidelines, standards, operational and monitoring procedures, and control mechanisms to ensure that security precautions are conducted effectively and in a continuous manner.
Insurers also should have appropriate nondisclosure agreements in place with partners and contractors so they know what information is proprietary and how to manage the information, said e-Sher's Pierson. In addition, insurers should incorporate procedures for employees to follow in the event that information "falls into the wrong hands," he said.
Due diligence, which requires companies to take prudent precautions and verify they are doing so, is another important process. Insurers should be able to prove that they're adhering to at least minimum required security standards, said Clint Kreitner, president and CEO of the Center for Internet Security, a nonprofit organization that helps businesses manage information security risks.
A trust relationship with outside entities, including business partners and contractors, requires due diligence to ensure that their systems meet insurers' security controls. Heavy reliance on outside entities for functions, such as Web hosting, creates new security vulnerabilities, and insurers need to perform background checks and determine what level of trust to put into connections with these outside contractors.
In addition, many outsourcing firms have indemnification clauses in their contracts to protect them in case their clients are attacked. Rob Hammesfahr, a managing attorney with Cozen O'Connor in Chicago, said that before insurers contract with outside vendors they should ask three questions--the scope of the indemnification that will be provided, the minimum operating or performance standards in the contract, and the security for the indemnification from the vendor, including the quality, type and amount of insurance that will be maintained. If a company outsources or contracts with an emerging technology business or any business with limited resources, an indemnity is only as secure as the business that provides it. If there is an insurance clause, the contract should provide that the company will be an additional named insured in the vendor's policies.
Technology Protects Technology
"Each year, more than 600 new vulnerabilities are identified in a multitude of software applications and operating systems, and in order to combat this threat, companies need to deploy technology that can assist them in performing a recurring assessment of their systems," said Digital Defense's Fleming.
Most insurers are using fire walls to protect themselves against intruders. It's important that these devices are properly configured to provide adequate protection and that they are installed at every possible point of entry.
Insurers also need to install fire walls and ensure that they are up to date, even if they're connecting to business partners through dedicated circuits. "This is very important, because these partners might be connected to the Internet without fire walls and if companies are not using these [devices], they are basically bridging themselves to the Internet with no protection mechanism," said Timothy Saltmarsh, corporate information security officer for CNA Group.
While fire walls play a key role in computer and network security, they are not a panacea or silver bullet-type solution, Fleming said. Many companies have Web servers behind their fire wall, but since the fire wall allows traffic to and from the server, it is imperative that the server also be secured against attack.
In addition to fire walls, many companies now are turning to intrusion-detection systems to increase their security protection. Operating much like signature-based virus scanners, intrusion-detection systems compare network traffic or host activity against patterns of known attacks and are used for such things as real-time attack monitoring and attack response. They also have been used in some situations to detect virus outbreaks, such as the recent "I Love You" virus, which overwrote image files carrying a ".jpeg" suffix with copies of itself.
This year, more than 70% of respondents to the Computer Security Institute's survey cited their Internet connection as a frequent point of attack, compared with 59% last year. Recent self-propagating worms, such as "Code Red," which infected an estimated 225,000 computer systems around the world, have paralyzed some companies' systems and forced time-consuming cleanup of infected computers.
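The kind of signature matching the preceding paragraphs describe, as an added example that is not part of the original article and not a product of any of the firms quoted in it: a small detector that reads Web-server access logs in Common Log Format and flags the HTTP probes sent by Code Red (a long run of "N" or "X" after /default.ida?, the overflow of the IIS .ida ISAPI filter fixed by Microsoft bulletin MS01-033) and by Nimda (requests for cmd.exe through directory traversal and for the root.exe backdoor left by Code Red II). It then applies a second, threshold-style rule: any source that trips three or more signatures is reported as a scanning host, which is how a worm shows up in practice. The log lines are constructed for the example, and the signature names and the threshold of three are the example's own assumptions.

```python
"""Signature-based detection over Web-server access logs (added example).

The log lines below are constructed; the request strings are the well-known
Code Red and Nimda probes of 2001, not traffic captured from any real system.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Common Log Format: host ident user [time] "method path protocol" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)(?: \S+)?" (\d{3}) ')

# Signature names are this example's own choice; the patterns describe
# the request lines the worms actually sent.
SIGNATURES = {
    # Code Red (N run) / Code Red II (X run): .ida overflow, MS01-033.
    "CodeRed-IIS-ida-overflow": re.compile(r"/default\.ida\?[NX]{50,}", re.IGNORECASE),
    # Nimda: cmd.exe reached directly via the C$/D$ share paths or via
    # encoded ".." traversal (%5c, %c0%af, %c1%9c ...) through /scripts, /msadc etc.
    "Nimda-cmd-exe-traversal": re.compile(r"/winnt/system32/cmd\.exe", re.IGNORECASE),
    # Nimda: root.exe is the copy of cmd.exe that Code Red II left behind.
    "Nimda-root-exe-backdoor": re.compile(r"/root\.exe", re.IGNORECASE),
}


@dataclass(frozen=True)
class Alert:
    src: str
    signature: str
    path: str


def scan_log(lines):
    """Return one Alert per log line whose request path matches a signature."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-CLF line; a real IDS would count these
        src, _method, path, _status = m.groups()
        for name, pattern in SIGNATURES.items():
            if pattern.search(path):
                alerts.append(Alert(src, name, path))
                break  # first matching signature wins
    return alerts


def scanning_hosts(alerts, threshold=3):
    """Sources that tripped at least `threshold` signatures: worm-like scanners."""
    counts = Counter(a.src for a in alerts)
    return {src: n for src, n in counts.items() if n >= threshold}


# Constructed sample log (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Sep/2001:10:01:02 -0400] "GET /index.html HTTP/1.0" 200 1043',
    '203.0.113.7 - - [18/Sep/2001:10:01:05 -0400] "GET /default.ida?'
    + "N" * 224 + '%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 276',
    '198.51.100.23 - - [18/Sep/2001:10:02:11 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276',
    '198.51.100.23 - - [18/Sep/2001:10:02:11 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 276',
    '198.51.100.23 - - [18/Sep/2001:10:02:12 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276',
    '198.51.100.23 - - [18/Sep/2001:10:02:12 -0400] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276',
    '192.0.2.10 - - [18/Sep/2001:10:03:30 -0400] "GET /images/logo.gif HTTP/1.0" 200 2214',
]

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for a in found:
        print(f"{a.src:15} {a.signature:26} {a.path[:60]}")
    print("scanning hosts:", scanning_hosts(found))
```

Two points the example makes that the paragraph does not: a 404 on a probe is still an alert (the server being immune does not mean the source is harmless), and a single signature hit is weaker evidence than the same source hitting several, so the per-source count is what should drive a block or an incident ticket.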
Insurers should make sure their virus-protection plans include protection on every desktop and regular updates, in addition to filtering gateways to the Internet. "It is important to have products and systems in place to detect an intrusion immediately and find out where it occurred and get it fixed quickly," said Pierson of e-Sher. Systems without these protection capabilities can be down or damaged for days or even weeks while companies try to examine what happened and where the problem occurred.
Industries already are gearing up for potential broad-based, cyber-terrorism attacks against the United States, and those closely tied to the insurance industry believe insurers also may be at risk.
"The need for vigilance has never been greater, and the events of Sept. 11 clearly showed how vulnerable we are," said Fleming of Digital Defense. Therefore, companies need to make online security a top priority.
Financial institutions and insurers are preparing for cyber-attacks, said Tracy Vispoli, assistant vice president of Chubb Corp.'s Department of Financial Institutions, which this year introduced a policy specifically designed to protect insurance companies and other financial institutions against losses resulting from Internet-related security breaches. Since Sept. 11, many financial-services associations are warning member companies about the potential for cyber-terrorism and other related attacks and what they can do to protect themselves.
But insurers need to remain confident in their protective measures to set an example for other industries. "U.S. business in general depends on insurance, and if the insurance industry is shaken, then business is shaken," said White Hat Technologies' Comerford.
Top 10 Internet Viruses in September 2001
W32/Nimda-A accounted for more than two-thirds of the viruses reported to Sophos, an anti-virus software vendor.
W32/Nimda-A is a Windows 32 virus that spreads via e-mail, network shares and Web sites.
W32/Sircam-A is a network-aware worm that spreads via e-mail and open network shares.
W32/Magistr-A specifically targets addresses from Outlook Express, Netscape Navigator and Internet Mail and News.
W32/Magistr-B is a variant of W32/Magistr-A, and is spread by infecting files and via e-mail.
W32/Hybris-B is a worm capable of updating its functionality over the Internet.
W32/Apology-B is a file-infecting virus with an e-mail-aware worm.
VBS/Kakworm is a visual basic script worm that exploits security vulnerabilities in Microsoft Internet Explorer and Microsoft Outlook.
W32/Flcss installs the virus in memory and then attempts to infect *.EXE, *.SCR and *.OCX 32-bit Windows files on the local hard drive and network directories.
W32/Bymer-A is a worm that propagates through open file shares.
W32/Badtrans-A arrives in an e-mail message with the text "Take a look at the attachment."
Share of viruses reported to Sophos in September 2001:
W32/Nimda-A     71.2%
W32/Sircam-A    11.4%
W32/Magistr-A    3.7%
W32/Magistr-B    3.0%
W32/Hybris-B     1.5%
W32/Apology-B    0.7%
VBS/Kakworm      0.7%
W32/Flcss        0.7%
W32/Bymer-A      0.5%
W32/Badtrans-A   0.4%
Other            6.2%
Source: Sophos
Date: Dec 1, 2001