The Connected Business of Insurance
June 25, 2015
Senior Vice President
IT and Cloud Services
Director of Information Security
Data security is more important than ever as information has become increasingly digital. Insurance professionals need to be aware of the risks to their business and how to safeguard their data against cyber threats. In this podcast, Tim Sander and David Gerlach of Applied Systems discuss data security in the insurance industry and how agencies and brokerages can protect their data against cyber threats. Sander and Gerlach speak to data security measures you can take at your agency or brokerage, including mobile security, software patches, antivirus solutions and best practices to create a safe working environment.
Here are highlights from our conversation:
- Applied Systems: Why is data security more important than ever?
- Tim Sander: Data security seems to be a very big topic for everybody. At this year’s World Economic Forum, cyber attacks landed on the global risk list for 2015. This risk is heavily evaluated in the United States and government is pushing corporate America to do more to protect their information. Yet, we continue to see an increased number of breaches. In the report by the California Attorney General there were 187 breaches documented within the state of California just in 2014 and 75% of those come from small to medium businesses. Hackers aren’t just targeting the large Home Depots, Target and the IRS (situations you hear about every day); this is a growing problem for all of corporate America. This means that we have to spend more time on educating, not only the general public, but also the insurance industry. Specifically, agents need to become more aware about what exposures are within their systems and how they can provide better coverage options for their insureds.
- Applied Systems: Do you think insurance professionals are generally aware of the risks their businesses face against cyber threats?
- Tim Sander: Overall, the industry is doing a better job addressing the needs of their customers as it comes to cyber risks with various policy options. However, I don’t believe that agencies and brokerages are necessarily taking the right amount of time to evaluate their own risks.Agency management system databases contain tens of thousands of records with personal information. With the cost of data breaches on the rise, (documented by the 2015 Ponemon Institute report) it’s now $259 per record for the financial services sector. This is a risk that can’t be overlooked.It’s no longer about hackers attempting to get to specific things. It’s more about hackers firing off a million requests in hope that they receive a 1% response. Whatever that information is, that data then becomes the subject for the next big story. This means that the old methods of placing a firewall and installing anti-virus software on a workstation or PC are no longer enough. Protecting against threats today requires continuous evaluation of the risks, the measures to protect those risks and requires investment in people, process and technology.
- Applied Systems: Are insurance professionals starting to take action to safeguard themselves against cyber threats?
- Tim Sander: I think there’s a false sense of protection that it (data breaches) “only happens to the big guys.” It’s important that we continue to evaluate what’s necessary to protect our own business. Applied can provide strategic counsel on how to help you evaluate and leverage technology to better protect data. We have solutions within our offerings that help decrease the risk by moving data out of localized environments.
- Applied Systems: How are we addressing some of these risks here within Applied, both from our own corporate perspective and then in our Applied environments?
- David Gerlach: One of the first things we do is we conduct a thorough risk assessment of the environment. We look at asset profiles. We look at the business impact of those profiles being compromised. We understand the threats that those assets face, as well as calculate that risk and then try to mitigate those risks.We’ve also moved into taking that information and really developing a strategic plan around our security program. As Tim had mentioned, Applied invests a significant amount of time and money and resources into continuing to improve our security program. A few things David noted from the security program:
Traditionally, a lot of companies leverage a paid backup system. We understand the risks around paid backup from both a security and a business continuity perspective and therefore we’ve moved to what we call a replicated disk-to-disk technology. What that allows us is two things. One, faster uptime, faster recovery. Two, getting away from taking tapes, a physical asset and sending them offsite and procuring a very detailed asset management program to understand where every tape is and where it’s offsite at. By moving away from those tapes, we’ve really killed two birds with one stone.
All our customer databases in our online environment today are encrypted with ADS-256 encryption. That really helps prevent any accidental loss of sensitive or protected information.
- Physical security controls:
Within our Applied online data centers, we have very advanced security facilities. We use biometrics, complex video surveillance and we have strict access control policies.
- Applied Systems: What should agencies do to address cyber threats?
- David Gerlach: It’s about understanding your risks. You need to identify those risks and have, what I would call, an in-depth risk assessment strategy.A few steps David mentioned to build a strategy to address cyber threats:
- Leverage cloud solutions
Leveraging technologies like the Cloud is really not a bad thing (as some people have come to think). It’s actually a good thing as long as it’s a reputable cloud solution.
- Understand your system and software
If you’re not securing your work stations, your laptops, your phones, etc. that’s a potential breach point for you.
- Know what your employees are downloading
One of the things we see in the security industry is a lot of people are downloading software from less than credible sites. Sometimes pirated sites. That software almost always includes additional items that you don’t know you are downloading. A lot of malicious software; viruses, spyware, malware, you name it. Always be very careful what you and your employees are downloading. Always make sure it’s credible.
- Educate your users
I was at a conference yesterday and the FBI was there and they said, “If we could just stop users from clicking on attachments, URLs and emails, we’d probably cut down 98% of malware that exists in the world today.” Before you click on that email, look at what that email says and who it’s to. If it seems malicious, urgent or just doesn’t seem right, don’t click on it. Just delete it.
- Create an acceptable use policy
What can they (your employees) do with the information they maintain and what can they do with the information assets that they’re using? What can they not do? That’s part of an acceptable use policy. Something that I’ve always encouraged every agency to pursue.
- Leverage cloud solutions