In the physical world, the most basic concept of security is making sure the doors are locked. But in the social networking world, the challenge for insurance CISOs is to keep the doors open while still securing sensitive data and intellectual property.
“From a security officer perspective, we need to find ways to say ‘yes’ to the business,” says Mike Dockery, CISO, Cincinnati Insurance Companies. “We need to enable our CIOs. If they want to use social media to connect with agents, employees, or customers, it’s my role to enable it in a secure fashion.”
Dockery realizes networking is going to happen regardless of what CISOs do. “It’s going on whether we like it or not, so we have to deal with it,” he says. “People have social media on their personal smart phones, their iPads and tablets, and they’re using those devices for personal purposes. There are limits to what a company can block or control.”
“One of the biggest fallacies companies operate under is that social media won’t affect them if they don’t ‘officially’ use it,” says Brad Keller, senior consultant and program director at The Santa Fe Group, which performs strategic consulting for financial services companies. “You have companies blocking network access to social media or pretending like it doesn’t exist, but it does exist. Companies may as well embrace that rather than trying to control [access to] those sites.”
Not all social media is public, but most insurers think of social media in terms of marketing and customer communications. According to Novarica, use of social media for that purpose has exploded over the past two years compared to other Web 2.0 technologies: 62 percent of carriers reported using social media for customer communications in 2011, versus just 23 percent in 2009. (See “Customer Communication,” chart).
“The field and field management have an increasing desire to use social media. Agents are asking for it as another way to connect with customers,” says Roy A. Haberman, corporate vice president, New York Life.
But in meeting that need, companies need to control risk. For insurers, the key security risks of social networking include potential data leakage of sensitive information, unintentional upload of malware, and targeting of individuals for social engineering attacks.
“Data being exposed that shouldn’t be out there is the single biggest issue risk managers are concerned about,” says Don Desiderato, principal in Novarica’s insurance practice.
At a basic level, these risks are the same as could be applied to any number of other networking technologies. “Purely from the standpoint of information security risk, social media is nothing new. Security practitioners have always had to worry about data leakage through what employees say or do,” says Gary Loveland, US advisory security leader, PwC.
The difference is that social media has made it easier to say and do things that put companies at risk. “Social media established a culture of sharing information,” Loveland says.
“If I have a conversation at the water cooler or with my friends over dinner and divulge some information that I shouldn’t, that conversation isn’t preserved except in the minds of people who were there. With social media, it’s shared instantly with the world, and preserved forever,” Keller says.
“To some extent, it’s the same problem presented by forums, personal Websites, and other online venues,” he says. “What social media adds is an incredibly large audience.”
Technical security breaches leading to data loss occur through vulnerabilities in Web 2.0 technologies that support social media platforms or are caused by employees downloading malware. Social threats arise from intentional disclosure of information or through social engineering attacks against unsuspecting employees.
In a recent report on security, PwC notes social media’s flexible Web architecture enables exploitation and compromise. “Web 2.0 platforms are increasingly powerful and designed to enable easy sharing of rich data,” Loveland says.
Dockery illustrates that ease and power with a scenario in which the contents of a hard drive could be stolen via Twitter. The process would involve breaking the content up into thousands of individual tweets that are sent and then reassembled remotely.
“Web 2.0 is an amazing, very reliable communication technology. But if you aren’t monitoring your outbound Twitter feed appropriately, an entire hard drive can disappear without our knowledge,” he says.
“The same strategy is true for viruses,” Dockery adds. Virus-writers can place pieces of viruses on individual sites that are reassembled into a final code piece when all are downloaded.
“You can’t detect those type of viruses based on a single virus signature because that signature doesn’t exist until after it’s already on the user’s machine,” he says. “Web 2.0 technology has enabled a strategy for virus delivery that some filters can’t catch.”
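Dockery's point is that neither the individual tweet nor the individual download carries a signature worth matching; what is visible is the behaviour of the stream. The following is an added example, not code from the article or from any of the companies quoted, of the kind of outbound monitoring he describes: it reads a proxy log of posts to a social media API (the log format and the sample records are constructed for the example), groups posts per user and destination, and raises an alert when one account emits an unusually long burst of short, high-entropy (encoded-looking) messages inside a time window. The thresholds are assumptions to be tuned against real traffic.

```python
import base64
import hashlib
import math
from collections import defaultdict
from datetime import datetime, timedelta


def shannon_entropy(text: str) -> float:
    """Bits per character; English prose sits near 4, base64-encoded binary above 5."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(lines):
    """Parse constructed log lines of the form 'ISO-timestamp user host body...'."""
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, user, host, body = line.split(" ", 3)
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "host": host, "body": body})
    return records


def detect_chunked_exfil(records, window_seconds=60, min_posts=20, min_entropy=4.5):
    """Flag (user, host) pairs that post >= min_posts messages within the window
    whose mean entropy looks like encoded data rather than conversation."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["user"], r["host"])].append(r)
    window = timedelta(seconds=window_seconds)
    alerts = []
    for (user, host), recs in groups.items():
        recs.sort(key=lambda r: r["ts"])
        j = 0
        for i in range(len(recs)):
            # slide the right edge so recs[i:j] is every post within the window
            while j < len(recs) and recs[j]["ts"] - recs[i]["ts"] <= window:
                j += 1
            burst = recs[i:j]
            if len(burst) < min_posts:
                continue
            mean_h = sum(shannon_entropy(r["body"]) for r in burst) / len(burst)
            if mean_h >= min_entropy:
                alerts.append({"user": user, "host": host, "posts": len(burst),
                               "bytes": sum(len(r["body"]) for r in burst),
                               "mean_entropy": round(mean_h, 2)})
                break  # one alert per user/host pair is enough
    return alerts


def build_sample_log():
    """Constructed sample: alice posts three ordinary messages, bob emits 25
    base64 chunks of pseudo-binary data (SHA-256 digests) in under a minute."""
    base = datetime(2011, 9, 14, 9, 0, 0)
    lines = []
    normal = ["Out for coffee with the claims team, back at ten",
              "Great webinar on auto underwriting this morning",
              "Reminder: agency meeting moved to Thursday"]
    for i, text in enumerate(normal):
        lines.append(f"{(base + timedelta(seconds=15 * i)).isoformat()} alice api.twitter.com {text}")
    for i in range(25):
        chunk = (hashlib.sha256(f"chunk-{i}".encode()).digest()
                 + hashlib.sha256(f"chunk-{i}-b".encode()).digest())
        body = base64.b64encode(chunk).decode()
        lines.append(f"{(base + timedelta(seconds=2 * i)).isoformat()} bob api.twitter.com {body}")
    return lines


if __name__ == "__main__":
    for alert in detect_chunked_exfil(parse_log(build_sample_log())):
        print(alert)
```

Rate alone would also catch a chatty marketing account, and entropy alone would catch a single pasted link; requiring both within the same window is what separates a chunked transfer from normal use. The same two signals, applied to inbound downloads per endpoint, are the behavioural counterpart to the signature-less virus delivery Dockery describes.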
The success of earlier attacks has led to an increase in the use of social media by cybercriminals to infiltrate companies for financial gain or simply to cause mischief.
“If you look at it from the hacking side of the business, people are willing to spend a lot more time doing ‘data mining’ exercises that can be done more easily thanks to social media, to target a specific company, and to even develop a well-defined and rigorous process for monitoring that information due to the success of their efforts,” Loveland says.
“Hackers are increasingly sophisticated. They are trying to triangulate data from multiple sources, including social media, and bring that information together because that effort leads to outcomes that are successful by their standards,” he adds.
On the other hand, Dockery sees the potential of social media and the related rise of mobile devices to help lessen the risks associated with some other areas of electronic communication.
“Social media and mobile device management are connected. As a result, ‘holes’ into the corporate network that companies needed to create when those devices didn’t exist can be closed,” he says. “For instance, the fact that employees can communicate over social media channels on personal devices allows us to shut down some openings into our corporate network that were required to access personal Webmail.”
MEDIA AS METHOD
In addition to technology vulnerabilities, social media has the increased potential to expose sensitive data and intellectual property because of what Desiderato calls an “almost dangerous level” of assumed trust.
“A lot of carriers are worried that when people are collaborating on social media sites, even if it’s only internal employees, they are going to reveal sensitive data,” he says. “It’s easy for someone to say ‘give me your name and password so I can get into the system and look at the details you’re talking about,’ and people will do that because the nature of social media is around trust.”
Social engineering takes further advantage of the trust-based nature of collaboration media, enabling cybercriminals to pose as coworkers and colleagues behind an electronic cloak.
“Social networking sites do have their own security. There are apps for consumers to prevent them from being victims of scams. Companies have their own firewalls and security software and strategy. But ultimately technology is only of so much use because the real challenge of social media attacks is that they are done socially,” says Chet Wisniewski, senior technology advisor for Sophos.
“People put information on social networking sites that they wouldn’t otherwise reveal publicly. Customers, employees, and stakeholders can all reveal information about your company. And because that information is now out there, people are gathering it and using it. It’s definitely a richer target for someone who wants to do something unethical,” says Tom Andreesen, managing director in Protiviti’s social media risk practice.
“The password resets on corporate systems often ask employees to confirm personal information,” says Loveland. “That information often can be very easy to obtain as people include it voluntarily, along with identifying their employer, on social media sites, enabling virtually anyone to use that information as a phishing exercise or to gain access to corporate systems.”
And with social engineering, the disclosure of seemingly innocuous information can put companies at risk, Wisniewski observes.
“If I were to want to get into a company’s network to conduct some sort of espionage, sites like LinkedIn can be a goldmine of information,” he claims.
For instance, a cybercriminal could search for employees who are new to a company, then pose as one to call the IT department. “I can ask a lot of questions, say I’m new, ask for a password reset, and so on. I have credibility in asking as the ‘new guy,’ and I can play on people’s natural trust and willingness to help,” Wisniewski explains.
Insurers need to create a multi-tier protection strategy, starting with establishing policies and procedures that govern the use of social networks and corporate information.
“Something as simple as a social media policy is lacking at some insurers,” says Desiderato. “Some really haven’t built any governance around the social media security process.”
“We do see that a lot of companies have a very flimsy social media use policy,” agrees Andreesen. “If they don’t have a policy, they should create one. If they have one, they should monitor it, maintain it, and be sure employees are aware of it.”
Dockery believes the security profession has simply taken time to adapt to the new world of social media. “A year ago, the gap we had was that there weren’t enough templates around best practice policies that we could use to train people,” he says. “Today, you can go out and there are hundreds of social media policy templates.”
PwC identifies several key areas of a security policy that includes social media. Insurers should classify data so employees understand precisely what is—and is not—sensitive information, and who is authorized to share that information. They also should specify the types of social networking accounts that the company sponsors and how sharing of data via those sites is allowed. Policies can specify who is responsible for different types of communications and who has oversight responsibility for social media.
“Having a person or group of people with clear responsibility for security is essential,” Loveland says. “That may sound obvious, but too many companies overlook it.”
Businesses must then educate employees on those policies and the need to protect intellectual property and sensitive information, and they should fully detail the consequences of noncompliance.
But policies have their limits. “It’s important you train people as part of your control process, but it’s difficult to extend that training to people who aren’t under your control, such as agents and customers,” Dockery says. “They are going to post and send things, regardless of what your policies are. You are going to need to capture and track to solve the ‘he said, she said’ situations. Capture should be part of both your security and compliance strategies to compensate for these potential external risks.”
Social networking data capture has been a bigger concern for insurance carriers outside the P&C sector and for other financial institutions that have to comply with FINRA or SEC guidelines regarding the ability to capture, index, and archive electronic communications. However, P&C carriers can learn from the practices of other sectors because data capture guidelines and capture technology both include an implicit security component.
Up until a few years ago, New York Life had no choice but to say no to the requests of its sales force because, according to Haberman, the technology to comply with FINRA and the SEC regarding social media wasn’t available.
“Unless we could meet the requirements to archive [social media interaction] as a type of electronic communication, as is done for email, we could not use it,” Haberman says.
Deploying Socialware’s Compass software for compliance gave New York Life the ability to define and automate policies around social media use, including the extent of online activity that representatives are allowed to do. For instance, New York Life prohibits agents from ‘liking’ on Facebook, using apps on Facebook and LinkedIn, or re-tweeting.
“Those are all types of activities that could be construed as ‘endorsements,’” Haberman says.
Compass allows insurers to capture, index, and archive the interactions in Facebook, LinkedIn, and Twitter. It also lets companies control content that is considered non-compliant and prohibit it from being made public via social media, adding a layer of information security.
Although sound policies and processes are essential, insurers must not overlook effective security technology. “Because social media solutions can be deployed readily and made externally available, we’re seeing they’re not treated with the same rigor and testing and security design,” Andreesen says.
“Companies don’t do the same layered approach that they would use for other solutions,” he elaborates. “They have to treat social networking solutions just like they would for a major enterprise app rollout: make sure the security and technology teams are involved so the design is appropriate, so there is consideration for how that asset is linked into existing corporate assets, and so on.”
To that end, insurers must use multi-layered security solutions that monitor for malware, data leakage, and other suspicious activity. Loveland says a gap assessment around data leakage often leads to surprising results.
“As part of the ‘white hat’ [penetration testing] services we perform, we do a search for critical data and intellectual property,” Loveland says. “We often find that where data is supposed to be, it is properly secured. But we also find a high percentage of data that is in places where it shouldn’t be. People take extracts, make copies, dump it into spreadsheets, and now put it on social media. So instead of being protected, it’s exposed.”
Loveland stresses that, as hackers become more aggressive in their attacks on social media, businesses must step up the use of traditional protection tools to verify incoming content and traffic and to detect cross-site scripting exploits and phishing. Content filtering that draws on spam blockers and anti-virus applications should be used to block or allow a communication based on analysis of its content. Identity and access management controls and multifactor authentication should be used to help stop authentication hacking.
In particular, data-loss prevention technology (DLP) that can identify sensitive data at rest, control its usage at user end points, and monitor or block its movement across network perimeters should be extended to social media platforms. “If I’m doing work and I have access to the payroll file, and I attempt to move data across the network to either a file or outlet that I shouldn’t, DLP should not allow an unencrypted transmission out. DLP can be essential,” says Loveland.
But Wisniewski believes DLP doesn’t have as big a role in the 144-character world of social media as it does in other online venues, such as email. “To stop truly accidental transmission, DLP tools can detect the inadvertent cut and paste of small segments into social media, but you can’t paste a whole spreadsheet into a Facebook post,” he says. “Also, if you have a disgruntled coworker intent on causing trouble, they can get around DLP safeguards.”
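The two views above agree on the mechanics: a DLP control over social media works by classifying each short outbound post before it leaves. The following is an added example, not code from the article, from PwC, or from Sophos, of that classification step for the content Loveland and Wisniewski mention, a pasted fragment of a payroll or claims record. It matches Social Security numbers, Luhn-valid payment card numbers and a policy-number format (the `AB-12345678` shape is an assumption made for the example) as hard blocks, and treats sensitive keywords as a softer review signal; the sample posts are constructed.

```python
import re
from dataclasses import dataclass, field

# Identifier patterns; the SSN pattern excludes area/group/serial values that are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}[- ]?(?!00)\d{2}[- ]?(?!0000)\d{4}\b")
# 13 to 19 digits with optional single separators; Luhn check below cuts false positives.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# Hypothetical policy-number format assumed for this example: two letters, dash, eight digits.
POLICY_RE = re.compile(r"\b[A-Z]{2}-\d{8}\b")
# Terms that do not block on their own but route the post for review.
SENSITIVE_TERMS = ("payroll", "salary", "claim reserve")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Verdict:
    action: str                      # "allow", "review" or "block"
    findings: list = field(default_factory=list)  # (kind, matched text) pairs


def classify_post(text: str) -> Verdict:
    """Classify one outbound post; identifiers block, keywords only flag for review."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", m.group()))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            findings.append(("card", m.group()))
    for m in POLICY_RE.finditer(text):
        findings.append(("policy_number", m.group()))
    lowered = text.lower()
    for term in SENSITIVE_TERMS:
        if term in lowered:
            findings.append(("keyword", term))

    if any(kind in ("ssn", "card", "policy_number") for kind, _ in findings):
        return Verdict("block", findings)
    if findings:
        return Verdict("review", findings)
    return Verdict("allow", findings)


if __name__ == "__main__":
    # Constructed sample posts, the kind of short fragments a DLP gateway would see.
    for post in ["Just processed the Q3 numbers, great quarter!",
                 "Can you look at SSN 123 45 6789 on this claim?",
                 "card 4111 1111 1111 1111 declined again",
                 "policy AB-12345678 renewed today",
                 "the payroll export is on the share drive"]:
        v = classify_post(post)
        print(f"{v.action:6s} {v.findings} <- {post!r}")
```

The "review" tier is where Wisniewski's caveat lives: a post that talks about the payroll in plain words carries no identifier to match, so a deliberate leak phrased carefully passes the pattern check and can only be caught by a human reviewer or by the capture-and-archive controls discussed earlier.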
Although insurers tend to focus on security around social media accessed from in-office hardware, Loveland says that mobile devices such as smart phones and tablets running robust Web 2.0 apps are likely to become the next frontier for hackers. “It’s important that a company’s security policy protects any endpoint device and the data on it,” he says.
The rapid evolution of social media and the devices used to access it keep CISOs in a reactive mode. “There tends to be a 12-18 month lag before a tool shows up that can really address the security behind new devices and vulnerabilities,” Dockery says.
In fact, despite the risks of social networking, only 40 percent of respondents to PwC’s 2010 Global State of Information Security Survey reported their organization has security technologies that support Web 2.0 exchanges. In addition, a little more than one-third audit and monitor postings to external blogs or social networking sites, and only 23 percent have security policies that address employee access and postings to social networking sites.
“The insurance industry is really just looking at security around social media now,” says Desiderato. “Carriers have realized that social networking is part of the culture. They are starting by attacking it through a governance perspective, and the vendor market is starting to heat up and build solutions around what is said on social media.”
The best policy balances access and control and employs a defense-in-depth strategy that involves both business and IT.
“IT needs to partner with the business to say we’re not going to block or restrict you, we’re going to try to help you, and we would like you to help us by doing and not doing certain activities,” Wisniewski says. “Companies need to provide technological defense, but they also need social behavior change in addition to technology.”
For CISOs, the continued challenge will be to find ways to say “yes” to the business, while protecting users from themselves.
“Understanding the ownership and control challenges around social media and accepting the fact that you can’t rely on technology alone to protect you are the first steps. The good thing is there has been an increase in the development of effective social media policies and an awareness of security around social networking in general,” says Dockery.
“As always,” he adds, “an essential part of security is the ‘firewall between the ears.’”