In the physical world, the most basic concept of security is making sure the doors are locked. But in the social networking world, the challenge for insurance CISOs is to keep the doors open while still securing sensitive data and intellectual property.
“From a security officer perspective, we need to find ways to say ‘yes’ to the business,” says Mike Dockery, CISO, Cincinnati Insurance Companies. “We need to enable our CIOs. If they want to use social media to connect with agents, employees, or customers, it’s my role to enable it in a secure fashion.”
“If I have a conversation at the water cooler or with my friends over dinner and divulge some information that I shouldn’t, that conversation isn’t preserved except in the minds of people who were there. With social media, it’s shared instantly with the world, and preserved forever,” Keller says.
“To some extent, it’s the same problem presented by forums, personal Websites, and other online venues,” he says. “What social media adds is an incredibly large audience.”
“Social media and mobile device management are connected. As a result, ‘holes’ into the corporate network that companies needed to create when those devices didn’t exist can be closed,” he says. “For instance, the fact that employees can communicate over social media channels on personal devices allows us to shut down some openings into our corporate network that were required to access personal Webmail.”
MEDIA AS METHOD
For instance, a cybercriminal could search for employees who are new to a company, then pose as one to call the IT department. “I can ask a lot of questions, say I’m new, ask for a password reset, and so on. I have credibility in asking as the ‘new guy,’ and I can play on people’s natural trust and willingness to help,” Wisniewski explains.
Social networking data capture has been a bigger concern for insurance carriers outside the P&C sector and for other financial institutions that have to comply with FINRA or SEC guidelines regarding the ability to capture, index, and archive electronic communications. However, P&C carriers can learn from the practices of other sectors because data capture guidelines and capture technology both include an implicit security component.
Up until a few years ago, New York Life had no choice but to say no to the requests of its sales force because, according to Haberman, the technology to comply with FINRA and the SEC regarding social media wasn’t available.
Loveland stresses that, as hackers become more aggressive in their attacks on social media, businesses must step up the use of traditional protection tools to verify incoming content and traffic and to detect cross-site scripting exploits and phishing. Content filtering, using spam blockers and anti-virus applications, should allow or block a communication based on analysis of its content. Identity and access management controls and multifactor authentication should be used to help stop authentication hacking.
In particular, data-loss prevention technology (DLP) that can identify sensitive data at rest, control its usage at user end points, and monitor or block its movement across network perimeters should be extended to social media platforms. “If I’m doing work and I have access to the payroll file, and I attempt to move data across the network to either a file or outlet that I shouldn’t, DLP should not allow an unencrypted transmission out. DLP can be essential,” says Loveland.
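An illustrative policy check of the kind Loveland describes, added here as an example (not code from the article or from any vendor's DLP product): it classifies outbound content, then blocks unencrypted transfers of sensitive data and any transfer of it to a social media channel, and logs the rest for review. The patterns, the host list and the sample transfers are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed detection patterns (assumption: a real DLP deployment would use
# tuned classifiers and fingerprints, not three regexes).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b\d{16}\b")
PAYROLL_RE = re.compile(r"\b(payroll|salary|direct deposit)\b", re.IGNORECASE)

# Hypothetical list of social media hosts the policy treats as public outlets.
SOCIAL_MEDIA_HOSTS = {"twitter.com", "facebook.com", "linkedin.com"}


def luhn_ok(digits: str) -> bool:
    """Luhn check so a random 16-digit string is not flagged as a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(content: str) -> set:
    """Return the set of sensitive-data labels found in the content."""
    labels = set()
    if SSN_RE.search(content):
        labels.add("ssn")
    if any(luhn_ok(m) for m in CARD_RE.findall(content)):
        labels.add("card")
    if PAYROLL_RE.search(content):
        labels.add("payroll")
    return labels


@dataclass
class Transfer:
    user: str
    content: str
    destination_host: str
    encrypted: bool


def evaluate(t: Transfer) -> tuple:
    """Decide allow / block / monitor for one outbound transfer."""
    labels = classify(t.content)
    if not labels:
        return ("allow", "no sensitive data detected")
    if not t.encrypted:
        return ("block", f"unencrypted transfer of {sorted(labels)} by {t.user}")
    if t.destination_host in SOCIAL_MEDIA_HOSTS:
        return ("block", f"{sorted(labels)} bound for public outlet {t.destination_host}")
    return ("monitor", f"encrypted {sorted(labels)} leaving perimeter; logged for review")
```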
The rapid evolution of social media and the devices used to access it keep CISOs in a reactive mode. “There tends to be a 12-18 month lag before a tool shows up that can really address the security behind new devices and vulnerabilities,” Dockery says.