The security breach of Nationwide Insurance last week is the last thing anyone in the business world wants to announce. There’s a level of trust associated with any company that consumers choose to do business with, but despite the best efforts of those companies and their security teams, the attack on Nationwide doesn’t appear to be anything out of the ordinary, nor will it be the last of its kind.
In an article to be published in the December issue of Tech Decisions, I interviewed Dan Greteman, CIO of Allied Group, a part of the Nationwide family. The interview was conducted in late September, just days before the attack on his company.
Greteman was proud of Nationwide’s record on security, but hardly cocky. He pointed out that for two years in a row the Ponemon Institute had listed Nationwide as one of the most trusted companies in the United States in terms of privacy.
Like all accolades, though, they focus only on what has happened in the past. Security-conscious CIOs, as Greteman admits, need to focus on the future. He also doubts that security issues will ever disappear.
“I feel good about where we are as an organization—a great mix of reactive and proactive,” he says. “We attend security events across industries and speak to others to get a good perspective on what they are dealing with. It doesn’t matter if you are a financial services company, an insurance company or a telecommunications company, likely you have very similar dynamics. We are learning from them and I believe we’ve had very good results. As we move into new models and packaged software, we need better integration to make sure we are protecting our policyholder data and personal information.”
How many CIOs would say the exact same thing about their company? Quite likely, most, but that statement—and the attack on Nationwide—only goes to show how difficult a job companies have to protect their private information on systems that are vulnerable to attack.
We as consumers trade off security every day of the week for one simple reason: convenience. We want quick access to the personal information we share with companies to pay our bills and conduct important business functions. As Greteman points out, when there is something of value sitting out there, criminals will find ways to get their hands on it.
“Anytime there is money, personal information, and the ability to do harm to folks, you are going to have people out there trying to take advantage of that,” he says.
Vigilance in terms of data security is a 24-hours-a-day job, and even then it might not be enough.