In Alaska, beasts come in the form of enormous, long-haired, silver-salmon-mongering grizzly bears. Recently, while we were cleaning freshly caught silver salmon creek-side, a hungry grizzly bear appeared. We were not above fleeing to the safety of the garage to finish filleting the salmon.
We don't have a problem knowing where to find beasts in Alaska. We live amongst the beasts and must be prepared for these encounters. In our data-driven industry, beasts can look like information-corrupting viruses, ransomware, advanced attacks, denial-of-service (DoS) attacks or data breaches.
Unlike bear-wise awareness and protection for outdoor enthusiasts in Alaska, a cyber-wise focus on information security is a less commonly discussed beast in many businesses today. According to the National Cyber Security Alliance (NCSA), smaller businesses have become bigger targets for cybercriminals because the bad guys know they have fewer defense resources than large enterprises (staysafeonline.org, 2017). The NCSA reports that 77% of businesses do not have a formal written internet security policy for employees.
Cyber threats & plans
Whether in the woods and streams or in the web and cloud, we must overcome worry and limit unnecessary exposures by creating a culture where information security is treated as an important aspect of any business. We must learn the risks, utilize the best solutions, and choose trusted advisors when faced with unpredictable threats.
Consider the landscape of your company. Each day, you maneuver through this environment with clients’ personal data, like a backpacker carrying supplies. As you transfer sensitive data, do you think about the risk of someone else accessing it? This should be at the forefront of your mind when sending personally identifiable information (PII). We have vital information to protect including sensitive information, financial records and reports, and even intellectual property.
The most important concept in information security for those professionals outside of the discipline to understand is the concept of acceptable risk, which is best described by the following equation:
Acceptable Risk = Security Threats + Legal & Regulatory Requirements + Business Goals
In this equation, we establish the level of risk that we are comfortable with based on the threat, the compliance elements and our business goals.
It is almost second nature for us to set our acceptable risk in our everyday lives: driving to work in the morning, we don a seatbelt and stay within the lines on the correct side of the road, rather than blatantly disregarding risk by driving unbelted anywhere on the road without paying attention to our lane. Yet in our businesses, many of us are not thoroughly equipped to avoid data risks or to implement the information security methods and tools that protect our businesses.
More than half of small and medium-sized businesses have been the target of a cyber attack in the last year.
Small businesses, specifically, have been targeted by attackers due to vulnerabilities in the company software and methods. From the Symantec 2016 Internet Security Threat Report (ISTR), 43% of cyber-attacks targeted small businesses. Even more disconcerting, 60% of small businesses that have had a cyber-attack go out of business within six months of that attack.
From Keeper Security's 2016 State of Cybersecurity in Small & Medium-Sized Businesses (SMB), 55% of SMBs have experienced a cyber-attack and 50% a data breach in the last 12 months. Users reported that the most common types of attacks experienced include web-based attacks, phishing and social engineering, and general malware.
While it may be easier to suggest that all of the threats to an organization come from the outside, that's just not the case. The root cause of the data breaches was identified as primarily a negligent employee or contractor. At best, a company can decrease the likelihood of any given employee falling for a phishing attempt to about 20%, which is still relatively high.
As we learn more about the threat landscape, we can start to focus on the regulatory requirements. If we're seeking to comply with minimum data security standards, like COBIT and ISO 27002, which are becoming a common reference in insurance company data security policies, it can seem endlessly complex. We must recognize the standards that pertain to us, such as Sarbanes-Oxley (SOX) for financial information and HIPAA for sensitive medical information.
Insurers and clients need to begin thinking about not if there will be a breach, but what to do when one occurs.
Those of us in claim handling environments have a critical goal of protecting sensitive client data. As an industry, we have a responsibility to understand the minimum standards related to sensitive and personally identifiable data, and offer responsible protection to parties to a claim.
We will want to determine all of the precautionary tools and methods we can implement that will decrease the acceptable risk, including log collection, encryption, segmentation and much more.
Although not an exhaustive list, here are five solutions for increasing information security while simultaneously protecting client data.
1. Patches — Verify all operating systems, software and programs, such as web browsers, are fully patched and up to date. Updating software and systems provides patches for vulnerabilities that developers have identified, and instantaneously removes those vulnerabilities.
2. Firewall with anti-virus tools — Install a next-generation firewall that will provide the necessary edge security controls, including sandbox capabilities, intrusion prevention systems (IPS) and a virtual private network (VPN). Once this device is in place, organizations should focus on employee behavior.
3. Password management — Threat Informant, an Alaska-based information security consultant, suggests implementing password management software, which allows users to use different login and password combinations for different applications, while making it easy to change passwords regularly to comply with regulatory standards.
4. Employee Training — Organizations should have regular training for employees specifically geared towards phishing attacks and social engineering campaigns. Phishing is a common way for attackers to gain access to an organization, so quarterly training is recommended at a minimum to remind employees of this constant threat.
5. Incident response plan — Threats and beasts should be dealt with swiftly and effectively. Referral to a trusted external expert can help recognize vulnerabilities and limit avoidable exposures and losses.
By implementing these information security controls, a business lowers its acceptable risk while increasing its knowledge of the organization's network and of the users, software and devices that interact with it.
Companies should have the information needed and prepare to head out into the cyber wilderness with adequate protection. Should they encounter an attacker, they must be well equipped with effective solutions and a culture prepared to respond to help tame hackers and any other beasts.
Not all attacks can be prevented, but taking some practical steps can help mitigate the risks.
These steps, ranked in order of importance, can be followed by an organization to increase information security. While not exhaustive, they will help companies maintain a safe environment for employees to work with client PII.
1. Create awareness of phishing attempts.
2. Train staff about security risks.
3. Ensure computer updates (including third-party updates) are current.
4. Utilize endpoint protection.
5. Install a next-generation firewall.
6. Create log collection/correlation protocols.
7. Encrypt critical data – e.g., social security numbers, birth dates.
8. Employ regular back-ups of company information.
9. Require employees to regularly update passwords.
10. Provide physical security for the company.
Susan Daniels is the president of the National Association of Independent Insurance Adjusters (NAIIA), and is the president and owner of Alaska-based Northern Adjusters. Matt Peters is an information security consultant and Courtney Targos is an account manager for Threat Informant, an Alaska-based company offering professional consultation, threat intelligence and advanced threat analytics.