Other than sharing common products, the differences between the top tier of insurance carriers and their smaller rivals can be enormous. Those differences are even more apparent when looking at the issue of security. Larger insurers have a target on their back that the mid-tier don't have to deal with, but with smaller IT staffs, the mid-tier and smaller carriers have to not only keep up with known threats but also be on the lookout for attacks that weren't foreseen when they first decided to let customers—and the attackers that come with them—inside their perimeter.

The larger insurance carriers are proactive, according to David Helms, vice president of the cyber security center of excellence, the consulting arm of Salient Federal. The top tier recognized that the Internet and mobile computing are strategic to their business, which changes a carrier's security posture.

Most mid-tier carriers are just beginning to move in that direction, adds Helms.

“Generally you have one or two IT guys doing security and it's more on a part-time basis,” he says. “We find [the mid-tier] to be receptive to help and recognize their own vulnerability. The business models the bigger carriers have been using are things they want to follow—a Web interface or mobile solutions. That gets them thinking about their threat boundary.”

Whether it is harder or easier for carriers the size of BrickStreet Mutual Insurance to keep things secure is a matter of opinion.

“In some respects it's easier,” says Skip Langlois, director of internal audit for BrickStreet, a regional workers' comp carrier located in West Virginia. “We only have 340 employees so we don't have the bureaucracy that a lot of organizations run into. On the flip side, we only have 340 employees and you are talking to the only two people (himself and the carrier's information security officer) that are primarily involved in security at the company.”

One advantage BrickStreet may have over some of its competitors is a focus on security at the senior management level. Also, BrickStreet is just six years old—having migrated from a state entity into a private company—so it doesn't have the legacy issues that older companies deal with.

Helms points out that attackers often look for a “big-name brand” when they are scouting for vulnerabilities, but hackers are also seeking “targets of opportunity,” which affects smaller insurers.

“Attackers scan the entire Internet and if a target of opportunity shows up, they are going to take it—regardless of your size—and at least explore it, particularly if the target is a financial services company,” says Helms.

Being Proactive

Historically, insurance carriers have been more reactive to security challenges than other financial services sectors, but Vikram Bhat, a director at Deloitte, believes insurers are shifting to a more proactive posture: understanding where the security landscape is changing and how they must react to those changes.

“Clearly, being proactive starts with basic blocking and tackling,” says Bhat. “[Insurers] need to understand where the critical assets are. Assets include not only core applications but people, as well. The risk landscape is changing and the bad actors are concerned as much about people as they are physical assets.”

The change also includes advanced capabilities around cyber intelligence, event monitoring and correlation, as well as piecing together data across various parts of the security landscape to look for anomalies, adds Bhat.

One reason insurers have trailed other parts of the financial services sector is that the regulatory requirements in banking and securities have traditionally been more stringent, according to Bhat.

“That's where the interest was for the bad actors,” he says. “So the maturity there is better, although different organizations offer different scales. Now there's a realization by insurance carriers to improve their security because there is more at stake.”

Information risk management requires a balance, though, according to Dan Greteman, CIO of Allied Group, part of the Nationwide Insurance family of companies. If a company has security issues, employees and customers are unhappy; if it has none, it is perceived as being too aggressive in its approach to security.

“We have an information risk management organization that is focused in terms of where are the risks,” says Greteman. “It could range from technology risks to business risks. We have a good framework of proactive risks. We use a heat map to assess different risks, we actively address them, we test them, and we have procedures around how we pilot or test different capabilities. There is a great mixture of reactive and proactive procedures.”

Keeping up with new threats is difficult for mid-tier and small insurance companies, explains Deepesh Randeri, information security officer for BrickStreet. That is why BrickStreet depends on third parties, whether SANS or vendors such as McAfee, for threat information.

“We do proactive log monitoring with systems-generated logs,” says Randeri. “A vendor monitors our logs for critical devices. They do a lot of research because they are in the business of keeping things secure and keeping their customers in the loop. Whenever they anticipate new threats, we get notified and they recommend certain parameters for our core devices so if we were to be attacked the logs would track that.”
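Randeri's description of vendor log monitoring, and Bhat's earlier point about event correlation across different parts of the environment, both come down to a question a central monitor can answer and a single device cannot: is the same source misbehaving on more than one system within a short window? The following is an added example, not BrickStreet's, its vendor's or any product's code. It parses a handful of constructed authentication log lines from three assumed core devices (vpn-gw1, dc01, web01; the line format is also an assumption) and raises one alert per source whose failures span several devices, rating the alert higher when a successful login follows the burst.

```python
"""Cross-device correlation of authentication failures.

Added example with constructed log lines; not BrickStreet's or any
monitoring vendor's code. Device names and the line format are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. Assumed format per line:
# "TIMESTAMP DEVICE EVENT src=IP user=NAME" with EVENT in {AUTH_FAIL, AUTH_OK}.
# The last line is deliberately not an auth record, to show it is skipped.
SAMPLE_LOGS = """\
2012-03-01T08:00:01 vpn-gw1 AUTH_FAIL src=203.0.113.7 user=jsmith
2012-03-01T08:00:03 vpn-gw1 AUTH_FAIL src=203.0.113.7 user=jsmith
2012-03-01T08:00:05 vpn-gw1 AUTH_FAIL src=203.0.113.7 user=admin
2012-03-01T08:00:08 dc01 AUTH_FAIL src=203.0.113.7 user=jsmith
2012-03-01T08:00:09 dc01 AUTH_FAIL src=203.0.113.7 user=dranderi
2012-03-01T08:00:12 dc01 AUTH_OK src=203.0.113.7 user=dranderi
2012-03-01T08:05:00 vpn-gw1 AUTH_FAIL src=198.51.100.4 user=mlee
2012-03-01T08:05:10 vpn-gw1 AUTH_FAIL src=198.51.100.4 user=mlee
2012-03-01T08:05:20 vpn-gw1 AUTH_FAIL src=198.51.100.4 user=mlee
2012-03-01T08:30:00 vpn-gw1 AUTH_OK src=198.51.100.4 user=mlee
2012-03-01T09:00:00 web01 AUTH_OK src=192.0.2.10 user=agent42
Mar  1 09:00:05 web01 httpd: GET /index.html 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (AUTH_FAIL|AUTH_OK) src=(\S+) user=(\S+)$")


def parse(text):
    """Turn raw lines into event dicts; lines that are not auth records are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # a real pipeline would count unparsed lines as a health metric
        ts, device, event, src, user = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "device": device,
                       "event": event, "src": src, "user": user})
    return events


def correlate(events, window=timedelta(minutes=1), min_failures=3, min_devices=2):
    """Flag sources whose failures inside `window` hit at least `min_devices`
    distinct devices, and note whether a success followed within the window.

    min_devices=2 is the cross-device view a central monitor adds on top of
    each device's own lockout policy; min_devices=1 also catches single-device
    bursts. These thresholds are the per-device "parameters" to tune.
    """
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        fails = [e for e in evs if e["event"] == "AUTH_FAIL"]
        for i, first in enumerate(fails):
            burst = [e for e in fails[i:] if e["ts"] - first["ts"] <= window]
            devices = {e["device"] for e in burst}
            if len(burst) < min_failures or len(devices) < min_devices:
                continue
            last_fail = burst[-1]["ts"]
            # A success right after a failure burst is the pattern worth paging on.
            success = next(
                (e for e in evs
                 if e["event"] == "AUTH_OK" and last_fail <= e["ts"] <= last_fail + window),
                None,
            )
            alerts.append({
                "src": src,
                "failures": len(burst),
                "devices": sorted(devices),
                "users": sorted({e["user"] for e in burst}),
                "followed_by_success": success is not None,
                "success_user": success["user"] if success else None,
                "severity": "high" if success else "medium",
            })
            break  # one alert per source per run
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse(SAMPLE_LOGS)):
        print(alert)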

Mobility

Mobile computing also has both pluses and minuses when it comes to security, points out Helms. It is important to allow customers to do business the way they want to do it, but the security issues can't be ignored.

“Mobility is a great, enabling way to do business and respond to your customer requirements, but at the same time it smears data across what we used to think was a distinct boundary of our enterprise,” says Helms. “The problem with mobility is the boundary doesn't exist anymore. It moves back and forth quickly and pervasively. Wrapping those communication mechanisms, ensuring the integrity of the endpoints, and ensuring only the right entitlements are exposed to the right users is a big challenge, but it is a key to customers and agents in the field.”

Mobility, like any new technology, offers huge opportunities, but with opportunity comes risk, explains Bhat. Users are embracing the technology, and the issues arise at a number of levels, from the policy structure to the discussion around bring-your-own-device.

“It goes from understanding how mobile devices are really used, what data and transactions you are conducting on those devices, and figuring out what you will allow and not allow,” says Bhat. “There is still a lot we don't know about this topic, but people are figuring it out. There is no one right answer to figuring out how to make it secure and what construct in which to make it happen.”

Given the consumerization of technology and the additional devices that make people more productive, Greteman believes an organization has to be responsive to them.

“When we look at the issue of personally-owned devices as well as tablets in the field, it's critical to the business,” he says. “These are easy-to-use items that make people more productive and facilitate a greater exchange between agents and policyholders. It's here to stay and people need to be prepared for it.”

For devices that connect into the organization, Greteman maintains you need the ability to segment the personal and business components.

“Technology needs to support the idea that if someone loses their personal device you can wipe the machine remotely so there is no sensitive information on the devices,” he says.

With smartphones, Greteman points out, it is less likely that people are creating materials on their phone, whereas the screens on tablets are big enough for most uses.

“You have to have a segmented posture on the devices, whether it is an Apple, Android or other device when it comes to tablets vs. smartphones,” he says. “For the last two years we've put structure around it and worked to define solutions for the business and personal components. We have a large number of folks on personally-owned devices from the phone perspective and a smaller number on tablets because not as many people have tablets. Their size also is a factor in the creation of materials.”

Social media

Social media creates security issues at two levels, explains Bhat. First, businesses have to look at social media more carefully than most people do, because what employees put out on social media can let bad actors gather intelligence and get more specific in their targeting.

“Understanding what information goes out there and what is visible to the external world becomes critical,” says Bhat.

The second aspect involves the legal and regulatory issues that arise from uncontrolled use of social media sites.

“Like any other evolving technology, what companies need to do is to look at it from the construct of whether they have controls in place across various parts of the enterprise,” says Bhat.

With four different generations in the workforce, Greteman points out, there are different dynamics around social media.

“The concept of being personally connected and linked to your personal life is a reality and in many ways we look at it and embrace it,” says Greteman.

Helms has three questions insurers need to address about security and social media: Are our employees engaged in social media in a way that is exposing our internal data? Is any of our proprietary information leaking out into these social networks? Is there a possibility of any customer data—even inadvertently—being communicated in those environments?

“Oftentimes it comes back to the old-fashioned approaches such as email phishing,” he says. “That's still the easiest way to get inside the corporate boundary. Attackers go through social networks and develop social profiles. They identify a person you trust and send you an email with a link you would not think twice about clicking. The development of that information is one of the more significant threats than even a proprietary data leakage.”

Take Responsibility

Helms points out that federal mandates such as HIPAA and Sarbanes-Oxley have raised security as an issue to the executive and board level, with real consequences for a company's leadership if these things aren't handled correctly.

Not all executives understand what needs to be done, though. Helms has spoken to many executives who view security as a “bolt-on” to their system.

“The last thing [executives] think about is whether the system is secure, but when you imagine your system in the beginning it's whether your system is resilient and available when customers want to use it and will it maintain confidentiality,” he says. “We try to get security out of the back end and into the front end and build in security as part of the development process. Every time they think of a new feature or capability, part of that iterative development process is that security needs to be part of that conversation.”

Helms points out customers should be more diligent when they are doing financial transactions.

“There is a strong criminal element that is interested in what kind of information they can get—from your accounts or credit cards,” he says. “Customers are expecting their provider is addressing the security challenges and the responsibility from their perspective is on the provider. The insurance industry has a diligence they need to pay to protect that and the customer needs to challenge those providers.”

Security starts at the board of directors, explains Langlois. The BrickStreet board was very much involved in getting the company set up.

“They were making sure we were doing things the way they needed to be done,” he says. “One of the things we do that some companies may not be doing is have a code of conduct. Usually it is written by the legal department or HR. Our audit committee of the board has taken responsibility so much so that our board members attest on a regular basis that they have read the code. This applies to vendors as well as the board and they report annually if they have any conflicts of interest. If they do, it is documented in a board resolution and the board members have to state in the resolution how they are going to address that conflict.”

Security didn't become a big issue until companies began doing business on the Internet 10 years ago, points out Langlois.

As a start-up company, “we didn't have to build momentum for security,” he says. “Plus, we have a CEO that wants to know if there is a problem and has no problem if people come in with an issue because he wants to fix things. We've been given a lot of latitude to do things best practice. We are doing things you don't typically see of a company our size.”

Randeri also takes great pride in what BrickStreet has done over a short period of time.

“We are bleeding edge with a lot of the [security issues] we are doing,” says Randeri. “That's primarily because we have the blessing of the board and senior management. We had a Fortune 500 company ask us for a copy of our security plan.”

The Basics

Both Langlois and Randeri believe it is imperative that everyone within the company is on the same page when it comes to security.

“We had to make sure our employees were security conscious enough that they were not passing personally identifiable information (PII) via plain text email,” he says. “We had to make sure our employees were savvy enough to not leave claims or policy documents on tables when they were done for the day. We did a lot of education right at the beginning and even today we have yearly awareness training and it is incorporated into new employee orientation. We are trying to build a culture. Our employees are very security conscious right now and we have taken steps to be as protected as we can.”

Security professionals have to be right all the time, explains Randeri, so that means being proactive and performing vulnerability tests.

“We do vulnerability assessments on an annual basis,” he says. “That's not a requirement by a regulatory body; that is our plan. We make sure we mitigate the vulnerabilities that have been identified, we make sure we do a complete review of our LDAP server or Windows Active Directory so only those people that need to have access do have access—the principle of least privilege. When the regulators or external auditors come in, we can show them exactly what we have been doing the past 12 months and so far they are pleased with what we have been doing.”
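The access review Randeri describes, confirming that only people who need access have it, becomes mechanical once a directory export is set beside an approved baseline. The following is an added example, not BrickStreet's procedure or tooling. It reviews a constructed Active Directory style export (accounts with an enabled flag, last logon date and group memberships) against a constructed HR roster and a per-role matrix of approved groups; every account, role and group name is an assumption. It reports memberships beyond the role's baseline, accounts with no owner in the roster, disabled accounts that still hold privileged groups, and stale accounts, each with a severity that is raised when a privileged group is involved.

```python
"""Least-privilege access review of a directory export.

Added example with constructed data; not BrickStreet's procedure. All
accounts, roles and group names are assumptions.
"""
from datetime import date, timedelta

# Groups whose membership is treated as privileged (assumption).
PRIVILEGED_GROUPS = {"Domain Admins", "Security-Admins", "Backup-Operators"}

# Constructed HR roster: the single role each account is supposed to hold.
ROSTER = {
    "jsmith": "claims_adjuster",
    "mlee": "underwriter",
    "dranderi": "infosec",
    "svc_backup": "service",
}

# Constructed least-privilege baseline: the groups each role is approved for.
APPROVED = {
    "claims_adjuster": {"Domain Users", "Claims-ReadWrite"},
    "underwriter": {"Domain Users", "Policy-ReadWrite"},
    "infosec": {"Domain Users", "Security-Admins", "Log-Readers"},
    "service": {"Backup-Operators"},
}

# Constructed directory export, shaped like a flattened AD/LDAP dump:
# account, enabled flag, last interactive logon, group memberships.
DIRECTORY = {
    "jsmith": {"enabled": True, "last_logon": date(2012, 2, 28),
               "groups": {"Domain Users", "Claims-ReadWrite", "Domain Admins"}},
    "mlee": {"enabled": True, "last_logon": date(2011, 10, 1),
             "groups": {"Domain Users", "Policy-ReadWrite", "Claims-ReadWrite"}},
    "dranderi": {"enabled": True, "last_logon": date(2012, 3, 1),
                 "groups": {"Domain Users", "Security-Admins", "Log-Readers"}},
    "svc_backup": {"enabled": True, "last_logon": date(2011, 9, 1),
                   "groups": {"Backup-Operators"}},
    "bjones": {"enabled": False, "last_logon": date(2010, 6, 1),
               "groups": {"Domain Users", "Domain Admins"}},
    "contractor7": {"enabled": True, "last_logon": date(2012, 1, 15),
                    "groups": {"Policy-ReadWrite"}},
}


def review(directory, roster, approved, privileged, as_of, stale_days=90):
    """Compare actual memberships with the approved baseline; return sorted findings."""
    cutoff = as_of - timedelta(days=stale_days)
    findings = []

    def add(account, finding, groups, high):
        findings.append({"account": account, "finding": finding,
                         "groups": sorted(groups),
                         "severity": "high" if high else "medium"})

    for account, rec in directory.items():
        held = set(rec["groups"])
        held_priv = held & privileged
        role = roster.get(account)

        if role is None:
            # No owner in HR data, so nobody can attest the account is still needed.
            add(account, "unknown_account", held, bool(held_priv))
        else:
            excess = held - approved[role]
            if excess:
                add(account, "excess_membership", excess, bool(excess & privileged))

        if not rec["enabled"] and held_priv:
            # Disabling an account does not remove its memberships; re-enabling
            # it (or an attacker doing so) restores the privileged access.
            add(account, "disabled_in_privileged_group", held_priv, True)

        if rec["enabled"] and rec["last_logon"] < cutoff:
            # Unused but live accounts are targets nobody is watching.
            add(account, "stale_account", held_priv, bool(held_priv))

    return sorted(findings, key=lambda f: (f["account"], f["finding"]))


def run_review(as_of=date(2012, 3, 1)):
    """Run the review over the constructed data as of the assumed review date."""
    return review(DIRECTORY, ROSTER, APPROVED, PRIVILEGED_GROUPS, as_of)


if __name__ == "__main__":
    for f in run_review():
        print(f"{f['severity']:6} {f['account']:12} {f['finding']:28} "
              f"{', '.join(f['groups'])}")
```

The report is what an auditor would ask to see for the past twelve months: each finding names the account, the rule it tripped and the groups involved, so the remediation (remove the group, disable or delete the account, or record an approved exception) can be tracked against it.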

Investment

There is a broad awareness of the topic of security at the higher levels of the company, but how much investment is made is often dictated by the regulatory climate and oversight.

“If there are incidents that get a lot of attention or if a board member asks the right questions or a C-suite executive gets behind it, the combination of these factors drives the spend level throughout an organization,” says Bhat. “In general, people have to fight for dollars and that's why we always recommend to clients that they have an information security strategy. You need to be able to optimize the spending of resources on these items. Sometimes that takes time, but that's the right way to do it.”

Reacting to incidents is the easiest way for security units to gain funding: when the company is attacked, whether through the website or some other area, executive leadership can see the impact of those risks directly.

The other side, according to Greteman, is the company's posture and investment stance regarding potential future threats.

“We look at our risk posture constantly,” says Greteman. “We've got a very intuitive framework which we use to understand where we are, what to worry about, and what we need to do to mitigate. Having transparency and understanding with your board is important and I believe we are there.”

Other industries

Greteman doesn't worry about how the insurance industry is perceived with regard to security as much as he worries about his own company. In that regard he feels Allied stands up well among the competition, citing the Ponemon Institute naming Nationwide, for the second year in a row, one of the most trusted companies for privacy in the U.S.

That doesn't mean Allied can ever afford to relax. Greteman doubts that the issue of security will ever disappear.

“Anytime there is money, personal information, and the ability to do harm to folks, you are going to have people out there trying to take advantage of that,” he says.

Newer technology adds risk, but Greteman wonders how far companies take it.

“I feel good about where we are as an organization—a great mix of reactive and proactive,” he says. “We attend security events across industries and speak to others to get a good perspective on what they are dealing with. It doesn't matter if you are a financial services company, an insurance company or a telecommunications company, likely you have very similar dynamics. We are learning from them and I believe we've had very good results. As we move into new models and packaged software, we need better integration to make sure we are protecting our policyholder data and personal information.”

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.