IT Security Threat Reaches Executive Level

The success of a company now relies on its ability to secure critical data.  When escalated to this level of importance, it's time for the CEO and board to become directly engaged in the process.

The traditional role of IT has changed significantly in recent years.  IT professionals, previously tasked with configuring office computers and network servers, are now entrusted with securing trade secrets and highly sensitive customer records.  Add to this a surge of cloud-based applications and storage that make an organization's data vulnerable and the IT department suddenly has a very full plate.

Organizations are being targeted primarily for the purpose of financial gain.  Customer records often include sensitive data that can be easily monetized, providing ample motivation for both hackers and internal threats.  As companies increase their digital assets -- through the harvesting of more customer personal, financial and transaction information - they become a higher profile target for thieves.

Failure to Recognize a Breach

single sign-on breachFirewallThe challenge often seems to be detecting and resolving intrusions.  Sometimes the first notification of a breach comes from federal investigators who've discovered the organization's data on the open market.  Even when signs of suspicious activity present themselves, too frequently the threat is not given proper escalation.

Of greatest concern is the timely reporting of incidents through the levels of company leadership, regulatory authorities and, ultimately, the effected parties. The IT department might feel compelled to research and resolve the breach before notifying senior management.  This can turn a potentially damaging situation into a public relations nightmare.

Common Language is Key

The solution begins with establishing a communication channel and common language between business and IT leaders.  Together they must understand and agree upon the level of risk the organization is willing to tolerate.

These marching orders allow the IT department to make a plan that meets these strategic needs.  Once completed, the gaps, priorities, and strategy needs to be communicated back to the CEO and board in a language that top leadership can understand.

Lastly, don't deny the limitations of your IT department.  The complexities and rapidly changing nature of security breaches may require the assistance of outside expertise to keep systems and procedures current.

This post is based on a TechRepublic article by Michael Kassner titled, "C-level execs need to rethink IT security".  

Are Insurance Companies Managing Their Risk of Data Breach?

An injury that doesn't happen needs no treatment. An emergency that doesn't occur requires no response. An illness that doesn't develop demands no remedy. The best way to stay safe ½ is to avoid getting into trouble in the first place. That requires planning, training, leadership, good judgment, and accepting responsibility--in short, risk management.  

 -- Boy Scout Field Book

Insurance companies are the experts at analyzing and managing risk. They identify, quantify and set pricing based on the calculated costs of risk. Naturally, the higher the perceived risk, the higher the cost to mitigate the potential losses.

Yet here is the irony.  While those in the insurance industry excel at evaluating risk management for their clients, they often neglect risk mitigation within their own operation.

Exposed data is serious risk

The insurance industry collects and analyzes overwhelming amounts of data. This often sensitive and confidential information becomes the basis upon which many critical decisions are made, and which produces the competitive advantage to provide better policies, prices, and solutions to the market.

All of this data, both historical and cutting-edge, is truly the lifeblood of the insurance industry. Therefore, the astute management and protection of this data is the infrastructure of arteries and veins delivering this lifeblood to all of the appendages of the company that need the results of this data compilation.

In addition, this sensitive and private information is disseminated to various internal and external associates, customers, partners and collaborators usually via the Internet, which exposes this data to compromise.

And yet, despite their expertise in risk analysis, many in the insurance industry fail to ask these questions:

  • Given how much data we're exchanging with clients, partners, financial institutions, healthcare organizations, etc., what is our risk of a data breach?
  • What is our liability if we suffer a data breach?
  • What can be done to mitigate potential losses?

When examined this way, any underwriter would agree that failure to adequately protect the sensitive data continually in transit in an insurance company's daily workflow presents an extremely high risk.

Insurance industry, heal thyself

If data really is the lifeblood of the insurance business, and the data center is at the heart of the company, then the arteries and veins are the methods of moving that data to and from your departments, clients, business partners, and others.

While adding layers of physical security to the data center is a top priority for insurance IT professionals, securing the pathways in and out of that data center tends to be overlooked, despite media coverage of data breaches at companies worldwide.   This lack of action underestimates the extent of the public's concern that their private data may be compromised, and state and federal efforts to more strictly regulate data storage and transfer policies.

Effectively managing FTP transactions is essential to mitigating the risks of data loss.  The costs of implementing managed file transfer solutions are minimal and provide tremendous flexibility when striving to meet the requirements of trading partners and compliance regulations.

As the insurance industry knows better than anyone, the best approach is to mitigate risk with a cost efficient solution.  In this case, taking direct action to protect data transfers is the obvious prescription for any organization -- especially one based on risk management.