Much as an army pushing far into new territory exposes its flanks to attack, many of the operational advances insurers have achieved in recent years have been tempered by ascendant risks.

Emerging mobile technologies, social networking tools and cloud computing promise operational, and even cost benefits, but present a wealth of challenges to those tasked with securing enterprise data.

"There is no doubt that with every new technology there is a new type of risk," says Ty Sagalow, EVP and chief innovation officer of Schaumburg, Ill.-based Zurich NA. "As a general rule, software and hardware are never perfect."

While data security issues precede the information technology infrastructure of the modern insurance company, recent advances in technology inflate their scope and severity far beyond the historical norm. For many years, the theft of large amounts of company data was circumscribed by physical limitations. In the mainframe era, insurers could more or less construct a moat around the enterprise with little worry of it being breached. Now, in the era of ubiquitous wireless Web access and 32GB USB flash drives, the only limits on data theft are the ingenuity and avarice of those seeking to steal it - be they internal or external.

"It used to be most of your users were within the enterprise," says Fred Kost, director of security solutions marketing for San Jose, Calif.-based Cisco Systems. "Now, a lot of people who need access to applications, data or the network are outside your corporate perimeter. It changes your ability to lock down access."

Further exacerbating this trend are technologies such as cloud computing and the use of mobile devices, which move data traditionally garrisoned within the enterprise outside its walls.

"Historically, no technology has been developed that has proven to provide absolute protection against hackers, and this is especially true of insider threats," adds Sagalow. "New types of business models such as cloud computing generally have new risks [associated with them] because they haven't been thoroughly tested."

The Rethink

Over the last decade, organizations have largely focused on protecting the perimeter with firewalls and restricted access. The looming threat of negative publicity, coupled with the tight regulatory environment under which insurers operate, no doubt reinforces the consequences of cyber risk. Additional security concerns may come from the business side of the house about protecting customer information. "We've done an awful lot to protect client information and secure our perimeter," says Bob Zandoli, chief information security officer at New York-based MetLife.

Yet, in the modern enterprise, the perimeter itself is not as clearly demarcated as it once was. "Security is evolving, just like technology is evolving," Zandoli says.

Nothing demonstrates this new ambiguity more than cloud computing. Ask two knowledgeable people to define cloud computing and you'll probably get two different answers - and both are likely to be correct. (For the purposes of this article, we'll forego a definition and use cloud computing to refer to any abstracted, on-demand computing model.)

Leaving such philosophical and etymological discussions aside, most would agree that perimeter security is going to become harder as cloud becomes more prevalent. "With cloud computing, you don't know where your information is," says Zandoli. "If there is a breach, how do you conduct computer forensic investigations in the cloud?"

Yet, far from being the next big thing, some would assert that cloud computing is little more than a rebranding of the application service provider concept, and presents many of the same sort of challenges you face with any type of outsourcing.

Ellen Carney, senior analyst with Cambridge, Mass.-based Forrester Research, contends many of the security issues surrounding cloud computing will sort themselves out in time. "As cloud computing and Software as a Service (SaaS) matures in the insurance industry, you will see more companies proceeding this way," she says. "Over time, there will be an increased level of comfort about putting data in the netherworld."

Carney points to a customer relationship management software provider as an indication that security issues can be properly addressed. "We haven't heard anything about security breaches there," she says.

Tse Wei Lim, an analyst in the insurance practice at New York-based Novarica, agrees that cloud computing has broad security implications but argues that it is not widely adopted enough in the insurance industry to have immediate ramifications. Rather, he sees the widespread use of analytics as a more pressing security concern. "The next big thing that CIOs will need to worry about is the increasingly pervasive use of analytics and BI tools at all levels of their organization," he says. "As insurers begin to see the benefits of analytics, and the tools become more powerful and more affordable, IT departments will begin to see greater demand from the business side for more data to be made more widely available. The security challenge then will be for CIOs to work out how to satisfy this demand while keeping that data secure."
Another broad trend pushing out the security perimeter is the adoption of technologies incubated in the consumer space. The proliferation of mobile devices means information security officers have to figure out how to exert control over a variety of end-user devices, from laptops to smartphones. Though consumerization is not something to which IT is accustomed, Cisco's Kost says business requirements and productivity issues often trump security concerns. "It's a reality, and not something most companies can avoid," he says. "Mobility is just another avenue. We can secure it."

Indeed, one high-profile vote of confidence for mobile security happened in 2009. "We have our first president with a BlackBerry smartphone," Sagalow says.

While the threats presented by mobile devices may be becoming more manageable, the questions about those posed by Web 2.0 technologies remain, as social networking sites have become fertile ground for data thieves.

"There are a lot of tools that hackers are using to troll those sites and pull that information in and collect it," says Tony Hernandez, managing director of the security practice at Devon, Pa.-based SMART Business Advisory and Consulting.

Moreover, with Web 2.0 technologies, there are plenty of opportunities for unintentional data leakage. For example, an employee or consultant innocently updating their location status on a social networking site could inadvertently reveal the whereabouts of a data center that a company wishes to remain secret. "Twitter, social networking and real-time communication have taken the corporate world unawares," Hernandez says. "There's a rethink underway."

Part of this re-assessment is due to the fact that while network security has long focused on thwarting threats from the outside, many new threats emanate from within a company's own walls. "The hacker community is focusing on client-side attacks," he says. "It's the next challenge from the IT perspective. The controls on outbound access are generally less restrictive. Once a machine is compromised, it can establish an outbound connection over a relatively innocuous port to the person who initiated it, bypassing all the edge controls."

For the insurance industry, the risk is the loss of a customer's personal information, such as bank account information, which hackers can then use for ID theft.

Instead of relying solely on technological fixes for these issues, Hernandez counsels an emphasis on education. Penetration testing reveals that employees are still the primary conduit for viruses and malware to enter the enterprise. While most employees will ignore e-mailed requests from strangers alleging to be Nigerian princes, many still fall prey to more sophisticated scams purporting to come from seemingly reputable sources such as a bank, or the company's IT department, Hernandez says. "The No. 1 remediation activity is awareness training," he says. "There are technology controls available but they can be difficult to implement and complex to manage, especially compared to awareness training."

Zandoli agrees that education is vital. "I argue that everyone is responsible for security," he says. "Companies have to have an education program to ensure that everyone is looking at the issue holistically. You have to look at every facet because you are only as strong as your weakest leak."

Sagalow, too, stresses the management of network security must be approached from the widest possible perspective. "You cannot think of network security simply as an IT or technology issue - in a fundamental sense, it's a risk management issue," he says, adding that he perceives cultural changes underway that bode well for security. "In the user community, there has been a philosophical change toward greater acceptance of the sacrifices needed to be more secure," he says. "If you go back a few years and ask a risk manager about cyber security, they would tell you that you're in the wrong office. Likewise, if you had asked a CTO about risk management, they would have said you are in the wrong office."

Lim agrees that it is important to have user buy-in from all levels of the enterprise. "Employees need to recognize that losing a BlackBerry device is a security threat to the company, and that they cannot have a database on their laptop," he says. "Part of a CIO's job is to make sure that security measures are not so onerous that they get in the way of someone getting their job done. If employees think that your security measures are stupid or unnecessary, they are going to put a lot of energy into circumventing them."

To be sure, many security threats can be avoided with a little bit of forethought and operational rigor. For example, when virtualizing servers, be sure not to put a mission-critical application server on the same physical server as non-mission-critical applications, Zandoli notes. "Virtualization is not a threat for breach as much as it is a challenge to manage," he says.

Elsewhere, Zandoli notes encryption technologies are improving. "In the past, if an agent lost a laptop, information could be compromised. Now, we encrypt all our laptops, and if we lose one, we're losing a fairly cheap asset with information that is unusable."

Lim argues that the arms race in terms of data security tools is not really winnable, and anyone awaiting a killer app in computer security will likely be disappointed. However, he says, if thumbprint-reading biometric security systems become widely adopted, they could provide an enhanced degree of security for mobile hardware.

Yet, even these technologies have their limits, as an enterprising data thief could bypass a fingerprint scanner on a laptop by booting from a flash drive before the scan comes in. With these limits in mind, Lim says, carriers should stress methodology over technology. "How you organize data is important," he says.

Higher Profile

Overall, Sagalow is heartened by recent advancements in security, touting the work of organizations such as the Internet Security Alliance, Arlington, Va., and the American National Standards Institute, Washington, to give security concerns more visibility. "The insurance industry is part of the nation's critical infrastructure," he says. "If we are going to protect, it must be part of a public/private partnership. The current administration is quite vocal about the need to have best practices in network security."

Sagalow also commends vendors for building more security into existing products. "There have been tremendous efforts in the hardware and software industries to make products that are more secure out of the box," he says.

Kost says Cisco is concentrating on gathering threat intelligence in order to push it down to products to make them more effective. To do this more expeditiously, the networking giant has moved some of its security services into the cloud. "We've done a lot of work around gathering threat intelligence about which sites are hosting phishing attacks or spam or malware," he says. "Threats are moving quicker, so doing security-as-a-service has functional as well as economic benefits."

Yet, carriers ultimately know that the onus for security rests on their shoulders. "We have strategic projects to keep up with future threats," Zandoli says.

Sagalow concurs that the best defense may be a good offense. "Almost inherently you are playing defense," he says. "The bad guys are constantly thinking of ways to steal your data. But that's not to say you can't be proactive."
