Cybersecurity: Balancing Risk and Cost
Chuck McGann | October 27, 2015
It seems not a week goes by without an unplanned data access, unapproved data exfiltration or unauthorized system access hitting the headlines. Most recently, the U.S. Government’s Office of Personnel Management (OPM) made the news, disclosing the unauthorized access to the personally identifiable information of over 21 million government employees, applicants, and non-applicant individuals including over 5.6 million employees’ fingerprints.
Insurance companies are familiar with risk management and the cost of a known risk being exercised. When that exposure occurs, the financial payouts can be staggering. Equal risks come from the possibility of information systems’ breach and data exposure.
However, many companies struggle with limited budgets and resources. It inevitably becomes an exercise in balancing risk and cost. I like to use the following analogy: You don’t put a $1,000 fence around a $100 horse. You take reasonable care to make sure the horse stays within the appropriate boundaries, but if that horse gets loose and causes damage in significant excess of the $1,000 fence, you might rethink that decision.
It’s a risk-based decision that can come back and haunt you. So, with solutions ranging from free to millions of dollars, how do you prepare a cyber risk management plan without breaking the bank?
The first step is to understand your risk and your vulnerabilities. What assets do we have in our infrastructure? What personally identifiable and/or sensitive data do we have to protect? What vulnerabilities do we have that need to be mitigated?
In order to understand your information technology assets, an assessment of the infrastructure should be undertaken. Asset management discovery via a network scan will highlight the connected and active assets and what those devices are connecting to. The output of this assessment gives a baseline of the infrastructure to upon which to base your vulnerability analyses.
Infrastructure-specific risk areas can be identified by conducting independent vulnerability assessments and penetration tests. These tests typically are performed by ethical hackers simulating how someone would attack your network and systems. They give you concrete data on where your immediate infrastructure vulnerabilities are.
As this first step is critical in crafting your program, it is a good place to invest budget dollars. Many companies offer the assessment services listed above for reasonable costs. If you must choose only one, it is crucial to have independent vulnerability assessment/penetration testing.
Next, you have to decide what your risk tolerance is. What happens when the horse gets out? How much risk do we want to retain? What is our budget? How much do we want to spend on technical prevention versus mitigation and response?
When answering these questions, you should keep in mind that it’s not a question of ‘if’ you will have an incident; it is a question of ‘when and how bad.’ While you can certainly seek the advice of a cyber professional, ultimately these are questions only you can answer and the answers will be different for every company.
You are now equipped with the information you need to build a balanced, comprehensive program that is unique to your organization. While your needs and their related costs will vary, here are some effective and inexpensive ways to help strengthen the overall security posture of your organization.
- Create a culture of security awareness. The number one security threat to an organization is its people. It is important to educate and enlist all members of your team in protecting your company’s assets. Securing the organization begins at the executive level—lead by example. Help manage your security awareness by walking around, look for unsecured systems or passwords on Post-It notes. See something, say something. An educated employee/user is a valuable security warrior in the fight against cyber threats. The SANS publication Securing the Human is a good resource to review and validate your security awareness program.
- Hit the low hanging fruit. The SANS Top 20 Controls is a list of critical items the security community has identified as having significant value in reducing an organization’s security gaps and controls. Adopting these controls can reduce an organizations exposure and potential liability by showing due diligence to addressing security issues.
Whether we are prepared for it or not, cyber intrusions are now a fact of life for businesses of all sizes. We need to recognize that fact and take the appropriate steps to protect our data and our customers’ data to the best extent possible within the reasonable limits of our financial and technical resources.
The basic cyber protections outlined herein are a quick and inexpensive place to begin your efforts. We can’t build a Berlin Wall to keep the horse in the field, but we can build and maintain a strong, wood-rail fence that contains and protects our data appropriately for our industry’s well-being.
Chuck McGann is chief cyber strategist for Salient Commercial Solutions.
- Enterprise Architecture in an Agile World
- Top 10 Tips for Securing Your Mobile Devices and Sensitive Client Data
- Industry Insight: 4 Global Insurance Trends in Digital, Data, Content Services and Security
- Diving Deeper into Prioritizing Your Strategic Digital investments
- Why Content Rules
- How Mass Personalization Will Open the Small Business Benefits Market
- At Year End 2017, Will Your Organization Be Protected from Cyber Risks?
- Do Insurance Bots Dream of Mitigating Risk?
- Conditioned to Respond
- Managing & Mobilizing Insurance Data in a Connected World
- Race to the Finish Line
- New Tools, New Opportunities in Claims
- ITA LIVE: Reaching Insurance Industry Crossroads
- Advice to Insurance IT Leaders: Keep Your Eye on the Ball
- New Date, Venue for ITA LIVE 2017
- Guidewire Makes Major Push to Small and Midtier Market by Acquiring ISCS
- Insurance Disruption is Happening Right Now
- Insurity Adds Strategic Investment Partner, General Atlantic
- Beyond Transformation: The Convergence of Finance, Risk, and Actuarial Functions
- The Rapid Evolution of Consumer Protection Regulation
- Talent Hunt: Finding, Attracting, Retaining Top People
- Insurers Flexing Their Distribution Models
- Technology Driving Disruption in Insurance
- Fear of ‘Next Bubble’ Challenges Life, Annuity Carriers
- Technology Allows Commercial Lines Insurers to Stand Out
- Single Sign-on Viewed as Biggest Tech Challenge for Agencies
- ISCS Observes 20th Anniversary; Scurto Predicts Major Changes Ahead
- Policyholders and Their First Impressions
- Progressive Making Progress on the UBI Front
- High and Dry: Insurers Search for Disaster Recovery Plans
- Insurers Sign The (Un)Dotted Line
- Reflections of a Retired Insurance CIO
- Mobile Device Management Just One Answer to BYOD Issue
- Lessons from GEICO and Progressive on Winning the Critical Buying Stage
- You Are a Target for a Cyber Attack
- Web-based Systems are the Next Evolution in Claims Technology
- Gaining a “Wow” Experience from Web Users
- Time to Shift from Business/IT Alignment to Business/IT Alliance
- Healthcare Insurers Changing to Consumer Model
- Organization is the Key for Selecting Software Vendors
- Analysts Expound on the Needs of the Mid-tier Insurance Market
- Finding the Cure for Obamacare’s Website
- New Software Solutions Benefit Insurers on the Inside and Outside
- Products, Market Impede Investment in Systems for Life Insurers
- Combatting Cyber Threats: Predict, Prevent, Persist
- The Future of Telematics Heads Beyond Insurance
- The Shame in Cyber Security Lapses
- Building Policy Administration Systems for the Future
- Insurers Look Into The Eyes of Their Policyholders
- It’s a New Dawn for the ITA
INSURANCE IT NEWS
- Tower Selects EIS Group’s Insurance Platform to Drive Transformation
- NTUC Income Selects Majesco Distribution Management and Majesco Digital Solutions to Advance its Distribution Management Operation
- Emerson Reid Modernizes Its Business Processes With VUE Software
- Octo Telematics Powers CAA MyPace™ Pay-As-You-Go Program
- Announcing the Solartis Insure Microservice Hackathon
- DataCubes Completes Plug and Play Tech Accelerator Program
- Medical Mutual of Ohio Implements One Inc Digital Payments
- SUNZ Insurance in Production with Sapiens’ Workers’ Compensation CompSuite® Policy System
The Email Chat is a regular feature of the ITA Pro magazine and website. We send a series of questions to an insurance IT leader in search of thought-provoking responses on important issues facing the insurance industry.
ITA is pleased to present the 2014 Webinar Series. We have many topics for you to choose from and attendance is open to all ITA members. The webinar topics are current and exciting — ranging from predictive analytics to telematics and will focus on the direction insurance carriers need to follow for the future. All webinars are presented by insurance IT professionals along with some of the leading analysts and consultants in the field. There is no cost to attend an ITA webinar. For more information and to register for the webinar, click the “title” of the webinar below.
BLOGS AND COLUMNS
It has become a common refrain over the past few years to view the practice of enterprise architecture (EA) as something that time has passed by, much... READ MORE
One important trend in society over the past decade is our increasing ability to create and consume a seemingly unlimited amount of digital content... READ MORE
You have surely heard it said that small businesses are the growth engine for America. Today, the phrase has a special ring to it for benefits... READ MORE
With stagnant growth and lingering low interest rates, the life insurance industry faces a challenging future... READ MORE
Finding insurance carriers willing to write commercial lines risks has always been a challenge for producers... READ MORE
As Guidewire Software prepares for the start of Connections, its 11th annual user conference that begins on Nov. 2, Brian Desmond, chief marketing... READ MORE
Fraud detection has always been and will continue to be a critical component of claims management. Learning the lessons from current claims Straight... READ MORE
- Vendor Views