Every IT Security Breach Whittles Away at Trust

Joe McKendrick
Insurance Experts' Forum, May 12, 2014

At the end of last year, it was disclosed that tens of millions of credit and debit card numbers had been stolen from the Target store chain. More recently, news of the Heartbleed vulnerability in open-source web servers hit, requiring millions of people to reset their passwords.

Cisco calls it “The Trust Problem.” That is, many of today's IT systems breaches are the result of the “exploitation of trust” — attackers “take advantage of users’ trust in systems, applications, and the people and businesses they interact with.” In its latest annual report on IT security, Cisco takes organizations to task for not doing more to rebuild end-users' trust in doing business online.

The bad actors out there in the wilds of cyberspace keep morphing their methods — or even revive old ones — to wreak havoc on organizations' systems and data. They often embed malware in corporate systems, where it lies in wait or leaks sensitive information, undetected for long periods of time.

While the gaping holes hackers breach are eventually sealed up, the constant barrage of issues is chipping away at the bond companies worked so hard to establish with their customers online. This quickening erosion of trust is cutting into corporate reputations, and is making it harder to do business online. For the insurance industry, which now relies on the online delivery and processing of confidential information, the implications are clear. An industry built entirely on trust cannot let customers' confidence erode.

“Today’s networks are facing two forms of trust erosion,” the Cisco report points out. “One is a decline in customer confidence in the integrity of products. The other is mounting evidence that malicious actors are defeating trust mechanisms, thus calling into question the effectiveness of network and application assurance, authentication, and authorization architectures.”

Not good news at all. Here are some of the vulnerabilities Cisco uncovered:

• “Threat alerts grew 14 percent year over year; new alerts (not updated alerts) are on the rise.”

• Mobile is creating new security issues: “Ninety-nine percent of all mobile malware in 2013 targeted Android devices. Android users also have the highest encounter rate (71 percent) with all forms of web-delivered malware.”

• High-profile sites are increasingly fending off attacks: “Malicious exploits are gaining access to web hosting servers, nameservers, and data centers. This suggests the forming of überbots that seek high-reputation and resource-rich assets.” Plus, to add to the mix, malware implanted in these corporate sites then causes the sites to generate suspicious traffic.

• Good riddance, spam: “Spam continues its downward trend, although the proportion of maliciously intended spam remains constant.”

• Java is targeted: Java, the cross-platform language used across many web sites and applications, “comprises 91 percent of web exploits.” But don't blame Java's caretakers or the Java Community Process that oversees new releases — an astounding 76 percent of companies Cisco looked at are “running Java 6, an end-of-life, unsupported version.”

• Malicious code goes undetected: “Indicators of compromise suggest network penetrations may be undetected over long periods,” says Cisco. There are cases in which malware keeps pumping out sensitive data for months and even years before it is spotted.

Cisco recommends a holistic approach to security, urging organizations to adopt better ways to achieve visibility across all their systems. “To defend their network, organizations must be aware of what’s on it: devices, operating systems, services, applications, users, and more. Additionally, they must implement access controls, enforce security policies, and block applications and overall access to critical assets.”

While not addressed specifically in the Cisco report, it's also important to be vigilant about insider breaches and attacks. While IT systems may be hardened against hackers from the other side of the world with all types of mechanisms — sandboxes, firewalls, intrusion detection systems, auditing — there needs to be more vigilance about managing the privileges of internal teams. For example, live production data — with sensitive information — often is sent out for testing new applications, sometimes with outside developers. Many publicly reported data breaches involve third-party contractors, or even not-so-security-savvy staff members, who lose disks or accidentally post such information to public websites.

Joe McKendrick is an author, consultant, blogger and frequent INN contributor specializing in information technology.

Readers are encouraged to respond to Joe using the “Add Your Comments” box below. He can also be reached at joe@mckendrickresearch.com.

This blog was exclusively written for Insurance Networking News. It may not be reposted or reused without permission from Insurance Networking News.

The opinions of bloggers on www.insurancenetworking.com do not necessarily reflect those of Insurance Networking News.
