We Have Seen the Enemy, and He Works for Us
Insurance Experts' Forum, February 14, 2011
In what should be a huge eye-opener for anyone involved in insurance IT, an annual survey conducted last year by CSO Magazine—with help from the U.S. Secret Service, Carnegie Mellon Software Engineering Institute (CERT) and Deloitte's Center for Security and Privacy Solutions—found that while many organizations make solid efforts to strengthen their data security, many admit it is becoming increasingly difficult to outpace the efforts of the criminal community.
Perhaps more disturbing, however, is the source of those criminal attacks. According to CSO, “While outsiders (non-employees or contractors) are the main culprits of cybercrime in general, the most costly or damaging attacks are more often caused by insiders (employees or contractors). Outsiders invade organizations with viruses, worms or other malicious code; phishing; and spyware, while insiders most commonly expose private or sensitive information unintentionally, gain unauthorized access to/use of information systems or networks, and steal intellectual property.”
If internal breaches are not the majority of incidents, should we then pay less attention to them? Apparently not. Dawn Cappelli, technical manager for the Threat and Incident Management division of the Software Engineering Institute CERT Program, said insider attacks continue to be seen as a bigger problem than anything that might come from the outside—and are more costly to boot, says CSO.
The survey found that insiders most often use their laptops or copy information to mobile devices as a means to commit electronic crimes against their organization, the report adds. Respondents suggested that data is often downloaded to home computers or sent outside the company via e-mail.
So where does that leave us in our insurance enterprises? It’s one thing to acquire and maintain the latest anti-intrusion technology, and to clamp down on security-averse practices like allowing employees to visit questionable websites, but it’s quite another to try to sniff out the likely perpetrators of malice within one’s own walls.
If your company’s technology is already there in terms of being up-to-date, then the solution is not a technological one, but a human one. One must ask: Who within your gates is likely to commit such a crime—that is, who would have the means, the motive and the opportunity? The means and opportunity part would seem to point to your IT people, but don’t forget other executives and technicians who may also have access. In fact, it really doesn’t take much sophistication for almost anyone to copy confidential data to a thumb drive and walk out the door with it.
So when push comes to shove, one must carefully consider those who would have a motive. The inevitable “disgruntled employee” comes to mind, but then there are many such individuals who remain with companies or depart from them who never commit data thievery. The recently discharged employee sounds like a more logical choice, yet by the time he or she is jettisoned, the information may already have been pilfered.
In the end, when we try to put together a list of likely suspects within our own walls, we are—at best—speculating. So rather than trying to predict the future, perhaps we are better off being sensitive to those whom we know are disgruntled so that we can at least attempt to work out whatever grievances they may have. In other words, let’s talk to them.
Perhaps it’s only my counselor side coming out, but it seems to me that those who are treated fairly in this manner are much less likely to swipe critical data because their motives will be less significant, or perhaps done away with all together. At least they will know you cared enough to try and make things better, and maybe that will make the difference between an angry thought and a criminal action.
Ara C. Trembly (www.aratremblytechnology.com) is the founder of Ara Trembly, The Tech Consultant, and a longtime observer of technology in insurance and financial services.
Readers are encouraged to respond to Ara using the “Add Your Comments” box below. He can also be reached at firstname.lastname@example.org.
This blog was exclusively written for Insurance Networking News. It may not be reposted or reused without permission from Insurance Networking News.
The opinions of bloggers on www.insurancenetworking.com do not necessarily reflect those of Insurance Networking News.
Add Your Comments...
If you have already registered to Insurance Networking News, please use the form below to login. When completed you will immeditely be directed to post a comment.
You must be registered to post a comment. Click here to register.