Enterprising Developments

The 4 Pillars of IT Security

Joe McKendrick
Insurance Experts' Forum, November 8, 2013

A nasty new version of “ransomware” has been making the rounds on the Internet, putting millions of personal and corporate files at risk. Instead of stealthily copying data and sending it somewhere else, this type of Trojan virus encrypts the data in an unbreakable algorithm, then demands payment for the key to unlock it.

“This kind of malware is not new but over the past 18 months it has become significantly more prevalent and the malware authors have written significantly more clever and scary versions,” writes James Lyne, global head of security research for Sophos. Even after security tools clean out the virus, the files remain encrypted. The latest variation of the threat, called CryptoLocker, includes a countdown timer which demands a payment of $300 within 72 hours or else the key file will be deleted.

Hopefully, law enforcement will catch up to the creators of this and other viruses, but unfortunately, there will be others. This is only the latest reason – as if any more were needed – for continuing, comprehensive employee education on data security. In addition, it points to the urgency of making sure that all important data is backed up and available on a continuous basis.

Some best practices every insurer needs to engage in and maintain:

Education and training: This is the first, and best, line of defense for organizations. Build a security-aware organization, in which employees can effectively “police” their own domains, following best practices such as not opening suspicious emails or visiting non work-related websites.

Your own encryption: After employee engagement and training, this is the second best line of defense against data theft or corruption. You may have the best technical defenses in the world at your production site, but what happens as data is sent out to development groups or backup sites? How secure are these parties, even if they are still part of your organization?

Monitoring and auditing: Companies don't do enough monitoring and auditing to ensure that unwarranted access is taking place. In surveys I have conducted, many companies only audit their access logs every few months or so. By then, it may be too late.

Technical tools:  Finally, there is a range of security solutions that help ensure that databases, servers, networks and client devices are protected against unwarranted intrusions.

Joe McKendrick is an author, consultant, blogger and frequent INN contributor specializing in information technology.

Readers are encouraged to respond to Joe using the “Add Your Comments” box below. He can also be reached at joe@mckendrickresearch.com.

This blog was exclusively written for Insurance Networking News. It may not be reposted or reused without permission from Insurance Networking News.

The opinions of bloggers on www.insurancenetworking.com do not necessarily reflect those of Insurance Networking News.

Comments (0)

Be the first to comment on this post using the section below.

Add Your Comments...

Already Registered?

If you have already registered to Insurance Networking News, please use the form below to login. When completed you will immeditely be directed to post a comment.

Forgot your password?

Not Registered?

You must be registered to post a comment. Click here to register.

Blog Archive

The Good, The Bad and The Ugly Of Enterprise BI

When IT can't deliver, business users build their own applications focusing on agility, flexibility and reaction times.

The IT-Savvy 10%

IBM survey reveals best practices of IT leaders.

The Software-Defined Health Insurer: Radical But Realistic?

Can a tech startup digitally assemble the pieces of a comprehensive, employer-provided health plan?

Data Governance in Insurance Carriers

As the insurance industry moves into a more data-centric world, data governance becomes more critical for ensuring the data is consistent, reliable and usable for analysis.

Fear This

Just days before this Issue, which contains our security cover story, went to press, we got some interesting news: 1.2 billion unique usernames and passwords and 542 million email addresses were reportedly stolen from 420,000 websites, according to The New York Times. The websites ranged from Fortune 500 companies down to small online retailers.

Should You Back Up Enterprise Data to the Cloud?

Six questions that need to be asked before signing on with an outside service.