Security isn't a new topic in business. Many years ago, businesses were concerned primarily with physically securing information within their facilities. We managed our companies' critical information on a "need-to-know" basis-if you needed to know, then the keeper of the information would share the information with you.With the advent of e-commerce and networked computers comes the added need to secure these networks. Businesses, including insurers, want to facilitate the sharing of relevant data while protecting proprietary and confidential data. And, of course, the need-to-know rule still applies.
Yet, at the same time, carriers are realizing the benefits of becoming more tightly aligned with their stakeholders-agents, policyholders and providers. Insurers need to share information electronically outside their organizations via the Internet-but they need assurances that they can securely provide pertinent information to designated parties.
Understanding The risks
First and foremost, carriers need to understand the potential e-security risks. The lack of adequate security can result in the loss of revenue through compromised confidentiality, loss of data, legal liabilities or Web site down-time.
A denial of service attack is usually achieved by flooding the target computer (or computers) with meaningless data so that legitimate traffic is unable to pass. This type of attack can disable an Internet site, resulting in a significant loss of revenue.
Information gathering, or reconnaissance attacks, may be perpetrated by hackers or disgruntled employees. The 'spy' violates the network, cracks passwords, collects confidential data and may use the information to compromise the business operations.
As its name suggests, a Trojan Horse is a seemingly harmless program that contains hidden code that can be used to sabotage a computer or network. Once 'inside,' the hidden code may be used to launch denial of service attacks, change core processes of a computer or delete data.
Viruses are the most well-known e-security risk. They are applications that replicate themselves across a network of computers. They typically attach to documents, Web pages or e-mails. Viruses create simple annoyances or, like a Trojan Horse, promulgate malicious code.
Risk management
In recognition that there is risk in Web-enabling business functions, carriers need to begin the risk management process by developing a comprehensive security policy.
Effective security policies must encompass access management. Whether the request to access information is from an individual or an application, the three A's of security apply:
* Authentication identifies the individual or application.
* Authorization determines what the individual or application is allowed to do.
* Administration manages the security policies and their execution.
Authentication ranges from simple solutions such as passwords you select and change regularly to more complex solutions including biometrics such as fingerprints, retinal scans or voice patterns.
Securing the perimeter with a firewall is still a necessity for network security. Choose a firewall based on a secure operating system. New embedded firewall technology that solves many of the problems associated with internal threats is becoming available.
Another important element of the enterprise security policy is content filtering, which is used to preserve network bandwidth, manage employees' time, limit legal liabilities and scan for and eliminate viruses.
From 1997 to 2001, computer crime was responsible for over $1 billion in losses, according to the Computer Security Institute. The risks are real, and the solutions work. eSecurity is not a fad; it is an essential requirement for a successful business.
Rachelle McLure is national practice director of eSolutions for RCG Information Technology, an Edison, N.J.-based provider of IT professional services.
