Threats from Within

March 2002: Upset about the size of his annual bonus, a global financial services employee planted a "logic bomb" that deleted 10 billion customer records. The incident affected more than 1,300 of the company's servers throughout the United States. The company sustained losses of approximately $3 million, the amount required to repair damage and reconstruct deleted files.

November 2004: A life insurance company's "temp" employee was given system administrator clearance, and at the project's completion, applied to the organization for permanent status and was rejected. He argued openly with his supervisor and was terminated. His access to the company's main database system, however, was not. Using his existing password, he logged into the company's database and destroyed hundreds of records before being caught.

June 2005: Arizona Biodyne, an affiliate of Magellan Health Services that manages behavioral health for Blue Cross of Arizona, broke the news to more than 57,000 Blue Cross Blue Shield of Arizona customers that their personal information had been stolen. The tapes holding the information had been kept in an 87-pound safe that was stolen from Biodyne offices.

Loss of sensitive data due to "insiders" (individuals who are, or previously had been, authorized to use the information systems they eventually employed, intentionally or unintentionally, to perpetrate harm) is a growing concern in the insurance industry.

Kevin Mitnick, who at one time achieved the dubious distinction of being the FBI's most wanted cyber-criminal, proved back in the 1980s that hacking into a large organization's databases was simply a game of cat and mouse.

Since that time, the press has extensively covered the increasing number of hacker penetrations at many large organizations. But estimates of how often insurance companies face attacks from within their own walls have been difficult if not impossible to establish.

Under-reported; on the rise

Many security analysts agree that insider attacks are under-reported to law enforcement agencies or prosecutors. Companies, particularly in the insurance arena, fear the negative publicity or increased liability that may arise as a result of the incidents. It follows that the insurance company executives quoted in this story agreed to speak only upon a guarantee of anonymity.

Under-reported yet based in stark reality, internal security threats are on the rise, according to Deloitte Touche Tohmatsu's 2005 Global Security Survey. The survey, which targeted the world's largest financial institutions, including insurance, revealed that 35% of respondents confirmed encountering attacks from inside their organization within the past 12 months (up from 14% in 2004), compared to 26% from external sources (up from 23% in 2004).

"Insurance companies, like other information-centric businesses, are particularly vulnerable because they are information-rich," says Ted DeZabala, one of the authors of the study and principal in Deloitte & Touche LLP's security services group, in New York.

"This is especially true with our life and health insurance clients, where there tends to be more snooping going on. Most of our clients have dealt with incidents, loss prevention and detection," he says.

For one information technology officer at a major life insurance company, being resigned to the inevitable is a first step in creating a program for prevention. "No matter what you do, no matter how you do it, it can be beaten," says the executive. "So you do security in layers. Steer them here, there and everywhere and make it extremely difficult for anyone, inside or out, to get where they don't belong."

Solutions for every crime?

That's fine for employees who are committing low-tech or even high-tech crimes, points out David West, global insurance strategist at SAS Institute Inc., a Cary, N.C., provider of business intelligence software, but it does not take into account the employee who walks out of the office with photocopies of confidential customer information.

"You need to consider the employee who has discovered the black market for contact information; that data is gold. There's a market out there for auto insured lists, for example, and a few underhanded agents willing to pay dearly for them."

DeZabala agrees. "Our experience is that security is going to be breached," he says. "People inside are going to get access, either by accident or with malicious intent, and by any number of means. In either case, data will be lost. You are not going to eliminate the problem."

Equating the issue to preventive medicine, DeZabala says, "you can't get rid of the disease, but you can manage the symptoms."

The more sophisticated carriers are starting to employ fingerprint authentication for copy machines, DeZabala points out. For higher-tech threats such as identity theft, phishing and pharming, companies are looking at identity management solutions that encompass access, vulnerability, patch and security event management to stem the disease.

And while some security solutions are well-suited to enforcing simple policies, they can't provide more subtle detection, according to Forrester, a Cambridge, Mass., research company.

As the need for internal security increases, Forrester sees an emerging market: information leak prevention products that monitor, measure, and prevent the inappropriate disclosure of sensitive business or customer information. When selecting one of these solutions, Forrester advises firms to examine a number of criteria, including how accurately it detects sensitive information and where the policy enforcement is located.

Agents taking it seriously

At the agency level, an increased focus on security planning and implementation is being formally organized.

Published by the Independent Insurance Agents & Brokers of America Inc., Alexandria, Va., the Agents Council for Technology's (ACT) report, "The Independent Agent's Guide to Systems Security: What Every Agency Principal Needs to Know," combines common sense with steps similar to those carriers are already taking to ensure security. These include establishing a formal policy, training new and existing employees, and asking them to sign and date a confidentiality agreement that assigns ownership of intellectual property to the agency and prohibits copying, transmitting or posting of confidential data.

The guide also recommends that agents assign individual log-ins and passwords, activate access control on the agency management system, and restrict access to confidential customer and employee information to only those employees who need it. Firewall protection, e-mail and PDA monitoring, and log management are also required.

Carriers creating a formal security policy find themselves doing more than simply assessing and monitoring risk and conducting routine audits, according to SAS's West.

For many of his customers, that requires overcoming a challenge inherent in insurance companies' ever-expanding IT infrastructure: the arrival of the corporate IT security officer (CISO).

"There are internal conflicts, because you have IT operations, which wants to keep everything up and running, and the growing IT security department, which wants to keep the data safe," he says.

Keeping the data safe from aberrant insiders is not a trivial exercise, notes a CISO from a prominent East Coast P&C company.

"You need an in-depth understanding of your business requirements and your technical feasibility," she says. "It's taking all those things and synthesizing them to create a policy that sets reasonable expectations of your employees. The policy management process is not a one-time event; it's continuous. It's written, tested, ratified and modified, just like the law, and it requires governance."

DeZabala points to empowerment of the CISO as the key to effective governance. "The single-most important issue our insurance clients are dealing with is a lack of executive attention," he says. "When it's relegated to low-level IT resources, the solution tends to be technology; it's not looked at holistically."

Stressing the need for someone who can set and enforce policy and measure effectiveness, DeZabala asserts, "He or she must have executive board-level buy-in so they can raise awareness and get resources when needed." Although banks and brokerage firms are farther along, "insurance companies are about halfway there," he says. (See chart, below.)

"The credit card industry has been sensitized," DeZabala adds. "You have to wait until there is a fatality at the traffic light before everyone jumps on board."

Insiders pose a threat by virtue of their knowledge of, and access to, an insurance company's systems, as well as their proficiency at bypassing physical and electronic security measures through authorized means. Yet the larger the organization, the more difficult it is to acquire resources to counter them.

"It's difficult to establish what you spend," says an executive from a Midwest P&C company. "It's a necessary but part-time requirement of many people, across functions, business units, and geographies."

For many carriers, resource allocation is considered part of overall risk management and part of the larger discussion: What are we willing to spend to avoid a risk event?

"Some consider security from a cost/benefit perspective: how much risk are we willing to accept?" says DeZabala. "It's a gamble for some, but we are finding fewer and fewer of our insurance clients saying they want to take on more risk at a lower cost."

With 4,500 employees and an IT staff of 400, the Midwest P&C company allocates a "proportionate" amount of its budget to fund the host rather than the perimeter.

"We continually determine who should have access to what data," says the executive. "You end up putting a lot of effort toward security awareness as a mandate, and then you put your trust in management of all levels. Everyone is aware of their part in ensuring data integrity, safety and security. It's successful only if it's a corporate effort, and must be a mindset of the business."

It may be a business mindset of some carriers, but less than half (46%) of Deloitte & Touche's survey respondents have training and awareness initiatives scheduled for the next 12 months. And only 6% of respondents currently provide security education as part of new-hire orientation.

Yet survey respondents expect to have to deal with theft of intellectual property, employee misconduct and business partner misconduct over the next 12 months. (See "Threats Envisioned," page 11.)

"The internal threat is a growing weakness in the security chain," notes DeZabala. "Insurance companies have put their focus on an increased use of anti-virus, content filtering and monitoring and other security technologies designed more for external protection, but they really need to monitor their own backyards."

Do as I say...

The U.S. Securities and Exchange Commission (SEC) failed to implement the same controls it monitors in public insurance corporations for Sarbanes-Oxley compliance, according to the IT Compliance Institute, an online information technology compliance site. The SEC isn't subject to SOX, HIPAA, or GLB, but it is accountable to the Federal Information Security Management Act. Under this law, the SEC has annually reported on its information security since 2002.

The report, released by the Government Accountability Office, noted the following vulnerabilities:

* Ineffective electronic access controls over user accounts and passwords, access rights and permissions.

* Network vulnerability to improper access, through both network architecture and direct physical access to unlocked wiring closets.

* Spotty policies and procedures for key control areas and general support systems.

* An inability to assess security risks or identify anomalous or suspicious network activities for review.

Do not pass go

For insurance carriers, the stakes related to security breaches are through the roof. Liability, reputation and lost-revenue issues notwithstanding, more and more policyholders are demanding accountability.

A number of well-publicized surveys confirm that one in five Americans has already been victimized by identity theft. And since American insurance corporations are not required to inform their customers where their personal information is stored (at the carrier, agent, outsourced or offshore facility), consumers report feeling less in control than ever.

But, as evidenced by a recent survey conducted by Los Angeles-based Impulse Research on behalf of Chubb Group of Insurance Cos., Warren, N.J., Americans don't seem to care whether their information has been taken by an insurance company insider or a hacker.

Of the survey's 1,850 respondents, 65% would like to see the companies that fail to protect customer data fined, and 63% of respondents want these companies charged with a crime.

Profile of the insider

The U.S. Secret Service, in partnership with Carnegie Mellon Software Engineering Institute, Pittsburgh, released in May its latest Insider Threat Study (ITS): "Computer System Sabotage in Critical Infrastructure Sectors."

A follow-on to its August 2004 report on illicit cyber activity in the banking and finance sector, the latest report found that at the time of the incident, 59% of the insiders were former employees or contractors of the organization, and 41% were current employees.

The study, which tracked 49 insiders, noted that 96% were male, 49% were married at the time of the incident, and just under one-third had an arrest record. A full 86% were employed in technical positions.

The circumstances surrounding the majority of insiders who committed acts of sabotage, and the destruction that resulted, followed similar paths:

* The attack was triggered by a negative work-related event.

* Insiders planned their attack in advance.

* When hired, perpetrators had been granted system administrator or privileged access (one-half no longer had authorized access at the time of the incident).

* They used unsophisticated methods for exploiting systemic vulnerabilities in applications, processes and/or procedures.

* They compromised computer accounts, created unauthorized backdoor accounts, or used shared accounts in their attacks.

* They used remote access to carry out some of the attacks.

* The attacker was detected only after there was a noticeable irregularity in the information system, or when a system became unavailable.
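Several of the study's findings, together with the terminated "temp" administrator described at the top of this article, point to indicators a defender can look for in ordinary authentication logs: activity on an account whose owner has already left, privileged accounts created by someone who is not an approved administrator, and shared accounts used over remote access. The following script is an added example and is not code from the article, the Secret Service or Carnegie Mellon; the key=value log format, the HR roster, the list of approved administrators and the sample log lines are all constructed for illustration.

```python
"""Flag insider-threat indicators in authentication logs.

Added example (not from the article or the Insider Threat Study). The log
format, roster and sample events below are constructed assumptions.
"""
from datetime import datetime

# Constructed HR roster: user -> termination timestamp, or None if still employed.
HR_ROSTER = {
    "jsmith": None,
    "tmpadmin": datetime(2005, 11, 3),   # contractor terminated 3 Nov, access never revoked
    "ops": None,                         # shared operations account, no single owner
}
SHARED_ACCOUNTS = {"ops"}               # accounts used by more than one person
APPROVED_ADMINS = {"jsmith"}            # the only people allowed to create admin accounts

# Constructed sample log: one event per line, space-separated key=value fields.
SAMPLE_LOG = """\
ts=2005-11-04T22:14:05 event=login user=tmpadmin src=vpn result=ok
ts=2005-11-04T22:16:30 event=create_account user=tmpadmin new_user=backup2 priv=admin
ts=2005-11-04T23:01:12 event=login user=ops src=vpn result=ok
ts=2005-11-05T08:30:00 event=login user=jsmith src=lan result=ok
ts=2005-11-05T08:45:10 event=create_account user=jsmith new_user=newhire priv=user
"""


def parse_line(line):
    """Turn 'k=v k=v ...' into a dict, converting ts to a datetime."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    fields["ts"] = datetime.fromisoformat(fields["ts"])
    return fields


def check_event(ev, roster, shared, admins):
    """Apply the three indicator rules to one event; return (rule, subject) pairs."""
    findings = []
    user = ev["user"]

    # Rule 1: any activity by a user after their HR termination date
    # (the "access was not terminated" case from the article).
    term = roster.get(user)
    if term is not None and ev["ts"] >= term:
        findings.append(("terminated_user_activity", user))

    # Rule 2: a shared account logging in over remote access; the study notes
    # attackers used shared accounts and remote access, and a shared account
    # cannot be tied back to one person.
    if ev["event"] == "login" and ev.get("src") == "vpn" and user in shared:
        findings.append(("shared_account_remote_login", user))

    # Rule 3: a privileged account created by someone outside the approved
    # administrator list (a possible backdoor account).
    if ev["event"] == "create_account" and ev.get("priv") == "admin" and user not in admins:
        findings.append(("unapproved_privileged_account", ev["new_user"]))

    return findings


def scan(log_text, roster=HR_ROSTER, shared=SHARED_ACCOUNTS, admins=APPROVED_ADMINS):
    """Return a list of (timestamp, rule, subject) for every flagged event."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        for rule, subject in check_event(ev, roster, shared, admins):
            results.append((ev["ts"].isoformat(), rule, subject))
    return results


def stale_access(log_text, roster=HR_ROSTER):
    """For each terminated user still seen in the log, report how many whole
    days after termination their latest activity occurred. A non-empty result
    means deprovisioning is not keeping pace with HR."""
    latest = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        term = roster.get(ev["user"])
        if term is not None and ev["ts"] >= term:
            latest[ev["user"]] = max(latest.get(ev["user"], term), ev["ts"])
    return {user: (ts - roster[user]).days for user, ts in latest.items()}


if __name__ == "__main__":
    for ts, rule, subject in scan(SAMPLE_LOG):
        print(f"{ts}  {rule:32s}  {subject}")
    print("deprovisioning gaps (days):", stale_access(SAMPLE_LOG))
```

Run against the constructed sample, the script flags the terminated contractor's VPN login and account creation, the admin-level account that contractor created, and the shared "ops" account's remote login, while the approved administrator's ordinary activity is not flagged. In practice the roster would come from the HR system and the rules would be tuned to the organization's own change-approval process; the point is that each rule maps directly to one of the study's observed behaviours.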
