As Enterprises Snooze, Data Attacks Focus on Financial Services

For some years now, I have been blowing my somewhat lonely horn about the poor state of data security in the insurance and financial services industries. To be sure, there have been attacks on our industry’s enterprises—some of them very costly—yet we don’t seem to have felt the pain acutely enough to make security an industry-wide priority. “Sure, it happened to someone else, but it won’t happen here,” some loopy-brained supporters of non-action have insisted.

Now a letter from David Jevans, CEO of IronKey, to his company’s customers has again shed light on this situation, and has found that the tide of crime is turning ominously in the direction of financial services. “The first half of 2010 illustrated that security threats against our data, applications and networks continue to grow,” his letter states. “As an industry, we are seeing ever more data breach notifications, where unencrypted data is lost or stolen.

“Attacks are often financially motivated, and the criminals have begun to focus their energies on the online banking services that serve companies, both small and large,” he continues. “Financial malware, such as the Zeus trojan, is being used to infect the computers of finance professionals in small, medium and large-sized companies. The criminals then use these infected computers to break into company online bank accounts, and fraudulently transfer funds out of these accounts.”

Are you a finance professional—or do you work with one? If so, perhaps you would do well to warn such persons about the increasing number of criminal attacks aimed squarely at their companies’ cyber vaults. Then again, a warning can only do so much. Preparedness—in the forms of better security technology and tighter controls on personnel who interact with technology—would seem to make sense.

It was easier to look the other way when cyber attacks weren’t being reported so close to home for insurers, agents and other financial services entities, but the crosshairs have been moved, and if you’re feeling a strange tingling in the back of your neck, it may be that some crook is about to pull the trigger that will deliver to him the information in your minimally protected systems.

I wonder how long our experts and pundits will continue to drone the “it can’t happen here” mantra. I wonder how much longer we will continue to swallow the idea that data security is a minor annoyance and not a major issue. I really am starting to believe that some insurers, whether they admit it or not, are just looking at cyber-crime as a cost of doing business, and are building certain losses into their budget projections to begin with. If that is happening, I wonder what formulae they are using to predict just how much will be stolen over any period of time.

There was a time when I believed that all it would take would be one or two highly publicized breaches for this industry to wake up and get serious about security. Experience has taught me, however, that it is much more likely that we will allow these criminal leeches to drain our blood slowly—perhaps until we reach the point where we have neither the will nor the resources to resist.

“Our applications and networks are under attack from ever more sophisticated adversaries,” Jevans says. “The Aurora attacks against numerous large companies, including Google and Adobe, showed that cyber criminals are creating more sophisticated malware, and are coordinating their attacks in order to penetrate the defenses of companies who have the most well informed IT security departments.”

But we really don’t want to acknowledge the possibility that things are getting that bad. It’s just too icky!

This blog was exclusively written for Insurance Networking News. It may not be reposted or reused without permission from Insurance Networking News.

The opinions of bloggers on www.insurancenetworking.com do not necessarily reflect those of Insurance Networking News.