The 4 Pillars of IT Security

A nasty new version of “ransomware” has been making the rounds on the Internet, putting millions of personal and corporate files at risk. Instead of stealthily copying data and sending it somewhere else, this type of Trojan virus encrypts the data in an unbreakable algorithm, then demands payment for the key to unlock it.

“This kind of malware is not new but over the past 18 months it has become significantly more prevalent and the malware authors have written significantly more clever and scary versions,” writes James Lyne, global head of security research for Sophos. Even after security tools clean out the virus, the files remain encrypted. The latest variation of the threat, called CryptoLocker, includes a countdown timer which demands a payment of $300 within 72 hours or else the key file will be deleted.

Hopefully, law enforcement will catch up to the creators of this and other viruses, but unfortunately, there will be others. This is only the latest reason – as if any more were needed – for continuing, comprehensive employee education on data security. In addition, it points to the urgency of making sure that all important data is backed up and available on a continuous basis.

Some best practices every insurer needs to engage in and maintain:

Education and training: This is the first, and best, line of defense for organizations. Build a security-aware organization, in which employees can effectively “police” their own domains, following best practices such as not opening suspicious emails or visiting non work-related websites.

Your own encryption: After employee engagement and training, this is the second best line of defense against data theft or corruption. You may have the best technical defenses in the world at your production site, but what happens as data is sent out to development groups or backup sites? How secure are these parties, even if they are still part of your organization?

Monitoring and auditing: Companies don't do enough monitoring and auditing to ensure that unwarranted access is taking place. In surveys I have conducted, many companies only audit their access logs every few months or so. By then, it may be too late.

Technical tools:  Finally, there is a range of security solutions that help ensure that databases, servers, networks and client devices are protected against unwarranted intrusions.

Joe McKendrick is an author, consultant, blogger and frequent INN contributor specializing in information technology.

Readers are encouraged to respond to Joe using the “Add Your Comments” box below. He can also be reached at joe@mckendrickresearch.com.

This blog was exclusively written for Insurance Networking News. It may not be reposted or reused without permission from Insurance Networking News.

The opinions of bloggers on www.insurancenetworking.com do not necessarily reflect those of Insurance Networking News.