Security Is a Business Requirement

Published: July 11, 2007

By Harry L. Waldron, CPCU, AAI, Microsoft MVP

See other Security MVP Article of the Month columns.

Insurance Industry is an Example of How Security Applies to Everyone

All companies must protect their information resources through a security process that includes: defensive tools, corporate policies, security awareness, security testing, and monitoring. Security is a challenging corporate function for every business to ensure safety, privacy, and confidentiality. As one golden rule proclaims, “Security is only as strong as its weakest link.”

Financial information is the key asset for an insurance company. The insurance contract is a promise of protection that is based on the accuracy, reliability, and confidentiality of customer information. Insurance information must be well-protected in order to meet business needs, just as manufacturers must safeguard their inventories and physical assets. Information Security must be effective in every company to prevent embarrassing accidental and even intentional losses of data.

The Information Security Process: Focus on Both Tools and People

Information Security is not about tools alone, because it is a process that requires the utmost support from people, as well. Maintaining good security in the business environment is a challenge that never ceases. New risks are constantly surfacing, and security professionals must constantly address new challenges in protecting their organizations. Exhibit A, later in this article, provides a checklist for many of the major security initiatives that a company must address in a comprehensive Information Security Program.

As a starting point, companies must invest in their staff, in training, in tools, and in security projects. The insurance industry takes security seriously because it must protect customer privacy, competitive secrets, and other intellectual assets. The security process works best when companies implement the best defensive tools, actively educate the user community, and have empowered IT Security staff who proactively monitor the changing landscape in a spirit of continuous improvement.

Many companies prefer a “tools only” approach, where the security process is more transparent and there is less emphasis in involving people. While security software has improved, this approach is not recommended because there are business risks that can’t be addressed by software alone. Greater benefits will be achieved by involving business professionals and providing them with basic security training.

As the security checklist in this article illustrates, a more effective approach includes both tools and people. Consider the morning of May 5, 2000, when the Love Bug virus attack surfaced. Protection from antivirus software vendors was not immediately available. While many individuals had anti-virus protection, this worm spread rapidly and resulted in over $20 billion in damages worldwide. At Atlantic Mutual Insurance Companies, we had established an all-employees warning system and had trained our professionals in how to safely handle e-mail messages. This resulted in very few infections and no downtime for our company.

The security process requires users to be educated beyond just avoiding attachments or potentially hostile Web links. Kevin Mitnick, one of the most renowned malicious users, used low-tech social engineering schemes to gain access to people's computers by getting those people to disclose their passwords.

Security awareness should include: corporate policy training, Internet and e-mail message safety training, and ways to better protect the confidentiality of all information. For example, companies can offer lunch-and-learn classes about encryption, or about how to protect portable computer systems, and can even provide demonstrations about how systems are compromised.

The intranet can provide an excellent resource for security reference information and training. At Atlantic Mutual, we developed a security Web site in 1997 that hosted our corporate policies, best practice guidelines, monthly newsletters, how-to guidelines for installing security software, and more. Using Web pages rather than printed manuals saves expense, allowing your company to easily update and share policies by providing your employees with related links to your intranet.

The Information Security Function Must be Empowered

Besides tools and security awareness, to be effective in the process the IT Security function must be properly recognized and funded. IT Security staff are responsible for more than just user account management, because all of the company’s information resources require protection. An effective IT Security team must actively research evolving threats to provide “just-in-time” protection. They must also monitor activity on their networks and even test security controls for opportunities to further strengthen defense controls.

Information has value in every company. A company should have the best tools available to protect its assets. Secondarily, everyone from the janitor to the CEO plays an important role in the defensive process. Finally, an active IT Security function helps provide synergy for the process so that it is relevant and effective for all. The process requires a lot of ongoing work. However, it will pay dividends in avoiding business outages and in preventing privacy disclosures, and most importantly it will help in developing an educated and protective workforce.

Exhibit A – Corporate Security Protection Checklist

  1. Implement the Best Technological Defenses

    • Commercial firewall system (such as multitier, perimeter network [DMZ], honeypot, secure server, or monitoring system).

    • Corporate antivirus protection (with centralized updating, alerting, and management for all e-mail messages, server computers, and corporate workstations).

    • Corporate antispyware protection for workstations.

    • Web content filtering to block users from accessing objectionable or potentially harmful sites.

    • Spam filtering controls for electronic mail systems.

    • Attachment blocking for electronic mail systems.

    • Alternative or more trusted document exchange methods using external entities.

    • Security configuration standards (the minimum security standards that must be adhered to) for server, workstation, network, and other technical resources.

    • Remote access controls and standards (such as remote control software, dial-in, or VPN authentication).

    • Strong or complex passwords for network, server, or database authentication.

    • Two factor authentication techniques (such as secure ID cards, Cryptocards, and biometrics).

    • Encryption for Web sessions, sensitive database fields, sensitive server computers, portable computers, and so on.

    • Privacy protection (special controls and focus to ensure that customer information is properly protected).

    • Application-level security controls. (For client/server applications, this better protects application systems in case the administrator accounts are compromised.)

  2. Ongoing Security Awareness Training

    • Teach relevant security topics in the user community (such as classes about key policies, privacy, passwords, maintaining confidentiality, spyware, avoiding phishing attacks, and so on). This is more than just how to avoid nontrusted files or Web links.

    • Offer lunch-and-learn or more formal presentations, which should be brief, easy to understand, and provide value to the recipients.

    • Develop a company-wide e-mail message alert system for when major viruses or other threats get past defense systems into inboxes.

    • Create an intranet security Web site, an excellent resource for the IT Security department. It can store information such as corporate policies, best practices, monthly newsletter archives, and informational references. Relevant Web page links can then be easily shared in e-mail messages.

    • Make it clear that all employees play a vital role in corporate security. This means that professionals need to be careful in sharing information, in safeguarding their equipment, and in avoiding all malicious software risks. One message from the world of IT Security is "SECURITY = SEC-U-R-IT-Y", which is to say “You are It”, emphasizing the point that every person has an important role to play in protecting the company’s information.

    • Stress that employees are sometimes the last line of defense. It is possible for malicious software agents or social engineering attacks to penetrate defense systems and reach the user. Therefore, it is beneficial to train employees to identify threats and to report them to the help desk. Security training should begin as part of the new employee orientation process. On-going security awareness should continue using email, the intranet security web site, and relevant formal classes. These training opportunities can head off major attacks and keep the company operating, rather than experiencing major downtime and lost business opportunities.

  3. Active Security Management Process

    • Pilot test and deploy Microsoft updates expediently throughout the company. (Reverse engineering of security patches can be accomplished now in hours rather than days.)

    • Create an inventory of all products and stay up-to-date on security releases for all products. New releases should be tested and applied expediently for any new security update.

    • Stay up-to-date on supported product versions and service packs. (For example, upgrade from near end-of-the-line products like Windows 2000 to Windows XP or Windows Vista.)

    • Use automated software distribution to deploy security solutions (such as virus definition updates, Windows Server Update Services updates, service packs, and so on).

    • Test security defenses internally on a quarterly basis and externally by expert security firms periodically (such as network vulnerability assessments, network penetration testing, passwords, network server computers, Internet server computers, workstations, routers, remote access, and so on).

    • Perform security audits and reviews. Examine past events and look for ways to strengthen security controls. (For example, review intrusion detection system, firewall, event, and other security logs on regular basis.)

    • Monitor evolving threats. IT Security professionals should constantly evaluate new exposures as they emerge and take steps to mitigate potential attacks.

    • Maintain up-to-date security policies, procedures, and standards, to encourage the best human behavioral responses. (For example, make policies easy to understand, use a positive framework, and keep up with new areas of technology.)

    • Provide training for IT Security team members. This is critical because they work in a complex and constantly changing environment. Each team member must also invest in his or her career by constantly reading and engaging in continuing education.

    • The Information Security Manager must keep management informed on new security exposures and their potential impact. A monthly meeting is recommended with the company’s senior leadership to discuss risks, trends, and to gain their approval for improved security strategies, that lead to a better business environment.