Insuranceciooutlook

People, Processes, and Technology: Mantra for Cybersecurity

By Michael Stoeckert, CTO, ProAssurance [NYSE:PRA]

Michael Stoeckert, CTO, ProAssurance [NYSE:PRA]

As we have seen in recent years, data breaches continue to rise in breadth of industry and scale of the attacks. This has required companies to add layers of protection to cyber risk programs. To do this, it’s important to have good overall coverage with your people, processes, and technology.

People

“People” focuses on what companies do to increase security awareness via short-length, high-frequency training on various types of threats—and the things to watch out for in order to protect the company. Security training requirements are becoming more specialized based on employees’ functions. I see the growing need to train for secure coding practices. Training at the business level for business email compromise focusing on wire transfers is also important.

"There is no one category that will create and maintain a healthy cybersecurity program"

Use security tips to communicate lurking threats. Include what can affect employees while on the company’s networks and what can affect them on their Bring Your Own Device (BYOD) or home computer. A data breach that affects an employee’s personal assets can also affect the employee’s work productivity.

Process

Processes include the company’s incident response, security oversight, IT controls, and policies/procedures. The incident response plan defines the critical response team that will work on the issues found when an incident occurs. This includes both internal and external communications/responsibilities.

It is important to have cyber scenarios in the company’s business continuity/disaster recovery plan that leverage the incident response plan and provide practice via table top exercises to ensure full understanding of the process. Some type of security oversight is required to ensure the security program is aligned to mitigate the appropriate level of risk in the company. Having business and technology representation on this committee helps ensure there is a balance between security and ease-of-use.

Additionally, a healthy IT control structure helps ensure IT systems and services have protections built into the process. Have IT review the process periodically to discover issues and update the control structure to continuously improve the process.

Policies define what employees need to do and procedures define how these will be accomplished. This includes passwords, acceptable use, system patching, vulnerability management, and change management, but also the growing need to assess third party software and service providers (third party vendors). Third party vendors are a growing area of risk as companies can’t assume that everyone protects company data with the same level of fervor.

Ensure your third-party vendors have some type of process to assess their third-party vendors’ level of risk. There are some nice security score carding solutions maturing that utilize externally accessible information to dynamically assess a company’s security risk. Use this to supplement a baseline set for a security checklist. Companies can assess on all of their third-party vendors by using a checklist that requires vendors:

1. Do background checks for all employees and contractors prior to hiring
2. Have a cybersecurity policy that describes how they will identify and manage cybersecurity risks
3. Notify their clients of a data breach
4. Have cyber liability coverage
5. Use a process to assess security risk of all their vendors
6. Have a data destruction process for paper and electronic assets—including subsequent hardware
7. Have an offline backup process for electronic data
8. Use a process to obtain, test, and automatically deploy security patches in a timely manner
9. Have access to physical and logical devices based on a valid business need
10. Practice strong authentication mechanisms to manage user identities and access to assets
11. Limit the use and management of administrative privileges
12. Utilize security tools like firewalls, antivirus, spam filtering, intrusion detection, workstation encryption, and mobile encryption

Technology

Technology includes the company’s perimeter security, internal ecurity, and monitoring/correlation services. Perimeter security includes firewalls, remote access services, virtual private networks (VPN), spam filtering and internet demilitarized zones (DMZ). These usually account for multiple layers of perimeter security that not only try to prevent the “bad guys” from getting in—but also try to prevent the data from getting out (commonly called egress).

Internal security includes file blocking/Uniform Resource Locator (URL) defense, sandboxing, anti-virus, advanced threat detection, intrusion detection/prevention (IDS,IPS) systems, offline backups, and the least access privileges approach to user account permissions. These solutions work together to provide multiple layers of security to prevent vulnerabilities from occurring or spreading if they do occur.

It’s critical to have 24/7 monitoring services that analyze the company’s critical assets in real-time—escalating any evidence of an infiltration so the company’s security and IT teams can mitigate the issue.

As you can see, there is no one category that will create and maintain a healthy cybersecurity program. It takes everyone in the company working together to mitigate risks—balancing the level of risk the company is willing to accept with the effect on ease-of-use and employee productivity. The threats are continually moving targets so having an adaptable approach to security built on a strong foundation is critical to managing cyber risk.

Read Also

Unique Approach to Mitigate External Threats

Unique Approach to Mitigate External Threats

Curt Overpeck, CIO, Citizens
Usage Based Insurance: The Five Must-Haves

Usage Based Insurance: The Five Must-Haves

Jake Diner, Co-founder and CEO, Driveway Software
Digital Transformation Technology Implications for Insurance Companies

Digital Transformation Technology Implications for Insurance Companies

Alan Royal, Head of Technology Innovation and Business Transformation, Strategy CIO