This Opinion piece looks at how data breaches can cause serious problems within the insurance industry: GDPR fines, fraud, loss of customer trust, insider risk and much more.
Between a Breach and Hard Place
By Mike Smart, Business Development Director, BAE Systems
It’s hard not to feel a degree of sympathy for the poor old Chief Security Officer (CSO) sitting in their highly secure office. With organised cyber criminals doing their best to break into the technical estate the CSO is working so diligently to protect, and the regulatory authorities looking over their shoulder itching to wield their new-found GDPR fine stick, it’s a high-pressure environment. Their situation is not improved by the unintentional breaches caused by genuine, Christmas party-induced mistakes, or by the more serious problem of deliberate malpractice by internal staff.
It’s a tough and thankless job, and ironically, when everything is under control (never entirely possible), it creates the impression amongst senior colleagues that all the CSO does is use long words and complex diagrams and in reality does nothing all day. That is, of course, until the eventful day when the wheels come off and all hell breaks loose.
Providing a secure technical environment has been a requirement from the very first days of computing. The main issue was controlling who had access to which processes; a simple example is restricting who had access to payroll. On the one hand there was the matter of ensuring that not everyone knew how much the Chairman was earning or claiming on expenses, but there was also the matter of controlling who could cut cheques (remember them?) and adjust how much people were paid. Two very basic issues: controlling the flow of information and managing executable processes.
Although these are still very common themes, the complexity in today’s interconnected environment is of a different order entirely. Cyber crime has become an increasingly popular way of making a living. It’s a lot more civilised sitting at home breaking into computer systems to steal money, or to extort it by planting malware, than donning the balaclava and taking on The Sweeney.
This is also an organised business. The Hollywood notion of technical geniuses working for the common good, exposing the naughty things that Governments try to hide or defeating Bond villains, is just that: a notion. These gangs steal people’s identities by accessing customer databases and use that information to execute fraudulent transactions. If one can successfully circumvent the processes in place, insurers and banks are happy hunting grounds for money laundering, raising finance for terrorist activities or extortion. It’s a serious business and one that deserves a zero-tolerance policy.
The connected world has many benefits. A fridge that tells you when you’ve run out of beer, or that you’re down to your last few rashers of bacon, is very useful. Well, to some people it is; the serious point is that every device added to the network is another potential way into it, so the attack surface grows as fast as the network does. We now have very extended, deeply integrated and connected supply chains. Home working is becoming the norm. Most businesses also want to communicate directly with their customers to execute a variety of commercial transactions.
The more participants in the network, the more complex it becomes to control the security aspects, protect core processes and protect data, the most valuable commodity in the business. The advent of the smartphone has seen a mind-blowing amount of data being created and stored. Insurers are one of the largest consumers of data. It’s used for pricing, customer and risk profiling, improving retention rates and, in claims, to uncover potentially fraudulent transactions.
Insurers thus hoard data, which makes them a target for those who want to gain access to the same data-sets in order to build an electronic clone of an individual.
A breach in security, leading to a substantial loss of data, has a potentially devastating impact on a business. Loss of market reputation, hugely damaged customer confidence, share price falls and now, alongside FCA and GDPR sanctions, an eye-watering financial toll. CSOs, CIOs and CEOs all fear that Sunday morning call breaking the bad news that something has gone awry.
Protecting oneself against breaches in security requires a multifaceted approach and a lateral thinking methodology.
- Protecting the business’s most valuable asset, data, requires a different set of tools and processes from those deployed to prevent our own internal staff from breaching documented procedures, whether maliciously or otherwise.
- Too often we see significant effort being expended on building sophisticated external-facing defences and hardly any attention paid to the 40 per cent of all security breaches that occur internally.
- Traditional platform software comes with security defined around roles; this typically governs who can invoke which processes and what financial sign-off levels they hold. All well and good, but little if any consideration is given to who can access the data, and it’s the data as well as the process that requires protection.
- It’s not reasonable to expect a business to remain abreast of all the developments in the world of cyber crime. An organisation believing it has the wherewithal to counter every unknown threat is, at some point, likely to experience a rude awakening. This is a fast-moving landscape that attracts highly talented individuals intent on crime. Working with specialist partners to prod and poke current defences and to discuss current trends will go a long way towards mitigating the degree of exposure a business faces.
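To make the gap described in the third point concrete, here is an added illustration in Python; it is not part of the original article and not BAE Systems code, and the policy records, role names and team scopes in it are constructed for the example. The first version of the "view policy" process checks only that the caller's role is allowed to invoke it, so any claims handler can read any customer's record. The second version also checks that the caller is entitled to that particular record and writes every attempt, refused or not, to an access log, which is what allows an internal bulk extraction (the second point above) to be spotted rather than assumed away.

```python
"""Process-level role checks versus data-level access control.

Added illustration; every record, role and team below is constructed.
"""
from collections import Counter
from dataclasses import dataclass, field


class AccessDenied(Exception):
    """Raised when a caller may not perform the requested action."""


# Constructed sample records. 'team' is the data scope that owns the policy.
POLICIES = {
    "P-1001": {"holder": "A. Example", "dob": "1980-02-01", "team": "motor-north"},
    "P-1002": {"holder": "B. Example", "dob": "1975-11-30", "team": "motor-north"},
    "P-1003": {"holder": "C. Example", "dob": "1990-06-15", "team": "motor-north"},
    "P-2001": {"holder": "D. Example", "dob": "1968-03-09", "team": "home-south"},
}

# Process-level permissions: which role may invoke which business process.
ROLE_PERMISSIONS = {
    "claims_handler": {"view_policy", "record_claim"},
    "payroll_admin": {"run_payroll", "adjust_salary"},
}


@dataclass(frozen=True)
class User:
    name: str
    role: str
    teams: frozenset  # data scopes (teams) whose records this user may read


def can_invoke(user: User, process: str) -> bool:
    """Role-based check: may this role run this process at all?"""
    return process in ROLE_PERMISSIONS.get(user.role, set())


def view_policy_v1(user: User, policy_no: str) -> dict:
    """Version 1: role gate only. Every claims handler can read every policy."""
    if not can_invoke(user, "view_policy"):
        raise AccessDenied(f"{user.role} may not view policies")
    return POLICIES[policy_no]


@dataclass
class AccessLog:
    """Append-only record of every attempt, successful or not."""
    entries: list = field(default_factory=list)

    def record(self, user: User, policy_no: str, outcome: str) -> None:
        self.entries.append({"user": user.name, "policy": policy_no, "outcome": outcome})


def view_policy_v2(user: User, policy_no: str, log: AccessLog) -> dict:
    """Version 2: role gate, then a data-level check, then an audit entry."""
    if not can_invoke(user, "view_policy"):
        log.record(user, policy_no, "denied-process")
        raise AccessDenied(f"{user.role} may not view policies")
    record = POLICIES.get(policy_no)
    # Same refusal whether the record is missing or out of scope, so a caller
    # cannot probe which policy numbers exist.
    if record is None or record["team"] not in user.teams:
        log.record(user, policy_no, "denied-data")
        raise AccessDenied(f"{user.name} is not entitled to {policy_no}")
    log.record(user, policy_no, "ok")
    return record


def bulk_readers(log: AccessLog, threshold: int) -> list:
    """Names of users whose successful reads reach the threshold.

    A crude insider-misuse detector: legitimate claims handling touches a
    few records; a dump of the customer base touches many.
    """
    counts = Counter(e["user"] for e in log.entries if e["outcome"] == "ok")
    return sorted(name for name, n in counts.items() if n >= threshold)


def denied_attempts(log: AccessLog, user: User) -> int:
    """How many times this user was refused at either check."""
    return sum(1 for e in log.entries
               if e["user"] == user.name and e["outcome"] != "ok")


if __name__ == "__main__":
    handler = User("h.north", "claims_handler", frozenset({"motor-north"}))
    log = AccessLog()
    print(view_policy_v1(handler, "P-2001")["holder"])  # v1 hands over a home-south record
    try:
        view_policy_v2(handler, "P-2001", log)
    except AccessDenied as exc:
        print("v2 refused:", exc)
    for pn in ("P-1001", "P-1002", "P-1003"):
        view_policy_v2(handler, pn, log)
    print(bulk_readers(log, threshold=3))
```

The threshold in `bulk_readers` is deliberately simple; in practice it would be set per role from observed baselines, and the log would be shipped off the application host so that the person being watched cannot edit it.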
After three decades in the computing industry, it’s been fascinating to watch the market evolve. From punch cards, through the dark art of programming, to smartphones with more computing power than the Apollo guidance computer, it has come a long way in a comparatively short time.
As we have gained more access to IT, we have created more and more data. Failing to protect it is possibly the biggest exposure a business faces today. Get it wrong, and missing the commercial targets for a quarter will be a cakewalk in comparison.
This article is sponsored content, produced in association with BAE Systems