In The Struggle To Maintain Security

A recently released study from Atlanta-based LOMA reports that technology is a two-edged sword in the battle to maintain data security – offering both defensive measures and products designed to defeat those measures.

“On one hand, powerful new technologies enable life insurance and other financial services providers to deliver more products and services through more channels,” states Stephen W. Forbes, senior vice president of research at LOMA. “On the other, they make it easier for insiders and outsiders to invade weak points and, as a result, compromise data privacy and interfere with IT processes.”

Forbes is the author of the study, “Data Privacy, IT Security and Disaster Recovery in the Financial Services Industry,” which examines security challenges and suggests solutions.

The study, released at the end of July, notes that a company’s insiders, rather than outsiders, are more likely to invade IT systems because they are often aided by special knowledge of the firm’s operating systems, software code, linkages among systems, and other inside information.

“Thus, special attention should be paid to minimizing security breaches coming from within the organization,” the study says.

Concerns regarding privacy of information on Web sites “reflect a distrust of technology in general in protecting privacy,” the study states. “This distrust is fueled by the ongoing development of new forms of technology that intrude on privacy.”

In addition, networked computers make it easier to invade privacy because they facilitate the ability to share, combine, and perform analyses on different databases, the study points out. “Because it is easier to collect digitized data than paper data, more private information is being collected in such databases.”

According to the study, there is no completely foolproof method of protecting IT resources from invasion by hackers, or from insiders such as employees. Forbes points out, however, that “while there is no guarantee of complete security for an organization’s databases and other technology resources, there is an expanding array of IT tools and business processes that can be used to increase the probability of protection.”

The tools include maintaining the physical security of IT resources, firewalls in various IT systems, data encryption, controlling access for particular users, and user authentication technologies, said the study. Other protective technologies include virtual private networks (VPNs increase security by controlling access and encrypting data), IT inventory controls, automatic log out and file deletion for PCs and mobile computers, and intrusion detection systems.

The study also notes that many failures in IT systems are not due to faulty or inadequate security technology, but to improper use of such technology. “Training employees, distributors and other individuals on their roles in maintaining secure IT systems and the penalties (e.g., dismissal) for failure to maintain these corporate policies is critical,” says the study.

David O’Neill, vice president, e-business solutions, at Zurich North America in Baltimore, agrees that foolproof security for computer systems does not exist. “I haven’t seen anyone that’s told me there’s an absolute guarantee and they’re gonna bet the ranch on it,” he observes. “There’s no ultimate mousetrap as yet.”

He also agrees that while security breaches can come from inside or outside an organization, exposures often come about as a result of inside events.

“Zurich got hit with Nimda [a virus]; the code doesn’t lie,” he notes. That happened because “someone went into a HTML e-mail application at Zurich.” Such applications include Web-based e-mail systems like Yahoo!, Hotmail, and America Online, he says.

“We learned from our mistake,” O’Neill says. “We’ve disabled HTML e-mail” within the company.

Another vulnerability may be the fact that a company uses an application service provider (ASP) to access certain software programs via the Internet, O’Neill points out. “ASPs aren’t as careful with security as companies,” he states, “but the client takes the earnings per share hit” when a breach occurs. “When we insure a company, we check the ASPs for security as well, and we underwrite them.

“Change is constant. Viruses are coming out daily. Vulnerabilities are found often. We want our clients to have security, intrusion detection, and guarantees from their ASPs,” states O’Neill.

Echoing those sentiments, the LOMA study concludes that “a well-designed data privacy, IT security, and disaster recovery program can lower the risk of a financial services organization incurring significant losses from these exposures.”


Reproduced from National Underwriter Life & Health/Financial Services Edition, September 2, 2002. Copyright 2002 by The National Underwriter Company in the serial publication. All rights reserved. Copyright in this article as an independent work may be held by the author.