The industry remains infantile in its approach to data security

By Ara C. Trembly

When I was a little boy, the possibility of monsters, bogeymen and trolls in one’s bedroom was, perhaps, slightly more real than it is today.

Maybe you can look back and recall your own experiences with the kid-eating monster in the closet, the sharp-fanged vampire at the window or Freddy Krueger waiting to pull you right out of bed and into his particularly bloody and disturbing version of hell.

In my childhood environment, however, there was one protection against such dangerous intruders that every kid knew would work: hiding under the covers. Yes, no matter how menacing the slavering jaws, fetid fangs or razor-tipped fingers of the adversary, they could not penetrate the barrier of my grandma’s quilt, my aunt’s porous afghan or someone’s ratty army blanket.

Of course, you couldn’t allow any space to remain between the blankets and the bed, lest one of the attackers should turn himself into a gas (eminently possible; just ask any kid under 10 years old) and infiltrate your fortress of cloth, but barring any unfortunate limbs remaining uncovered, you pretty much knew you were safe under there, even though you also knew on some level that your kid logic was as full of holes as that old army blanket.

Looking back over the technology news and events of 2005, I would have to say that many in our industry have adopted the hiding-under-the-covers strategy when it comes to information security, and the potential consequences are far more dangerous than the wrath of an army of imaginary monsters.

The battleground between the forces of legitimate business and the legions of criminal hackers and spyware purveyors who want to steal valuable information was a bloody one in 2005, and there were significant casualties on our side. ChoicePoint, for example, which provides risk management and fraud prevention information to the insurance industry, had its security breached not once, but twice in 2005. Since the company maintains databases of background information on just about everyone in the U.S., it’s safe to say this was a major setback.

As we pointed out last spring, however, hardly a whimper has been heard from our carriers, brokers and agents regarding this problem. This despite the fact that ChoicePoint’s Insurance Services division stores and provides motor vehicle reports, claims histories, customized policy rating and insurance software, and property inspections and audits. But for our industry, all is cozy and safe under the covers.

Think this was an isolated incident? Consider that in 2005, the names of financial services companies whose security was breached included J.P. Morgan, City National Bank, Bank of America, CitiFinancial, Ameritrade and the Federal Deposit Insurance Corporation (FDIC).

Spyware has become a particularly virulent bogeyman in 2005. In a survey of security administrators, 67% agreed that spyware was “the greatest threat” to their company networks in 2005, according to ZDNet News. In an InformationWeek survey of 400 technology professionals, 71% said they would spend “significantly more” or “somewhat more” on spyware management in 2005.

Yet, according to Chad Hersh, a Houston-based analyst with Celent, a research firm, “Information security is still lagging” in our industry. While it’s true that increased industry regulation is encouraging more of us to safeguard data, “regulations can’t do enough to set standards that would truly secure the enterprise,” he adds.

How is it that insurance, arguably the most risk-averse of all industries, continues to move so slowly to protect information that is so vital to its own survival as an industry? The disturbing answer seems to be that, rather than spend the money and resources to truly secure our customers’ information, we are content to hide under the covers until the sun comes up or mommy comes to tuck us in.

For a child in his or her bedroom looking to chase away spooks that run wild in the imagination, the magical thinking behind hiding under the covers is a normal, perhaps even endearing, response. For grownups running companies worth millions or billions of dollars, the same response to very real threats is at best a sign of immaturity and at worst a symptom of mental illness.

Wake up, insurers; mommy can’t save you from these monsters.
