SolarWinds recently issued the results of a survey which found many gaping holes in the security of US federal government systems. While government IT is in a classification by itself, many of the survey's important points are just as applicable to insurance IT operations.
Chief among them: the number-one source of security issues is careless and untrained insiders. A majority of survey respondents, 53%, identified “careless and untrained insiders as their greatest source of cybersecurity threats over malicious external sources such as hackers and terrorists.” This is up from 42% last year.
Still, outside threats received the lion’s share of resources and funding, the survey of 200 IT executives also finds. In fact, nearly two-thirds (64%) believe malicious insider threats to be as damaging as or more damaging than malicious external threats. Nearly half of respondents said government data is most at risk of breach from employees’ or contractors’ desktops or laptops. Top causes of accidental insider breaches include phishing attacks (49%), data copied to insecure devices (44%), accidental deletion or modification of critical data (41%) and use of prohibited personal devices (37%).
Again, while this survey pertains to federal agencies, it’s the same situation found within the business sector. Insurance companies need to sit up and take note of the potential vulnerabilities within their own organizations.
Insider threat detection difficulties also include a high volume of network activity (40%), lack of IT staff training (35%) and growing use of cloud services (35%), the SolarWinds survey finds. In addition, security breaches may occur because of pressure to change IT configurations quickly rather than securely (34%), use of mobile devices (30%), cost of sophisticated tools (27%) and growing adoption of BYOD (27%).
Although 85% of IT managers said they have formal IT security policies, 46% noted insufficient security training for employees as an obstacle to threat prevention.
Addressing inside vulnerabilities should come from several directions:
Prevention strategies, such as using encryption across all key data assets, to render data useless to anyone inside or outside the enterprise.
Managing copies of data, to make sure sensitive production data does not get sent out to internal or third-party developers or QA teams as part of application testing processes. If anything, development and QA shops should be furnished with redacted, masked or simulated data for testing purposes.
Training and education of all employees to maintain awareness of security strategies and requirements. An IT department, or for that matter, dedicated security team, can’t handle the challenge alone. IT security needs to be a crowdsourced effort.
Applying patches and updates as they become available from vendors. The latest updates address the latest vulnerabilities detected in the marketplace.
Making sure that third-party consultants, systems integrators and cloud service providers have solid security practices in place. You may have high levels of security awareness and best practices in place, but the vendor handling your precious data may not be as diligent.
Monitoring and auditing what goes on within applications and databases. This should be as frequent or ongoing as possible.
This blog entry has been reprinted with permission.
The opinions posted in this blog do not necessarily reflect those of Insurance Networking News or SourceMedia.