Question

Discussion Requirements

This discussion focuses on an insurance company that handles private medical data and accepts credit card payments for insurance premiums.

Tasks

Discuss why the following must be protected in this context (what are the risks):

Network

Servers

Clients

Other resources

Information/data

What are ways in which each of the above items can be protected in this context?

Summarize your thoughts in a Microsoft Word document checking for spelling and grammar, then submit it directly (cut & paste) into the discussion thread. Respond to at least two other students’ views to engage in a meaningful debate regarding their posts or to defend your post.

Required Resources

Textbook and Internet

Submission Requirements

Format: Please enter directly into the Discussion Question window

Citation Style: Follow APA

At least 300 words

Spelling and grammar count, so I suggest you first type your post into MS Word and check for spelling and grammar. You can then cut & paste into the Discussion Question thread.

Self-Assessment Checklist

I described at least one risk to each of the listed entities.

I described at least one method for protecting each of the listed entities.

I responded to at least two other students’ views to engage in a meaningful debate regarding their choices or to defend my choices.

Explanation / Answer

Why do software vendors and application software companies have Software Licensing Agreements (SLAs) that protect them from their own software vulnerabilities? Why do software companies have stringent Limited Warranty, Disclaimer of Warranties, Exclusion of Incidental, Consequential, and Certain Other Damages, and Limitations of Liability clauses in all their software products’ SLAs?

The answer to these questions can be summarized quite simply: software vendors know they can’t create and sell perfect code because of the human element. Software bugs and vulnerabilities are commonplace. Simply put, software vendors cannot guarantee that their software is bug-proof and free of vulnerabilities, so they must protect themselves from potential liability and damages that may be the result of a software vulnerability that is exploited by a hacker or unauthorized user.

When defining a policy for software vulnerability management, identifying and prioritizing mission-critical IT assets to prioritize the confidentiality, availability, and integrity of information assets is paramount.

Organizations are now realizing that having an IT security architecture and framework consisting of policies, standards, procedures, and guidelines for their production IT systems, software, and applications is critical. Many organizations are apt to create a policy that defines the maximum acceptable vulnerability window for its mission-critical and production IT systems. This policy then drives the priorities for how funds are to be invested for risk mitigation via an enterprise patch-management solution.

Many of the security incidents indicated in 2003 on the http://www.cert.org website were the direct result of software vulnerabilities that were exploited by an attacker. These security incidents can be attributed to the "vulnerability window," which is the amount of time that lapses between when a known vulnerability is identified and documented and when an organization implements the vulnerability fix or deploys the appropriate software patch.

Because of this vulnerability window issue, SQL Slammer, which was a known vulnerability posted by Microsoft in July 2002, affected nearly 90% of the world’s SQL databases on Super Bowl Sunday, January 2003, six months after the vulnerability was exposed.

The stages of vulnerability in software are as follows:

Ironically, insurance companies deal with risk on a day-to-day basis. It’s what they do. But the kinds of risks they deal with are somewhat more tangible – and these risks aren’t in a constant state of flux like today’s cyber threats are.

In order to instil confidence and protect their business continuity, insurance companies must recognize the inherent perils and do their best to bring their cyber security up to modern standards to protect their own and their clients’ interests.

Slow adopters, big risk

The insurance sector has lagged far behind other financial-sector industries in its adoption of cyber security technologies, perhaps because they have not (so far) been aggressively targeted by cyber thieves. As banks and other financial institutions were among the first under fire, they are now among the most secure. Since they are no longer easy targets, cyber thieves will move on to the low-hanging fruit and this is where the risk lies.

Insurers retain large amounts of personal and financial data, property information, and more. Regulators are no longer satisfied with vague responses to security concerns. They are pushing for transformation, but it’s been a slow start. Insurers are now actively creating cyber insurance policies for their clients, but to walk the walk they need to start getting their own ducks in a row.

Primary cyber-risks to insurance companies today include:

Infrastructure vulnerabilities and unpatched or last-generation security software provide easy fodder for hackers who can potentially do a great deal of damage through theft and other malicious activity. If the company has not yet begun its digital transformation, they may inadvertently be leaving themselves open to attack.

The solution: Speak to an IT consultant about migrating some or all of your systems to the cloud. It may be necessary to upgrade workstations and servers, but the result will be increased operational efficiency and next-generation security.

Identity theft can occur as a result of client account breaches. Files that are stored on local servers may not be adequately protected.

The solution: cloud storage provides a range of industry-compliant secure storage solutions that allow for the use of credentials to access sensitive data. Client portals may be implemented as well, supporting improved operational efficiency while ensuring client data is secure. Multi-factor authentication can also be implemented, giving clients peace of mind and providing greater in-house security.

Automated threats such as denial of service (DoS), credential cracking, and vulnerability scanning have the potential to shut down all systems, virtually overnight.

The solution: the implementation of the appropriate security protocols, software, and appliances will effectively shield systems and data from automated threats. Combatting the threat goes beyond technology solutions, prompting firms to educate their employees and partners on how to recognize malicious or suspicious activity.

Systemic infection from malicious code could bring a company to its knees very quickly. Ransomware can exist on your system for a good deal of time before it completely takes hold, so often nobody will notice anything different until it is too late. Ransomware demands may be small or monumental, but even if you do pay, there is no guarantee your systems will be fully restored to their pre-attack state or that files will not be damaged in the process.

The solution: cloud storage and backup solutions offer a range of cyber security features that can prevent malicious code from invading your systems. In addition, the establishment of a disaster recovery plan (DRP) is crucial, ensuring that you can restore your systems and experience a minimal interruption of service.

Lawsuits from clients may ensue if the company experiences a breach that leaves client data vulnerable. You have a legal responsibility to protect all information that is collected and stored for the purposes of doing business. In some cases, you may be governed by HIPAA regulation, or by the GDPR if you do business with EU citizens, and it is your responsibility to comply.

The solution: To avoid a potential business and financial disaster, it is always in your best interests to ensure all client data is protected, not just behind a firewall, but with a detailed security policy that is enforced by all employees, partners, and stakeholders.

The time is now for cyber security transformation

Loss of business continuity and loss of reputation may be the least of your worries if sensitive client data is leveraged for nefarious purposes. To those insurance companies who have not yet begun their digital transformation – take this as a sign to begin today.

Outdated computers, servers, and software are not compliant with today’s cyber security needs. While you may have been unaffected up to now, you may soon become the low-hanging fruit cyber-criminals are in search of.

If you are an insurance company in Arkansas and have any questions about how modern cyber security solutions can strengthen your business, reach out to Business World today, or call us toll-free at 501-214-5482 to schedule a no-obligation consultation.

References:

https://www.informit.com/articles/article.aspx?p=426764

http://www.ciscopress.com/articles/article.asp?p=1998559

https://www.niit-tech.com/blog/cyber-attacks-insurance-industry-threat-continues

https://businessworld-usa.com/cyber-security-risks-facing-insurance-companies-2017/

https://docs.oracle.com/cd/B10501_01/network.920/a96582/overview.htm

https://www.ft.com/content/86aab6c6-21d9-11e6-9d4d-c11776a5124d

https://www.sophos.com/en-us/medialibrary/PDFs/other/sophosprotectingPII.pdf
