Just how safe is your policyholder data?
As insurers continue to expand into new online territory, from agency portals and online policy applications to mobile phone apps, their appeal to cybercriminals only deepens.
The increased use of outsourcing for various aspects of the operation only adds to the risk of information getting into the wrong hands. Insurers’ rich policyholder data records, consisting of social security numbers, driving license numbers, employment records, health records and much more, are a hacker’s paradise.
While credit cards can quickly be cancelled, making their black-market prices very low, data that is tied to a customer for life is highly valuable. A healthcare record, for example, can net 10 times more than credit card numbers online. This kind of personally identifiable information can be used to conduct highly targeted spear phishing, allowing hackers to customize an attack based on what they know about the target.
When it comes to business, we know trust is key. Protecting the private information that policyholders have entrusted to you should always be a top business priority. If this trust is broken, there can be serious consequences. Merely hoping that sensitive data stays in the right hands is no longer a viable strategy in the current threat landscape. Whether you are assessing home, motor, or health risks for your customers, you now have a duty to reassess your own internal risk and whether you are doing everything you can to protect policyholder data, along with your hard-earned reputation.
Here are five best practices to avoid a costly data breach:
No. 5: Understand your data and where it flows.
In order to protect your data, you first need to understand its value, where and how it is being used, and by whom. Which employees or third parties have access to this data, for example? Once you have a complete 360-degree view of your data environment and usage, you can build a tailored defense.
No. 4: Go beyond the network and protect information wherever it travels.
A recent study from Enterprise Strategy Group (ESG) was undertaken in order to evaluate the challenges, best practices, and solution requirements for securing data that is shared externally. ESG spoke with 200 IT security professionals who hold purchase decision-making authority or influence for data security technology products and services.
Ninety-eight percent (98%) of respondents cited the loss of sensitive data as a top or significant concern, and also indicated it was very or somewhat likely that their organization has already lost data via a variety of ways in the last 12 months. Of note, participants cited data loss vectors such as files being inadvertently emailed to the wrong person (cited by 67% of respondents) and unauthorized access (66%) as top issues.
The increase in outsourcing and collaboration with external partners and subcontractors is extending the flow of information outside of the secure confines of corporate controlled perimeters. While this collaboration is necessary and encourages innovation, it opens up companies to unnecessary risk.
To reduce the risk of external collaboration, many companies are now taking a data-centric approach to security. In addition to data-loss prevention (DLP) solutions, organizations are now adding enterprise digital rights management (EDRM) solutions to their information security framework. EDRM enables the organization to ‘wrap’ a sensitive document with persistent, granular controls. Using EDRM, document owners can control who can access the document, what that recipient can do with the document (view, print, cut/paste, screen share, etc.), from which location or device, and for how long.
No. 3: Automate reporting on information usage inside and outside of your network.
By adding data-centric security to your infrastructure, you will not only reduce the risk of policyholder information getting into the wrong hands, you will also receive real-time information on who is accessing your information, from where, and what they are doing with it. Consolidated information usage details, both for information within and outside of your network, will give you the insights you need to respond to compliance and audit reporting.
No. 2: Scrutinize vendors’ and third parties’ security infrastructure.
While using data-centric security will keep you in control of your information, even when it is being used by a third party, you will want to ensure that your partners fully understand and comply with your exact security requirements and processes. It’s important they hold the same high standards as your own organization.
No. 1: Stay up to date.
Businesses change; collaboration methods change; data usage changes; third parties and vendors change; and, most importantly, cybercriminal tactics change. You therefore need to do regular risk assessments to ensure all areas of data security remain covered. While adding data-centric security to your infrastructure will increase your visibility into vulnerabilities and reduce your risks considerably, a one-off initial security audit is not enough. Keep on top of security software updates too and ensure there are no weak spots available to hackers: you simply can’t afford to operate a business with an unpatched system.
Keeping your business afloat in the age of the mega breach
Robust planning, ongoing risk assessments and data-centric solutions such as EDRM are what will enable insurers to further embrace the use of mobile devices, file sharing, and outsourcing with complete confidence. They will ensure that security remains effective wherever files travel and while they are being utilized, making it possible for both insurers and their partners to have peace of mind and agile collaboration. Because, ultimately, no organization is immune to the serious repercussions that come along with being breached, and in an industry as heavily targeted as insurance, maintaining a good security posture is absolutely essential.
Vishal Gupta is founder and CEO of the Sunnyvale, California-based data security company Seclore. To reach him via email: firstname.lastname@example.org.