Worst Day Ever
It’s a day like any other day. People are working hard, making money for the company, and not worried about any impending disaster. Network security people know better, though. They realize this day could be the single worst day of their professional career if the company’s systems are breached and customer information is hacked.
So how do IT people handle this burden? Marcus Curley, director of IT at Mountain West Farm Bureau Insurance, knows he and his staff have to be prepared to respond to any emergency and realize beforehand what they need to do should an event take place.
“Any IT issue can be the single worst day of your career, but it’s really how you prepare yourself, your team, and your business teammates around you that matters for these types of security issues,” he says.
In preparation for such a dark day, Mountain West has developed educational programs, response plans, and initiated table-top exercises.
“No one likes to be thrown into the game without knowing any of the plays, what their role is, or who’s on the team,” says Curley. “Going through these scenarios helps prepare us by building ‘muscle memory’ from running through some of the more probable possibilities, and aiding us with the dynamic nature of these issues. Security is a moving and evolving target. You remain vigilant by surrounding yourself with solid people, teams, technology, and processes.”
Preaching the Gospel
Curley describes security as similar to a chain with multiple links. The chain is only as strong as its weakest link. Technology is one of the links in the chain, but there are more employee links than technology links, which is why regular education and discussion with employees is critical.
“Our company leaders have an acute awareness of the importance of information security here at Mountain West,” says Curley. “Communicating the latest threat trends, plans, and roadmaps for our security— and keeping them prepared for a security event—is extremely important. Since security is much more than an IT concern, you need to have involvement from your business leaders to bolster the security on the business side from processes, physical security, training, and enforcement. If you’re myopically looking only within IT as the source of security and defense, you’re only doing part of the job.”
Senior leadership at Mountain West understands the consequences and ramifications of being unprepared.
“The things we think about are protecting our customers,” says Curley. “That’s what we’re in business for: to protect them from an insurance standpoint. That doesn’t stop when it comes to protecting their personal information.”
Insurers knows there can be a grave financial impact if they fall victim to an attack.
“If you have a major breach you have credit reporting, call centers, legal fees, and possible government fines to deal with,” he says. “There is tremendous cost when it comes to forensics and down-time, not to mention the opportunities you lose.”
The Biggest Threats
Attacks can come from anywhere, and attackers are more sophisticated and organized in ways that allow them to better tap targets. Today’s hackers operate more like a business, and less like a kid in his basement, explains Curley.
The internet is essentially a flat landscape, meaning it doesn’t matter where you are physically located or how big a company you are. Probes and attacks are sourced from all over and can move with ease. Phishing scams and ransomware are popular threats used by criminals today. They are easy to deliver with a high probability of execution and impact.
“If you’re underprepared for these types of attacks, you may find yourself in an expensive and damaging situation,” he says. “A company like Mountain West may not get national headlines, but you get regional and local headlines, which can be just as damaging because those span the marketplace where you operate.”
Turning for Help
There are different security tools available to companies, but no silver bullet. Total security is unachievable unless you shut everything off and throw it in the bottom of the ocean, points out Curley.
“We ask for help from vendors and partners to fill gaps where we might not have the expertise,” he says. “Applications around security involve layering different strategies and different spaces. You might not invest primarily with one vendor anymore; you might layer it across vendors so if you have a technical vulnerability in one it might not exist in another.
Mountain West also turned to MVP Advisory Group for help and MVP’s security leader and partner, Laszlo Gonc.
“Laszlo has helped us with our cybersecurity response plan and with the table-top exercises,” says Curley. “In the chaos of everyday life in IT, keeping the lights on, and all the other things you do, Laszlo has been an additional resource who has done this before and can dedicate time to help us drive in the same direction.”
The incident response plans have been a valuable part of Mountain West’s security efforts. Using templates, Curley’s team sat down with company stakeholders to look at security as a Mountain West problem rather than just an IT-specific function or problem.
“We looked at it holistically across the enterprise and developed a risk register, which helps guide us in planning and improvement steps,” says Curley. “If you think about where you can improve and put them on the list, then you can start doing risk management. We defined our crown jewels: What are they? Where are they? How can people get at them? The response plan can start with a generic template and then hone into your specific business. Then we just practiced. As you go along you find areas where you need to add parts because they may have been left out.”
Just through their internal IT processes, Curley and his team always look for areas of improvement.
“Security is an iterative process. Through this and our regular daily IT functions, we continually try to do things better, look at things in different ways, and try to find vulnerabilities and weak points,” he says.
Ease of Doing Business
The mantra for many insurance companies today is “ease of doing business,” but that also means it is easier for attackers to penetrate a company’s security systems.
“Like any other technology, mobile technology has a level of risk,” says Curley. “It depends on how the system is designed, built, monitored, and maintained to determine how secure a mobile solution is. With any solution it’s important to always be thinking of the information.”
Some questions also have to be answered, such as:
Where is my data going?
What data is exposed?
What are the worst case scenarios?
With these basic questions in mind, it’s important to explore all of them in detail to ensure that you are building solid foundations and tools, according to Curley.
“If your mobile solution gives exposure to key backend systems or sensitive information, then it could be higher on the list in terms of risk. The risk needs to be calculated by considering the users, design, device, data center, and the path in between. Mobile devices are becoming a popular attack surface for malicious applications, so if you’re writing a mobile app you need to keep this in mind, as it will continue to be a larger area of focus.”
Won’t Go Away
Cybersecurity will continue to accelerate for businesses moving forward. In the past 10 years, it is more prevalent.
“I think that adequate defense is one of those things you are never going to achieve totally, but having solid defenses are achievable,” says Curley. “It’s only done with everyone working together as a team. From an IT standpoint, you can secure everything to the nth degree, but every user has to be cognizant of the information they are dealing with and how they can best protect it. It’s a team effort. Training and education are absolutely crucial parts of security. Folks might get tired of hearing it, but it is one of those things that you have to over-communicate.”