[Skip to content]

Sign up for our daily newsletter
The Actuary The magazine of the Institute & Faculty of Actuaries
.

How secure is your security?

IF THERE’S AN INTERNET STORY the media likes more
than a spectacular launch (or crash), it’s an equally
spectacular breach of security through hacking or
a virulent new virus. Hacking, denial of service,
and the lack of protection of personal information,
particularly credit card details, over the net seem to
receive almost daily coverage in the press. Whether
these breaches of security are quite as widespread as
some would have us believe is, to some extent, irrelevant.
What matters is that the acres of newsprint
devoted to the subject fuel fear and doubt in businesses
and customers alike.
A climate of fear?
These fears are confirmed by KPMG’s recently published
Information Security Survey. Nearly 200 companies,
a quarter of which operated in the financial
services industry, were asked for their views on security
issues. Over three-quarters of the respondents said
that security was the main obstacle to use of the Internet
for transactions. They had all the usual concerns
about confidentiality, fraud, and viruses.
Despite these doubts, only a minority of companies
take sufficient steps to tackle the security issue. In fact,
the survey showed that the majority of organisations
do not meet the most basic requirements of BS7799,
the British Standard code of practice for information
security management. This means that they are failing
to address even the more traditional forms of risk,
never mind those associated with e-commerce.
The real picture
There are few statistics available on the frequency of
Internet security breaches, although it is probably safe
to say that only a malicious minority deliberately use
the Web for fraudulent purposes. After all, if you really
wanted to obtain a policyholder’s credit card details, it
would be far easier to get a job as a part-time waiter
and physically collect the Diners’ Card slips than to
try to intercept payments traffic.
The odds should be in the insurance sector’s favour.
But, while many sites with limited security may not
have been abused, the risks are real, and the likelihood
of a security breach is growing. The financial
consequences of a breach can be significant, not only
in terms of the loss itself, but also because of the costs
of recovery and preventing further failures. So letting
your site go unprotected is no more sensible than
leaving your house keys in the lock of your front door.
Priorities
Over half of the businesses surveyed regarded the
security aspect of e-commerce as one of the most
important issues they faced but were struggling to
do much about it. For example, the security of Internet
sites is rarely tested and procedures for reporting
violations of security are weak. Nearly a third of companies
do not have the most basic of all controls: a
firewall which protects their internal systems from
attack via the Internet.
Why do businesses leave themselves open to danger
in this way? There are many reasons: the risks might
not be understood, the board might not be involved
in this area (ie no budget), or the company might
have just decided to take a gamble.
The way ahead
Insurance companies are like every other business
seriously considering how best to be involved or leverage
their entry in e-business. Hence, they need to
understand and manage the inherent risks and decide
how they can best be minimised. That means asking
themselves some tough questions and, in most cases,
carefully reviewing their policies, procedures, and
infrastructures. They also need to be sure that the
third parties they are dealing with have equally rigorous
security standards they need to ensure that the
whole chain is not destroyed by the weakest link.
Fortunately, there are a number of solutions to the
new risks that the Internet presents. For instance, public
key infrastructures (PKIs) can be used to help secure
privacy, data integrity, authentication, and non-repudiation.
PKIs offer high levels of security and have the
potential to open up new market opportunities previously
unfeasible because of the costs involved.
Many of the risks associated with this new technology
are not new they are old risks in new guises.
Networks have always been vulnerable to attack, but
now there are more people with the necessary knowledge
and ability, and the ‘prize’ for success is greater.
The key to use of the Internet is ensuring that risks are
matched by an appropriate level of control. It is
unlikely that we will ever be able to completely
eliminate the risks associated with the Internet, but
new solutions are being found all the time.
Layered security the new paradigm
PKI is just one element of the new ‘layered security’
paradigm. Layered security uses controls which are
not fully effective in their own right, but which overlap
in their objectives with other controls. Each control
might be only 50% effective, but three or four
controls working together at 50% each can be more
efficient and cost effective than one control which is
80% effective.
Where layered security is
seen in organisations, we see
an increase in the number of
security breaches. This
would seem to indicate that
layered security is less effective,
but when you look carefully,
you find that these
organisations are not more
exposed to breaches, it is just
that they detect more of
them. Of course, once a
breach has been detected,
incident management can
then kick in to ensure that
any damage is limited.
The real answer
New tools and techniques,
however, are only part of the
answer. The best solution
long-term is for security to
be acknowledged as a business
issue at board level, and
not sidelined on the grounds
that it is essentially a technical
matter to be handled by technicians. To profit
from the Internet’s real potential, the insurance industry
needs to see security as a value proposition as an
enabler and a facilitator, rather than an inhibitor of
business.
Operational success demands a strong risk-management
and control-conscious culture. In many organisations
employees do not understand the impact of
the risks associated with their decisions. Consequently,
even simple controls such as enhancing the
security of a web domain are often overlooked. Such
oversights can lead to website hijackings, which
expose the organisation to the risk of reputation damage
or loss of intellectual property. The impact of
e-business is such that a single such failure can dry up
an organisation’s revenue stream and drive off customers
whereas in the not-too-distant past, technology
failings tended to affect only single locations
or back-end processes.
A company which takes care to establish the principles
for security and to embed them across its entire
organisation is one that will reap major rewards. The
reason is simple: it will be able to identify, evaluate,
and manage both new and existing risks and to do so
in a cost-effective manner. More importantly, it will
benefit from the trust and confidence which its systems
engender. This is a concept which is at the heart
of the insurance industry.
The insurance industry’s future will rely on smart use
of technology, of that there is no doubt. However, it
will be the companies pioneering genuinely secure use
of the Web that will really prosper in the longer term
and they may not be the traditional players.
Some of the security risks of doing business over the Web
Masquerading/spoofing which includes other websites ‘pretending’ to be a legitimate e-commerce
site, individuals masquerading as legitimate customers, and employees pretending to be customers.
Message interception, ie the theft of information such as credit card numbers, and/or the modification
or duplication of messages (known as ‘replay’ attack).
Message repudiation in which legitimate customers deny transactions or messages.
Accidental disclosure of customer information, leading to legal liability.
Communications error which leads to the loss or corruption of transactions.
System problems which encompass the inability to maintain or extend the service because of technology
constraints and/or the use of non-industry standard hardware and software.
Web server attack which brings a denial of service and/or a change in the web server’s content.
Malfeasant code which covers email viruses, ‘Trojan’ code inserted by hackers, and malicious or
fraudulent code keyed in by internal/external programmers.
Key security questions every company
should ask itself
Do we have a framework for security that covers the
policy, procedures, guidelines, and internal communications
needed to make sure that everyone is aware of their
responsibilities?
Are we confident enough in our systems and customers
to know who has generated each e-commerce transaction,
and could we prove it in a court of law?
Do we have a software/hardware infrastructure capable
of providing a first line of defence, and sufficiently strong
cryptography to maintain security over a public network?
Have we made sure that the most likely routes of attack
are closed off by testing that our security works in
practice?
Does everyone know what action to take in the event of
an attack?
Will third parties meet the quality, reliability, and security
standards we have set for ourselves?
Are we meeting the requirements of BS7799, the code of
practice for information security management?

01_06_02.pdf