When making informed business decisions, no two organizations leverage data the same way, but all of them must protect it. With the number of breaches increasing worldwide, the importance of cybersecurity is at an all-time high. As an organization that gathers user data, we should be asking ourselves three critical questions about security, regardless of the type of data we are collecting.
- How do we think about Privacy and Data Protection in our industry or organization?
- What solutions do we have in place to keep our data and users protected?
- What would we do if we were to fall victim to cybercrime?
Now that we have identified three critical questions for cybersecurity let’s look at a few ways we at Inspirien work to protect our company, members, and partners from cyber threats.
Privacy & Data Protection
Due to the sensitive nature of the data we collect, we are subject to strict regulations regarding data protection, often stricter than those facing other businesses. For example, in the US, a lot of insurance data falls under the scope of the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), or the Sarbanes-Oxley Act (SOX). Each of these laws and regulations carries sizeable fines for noncompliance. With the importance of compliance in mind, it is easier to see how a data breach can damage both an insurance company’s reputation and its bottom line.
Regulatory requirements aside, insurance is one of the most targeted industries for cybercriminals. The primary reason is the amount of sensitive data we collect, which also opens the door to insurance fraud. Moreover, these cyberattacks don’t always exploit system vulnerabilities; they often target employees through phishing and social engineering. Humans make mistakes, which is why organizations must consider both internal and external threats when developing their policies for data protection and governance.
Solutions for Protection
When discussing protective measures within an organization, two terms come to mind: “Layered Security” and “Defense-in-Depth” (DiD). Unfortunately, many people incorrectly treat these two approaches as the same thing, when they are different concepts with a few overlapping similarities. Layered Security is an excellent approach for protecting IT systems and resources, while a DiD approach broadens the scope beyond technical controls to include people, processes, and flexible policies that adapt to new conditions.
A typical Layered Security plan includes:
- Antivirus application
- Anti-Spam Applications
- Parental or Content Controls
- Privacy Controls
Unfortunately, many get the wrong idea about Layered Security and assume it means multiple instances of the same essential security tool, but that is redundancy, not layering. Instead, Layered Security is a set of different security tools layered on top of each other, each protecting a separate attack vector. The idea is to cover each vulnerable component and combine those controls into a single strategy that secures the entire system against threats.
Now that we know more about Layered Security, let’s touch on Defense-in-Depth. While Layered Security focuses mainly on the origins of a threat, Defense-in-Depth takes a broader view. DiD stems from the mindset that you can’t possibly achieve complete and total security coverage against threats by implementing tools alone. So instead, the technological components of Layered Security are treated as “speed bumps” that slow the progress of a threat until it either ceases to be a threat or additional non-technological resources can come into play. Think of physical theft followed by unauthorized forensic data recovery, dangers that don’t specifically target protected systems, and even exotic threats you may never have heard of, like van Eck phreaking.
A typical example of Defense-in-Depth would include:
- Monitoring, alerting, and emergency response
- Authorized Personnel Activity Accounting
- Disaster Recovery
- Criminal Activity Reporting
- Forensic Analysis
Before a cyber incident affects your business, you must have both response and recovery plans in place. In addition, it’s beneficial to identify best practices for your industry and ensure that you are in full compliance with laws and regulations applicable to your business.
In response to a cyber threat, your organization must be prepared to respond quickly and communicate between designated points of contact. At Inspirien, we have a Cybersecurity Incident Response Plan – or CSIRP – that outlines the process, procedures, and subject matter experts for responding to cyber threats, forensic analysis, and legal requests.
The National Institute of Standards and Technology (NIST) describes four phases of an incident response plan:
- Preparation
- Detection and Analysis
- Containment, Eradication, and Recovery
- Post-Incident Activity
For me, one of the most vital keys to continue growing your cyber plans is learning from past incidents and constantly improving the process, part of the Post-Incident Activity phase.
If you’re unsure how to answer any of the questions from earlier, you could be an attacker’s next target. Since most attacks are opportunistic, they don’t necessarily target a high-profile or high-value company, just the unprepared. That is why Inspirien has an outside partner that provides top-notch security professionals, equipped to handle any incident that should come our way. Now, don’t just put the right technical tools in place; protect yourselves and your data – your customers’ personal information – against breaches that can put your assets at risk with Cyber Insurance. Contact Inspirien today to learn more about our Cyber Insurance, which covers things like reputational harm, property damage, and post-breach crisis management help, especially for healthcare data.
To learn a little more about commonly used cybersecurity and related technology terminology, check out the NIST Glossary.
Article Contributed by Eric Travis, IT Business Analyst for Inspirien.