WHAT'S NEXT: STAYING AHEAD OF EMERGING CYBER RISKS
Q&A with XL's Chief Security Officer Thomas Dunbar

Companies of all sizes and industries rely on technology to conduct some portion of their business. Managing the risks of technologies that grow more accessible and affordable every day is therefore top-of-mind for IT managers tasked with supporting business operations through the effective use of technology. Insurance companies are no exception. Thomas Dunbar, XL’s Chief Security Officer (CSO), addresses some of the issues that fill his day and how XL works to manage its cyber risks.
WHAT KEEPS AN IT SECURITY OFFICER, LIKE YOU, UP AT NIGHT?
There are so many things going on in the world right now. Recently, there has even been talk and testimony before Congress about an electronic Pearl Harbor, an event in which some critical infrastructure could be disrupted to the point that businesses, and subsequently society, lose their ability to function normally. This is a more extreme, but no less valid concern.
Most often, however, I am always looking ahead, wondering where the next cyber attack is going to come from and if we have adequately prepared for it. The majority of us CSOs are concerned every day about Zero Day Attacks. In these attacks, someone is able to spread malware or a virus so quickly, before an antidote has been developed. The window to respond to events is getting smaller and smaller. They can spread so quickly.
Another major concern is data loss. Over 90 percent of data is electronic. USB devices can hold a lot of data. While they are small and quite affordable, frankly rather cheap, the value of the data stored on them is often overlooked. Data in the wrong hands can be a big problem.
WHAT CHANGES IN CYBER SECURITY THREATS HAVE YOU SEEN IN THE LAST FEW YEARS?
There has been a move away from individual hacking, attacking, and viruses just for the pure glory of it or to stir up a little mayhem. Today, cyber crime is much more organized. It’s about making money.
For instance, through phishing, someone fraudulently attempts to acquire sensitive information, such as passwords, user names and credit card information, by masquerading as a trustworthy entity, like a financial institution, in an electronic communication. The information they acquire is then sold off to other groups who use the information.
Pursuing cyber criminals is tricky. As there are no physical borders on the Internet, cyber crimes are very often international crimes. But as privacy laws and legal systems differ in each jurisdiction, this presents tremendous difficulty in investigating and prosecuting these crimes.
DOES THE GROWTH OF SOCIAL NETWORKING AND ITS USE BY MANY COMPANIES POSE ADDITIONAL LIABILITY CONCERNS? HOW CAN IT BE MANAGED?
Not too long ago, some people may have stuck to their belief that social networking was just a fad. That belief is hard to stand by any longer. Social networking is proving to be a fundamental shift in the way we communicate. Social networking has definitely gone mainstream and now more and more businesses are devoting resources to assure that they are part of the conversation on social networks.
We look at things from a People, Process and Technology point of view. Unfortunately, the weakest link in any security issue is the people. As the saying goes, we are only human. As humans, we are inherently curious. That is exactly what phishers rely upon, our curiosity, to exploit or dupe us. Once they reel people in out of curiosity, they can pass on their malware and harness information or computer power all over the world.
Social networking is now the primary means of spreading malware. To manage these risks, we have to educate employees via policy and build their awareness of what’s happening online. Additionally, we can help manage this risk by installing strong Antivirus and AntiMalware programs on workstations to protect the environment.
HOW DOES A COMPANY LIKE XL MANAGE ITS CYBER EXPOSURES?
We employ a risk management driven approach. We evaluate the risks and then determine how to best mitigate the risk to a level that is acceptable to the company. We deploy technology on our networks such as Intrusion Detection and Intrusion Prevention Systems and AntiVirus/AntiMalware. We also have processes and technology in place to monitor and report issues and anomalies. Overall, we have a strong policy with industry-proven standards to address risk.
People play a key role in managing our cyber risks here at XL and will do so at any other company too. Educating employees about cyber risks is an important risk management tactic and an ongoing process. At XL, we start when employees join the company by providing policies and requirements around security and their responsibilities. Each employee gets a welcome email from me that reinforces the key messages and provides links to internal resources on important information risk topics. We also distribute periodic emails and awareness materials in the form of posters and videos on the intranet. We have a portal page with weekly tips and major stories in the news. Our latest communication details how we performed an internal test of employee passwords and their strength as a way of reminding employees of the importance of selecting a strong password.
INsight is an XL Insurance publication. Copyright 2010. All rights reserved.
"XL Insurance" is a registered trademark of XL Capital Ltd and the global brand used by its insurance company subsidiaries. Coverages are underwritten by Greenwich Insurance Company, Indian Harbor Insurance Company, XL Insurance America, Inc., XL Insurance Company of New York Inc., XL Select Insurance Company, XL Specialty Insurance Company, XL Insurance Switzerland, XL Insurance (Bermuda) Ltd, XL Insurance Argentina S.A., XL Insurance, Mexico S.A. de C.V., and XL Insurance Company Ltd. Coverage placed with Lloyd’s Syndicate 1209 are managed by XL London Market Ltd and supported by an XL corporate member at Lloyd’s. Lloyd’s ratings are independent of the XL Capital group. Coverages not available in all jurisdictions.