Most Companies Waste Millions Of Dollars On Poor Security Operations

While millions of dollars are spent each year to keep critical business data secure, “in most companies, that money is being wasted; there's no ROI [return on investment],” according to one consulting firm.

“Ten years ago, security was pretty good. We didn't have viruses like today and computers weren't connected much. But the world has changed,” said Chuck Porter, managing partner, technology infrastructure services, for New York-based Accenture.

“Today, most businesses and employees are connected to the Internet. Viruses are something you just have to be there to catch.”

Today's companies face many security challenges, both technical and organizational, Mr. Porter explained. “Some of the challenge is financial; companies are tired of investing in [security].”

“Execution [of security programs] is also a challenge,” he added. “How many of us would honestly say we are executing our security operations with much diligence? I would suspect very few.”

Most companies, said Mr. Porter, don't keep their firewall or antivirus software up to date with the latest versions, updates and patches.

According to Mr. Porter, increasing connectivity and collaboration among workers via the Internet will require increased security for the insurance industry. Under federal regulations, he added, “you can go to jail if you fail on the accuracy and integrity of your information. For CIOs, the stakes just got higher.”

“Security,” he continued, “is about preventing intruders from getting to your information assets.”

Today's technology enables customers and business partners to gain access to our systems in a way that makes it easier to do business, he noted. The problem, however, is that “increasingly, you have to grant access to people who are not your employees to do this,” said Mr. Porter. Thus, security becomes a balancing act between preventing something bad and enabling something good.

In 2000, Mr. Porter did an assessment of his own company's security programs and found them to be behind the curve. “The report card was not good,” he noted, with many areas of security receiving Cs, Ds and Fs. “If we didn't fix this, we were going to be on the front page of the Wall Street Journal with publicity we didn't want.

“Our security was good enough for 1997, but no good for 2000,” he said. “We had stood still while the rest of the world moved on.”

In response to the assessment, the company developed a security program that stressed:

Strong authentication measures.
Secure workstations.
Addressing weaknesses and preventing further weaknesses from being introduced.
Firewall monitoring and intrusion detection systems.
Security awareness.

In the area of authentication, the company decided that passwords and logon IDs were not enough in themselves, said Mr. Porter. They changed to a system that uses authentication tokens. These are keychain-size devices that allow authorized users to access the network. The token may be read like a credit card or it may display a number that is used as a password.
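The article does not say which kind of token Accenture deployed. The following is an added example, not code from the article or from Accenture, showing how the "displays a number that is used as a password" style of token works when it follows the event-based HOTP scheme of RFC 4226: the number is an HMAC of a shared secret and a moving counter, truncated to six digits, and the server accepts it only if it lies in a small window ahead of the last counter it has already honoured, so a captured code cannot be replayed. The class and function names are this example's own; the shared secret is the RFC 4226 test-vector key, used here so the expected codes are checkable.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte big-endian counter, then the
    dynamic-truncation step that picks 31 bits and reduces them to `digits`
    decimal digits. This is the number the token shows on its display."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # low nibble of last byte
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TokenVerifier:
    """Server-side state for one token (example name, not a real product).

    `last_counter` is the highest counter value ever accepted. Only codes for
    counters strictly above it, within `look_ahead` steps, are valid: a code
    that was already used, or one an attacker captured and presents later, is
    rejected even though it is a genuine HOTP output for this secret."""

    def __init__(self, secret: bytes, look_ahead: int = 10, digits: int = 6):
        self.secret = secret
        self.look_ahead = look_ahead
        self.digits = digits
        self.last_counter = -1

    def verify(self, code: str) -> bool:
        start = self.last_counter + 1
        for candidate in range(start, start + self.look_ahead):
            expected = hotp(self.secret, candidate, self.digits)
            # constant-time comparison so the check itself leaks nothing
            if hmac.compare_digest(expected, code):
                self.last_counter = candidate       # resynchronise to this press
                return True
        return False


if __name__ == "__main__":
    # RFC 4226 Appendix D test key, used here only so results are checkable.
    key = b"12345678901234567890"
    verifier = TokenVerifier(key)
    first = hotp(key, 0)
    print("token shows", first, "-> accepted:", verifier.verify(first))
    print("same code again (replay) -> accepted:", verifier.verify(first))
    # User pressed the button once without logging in (counter 1 skipped),
    # then presents the code for counter 2; the look-ahead window absorbs it.
    print("counter 2 after skipping 1 -> accepted:", verifier.verify(hotp(key, 2)))
```

The look-ahead window is the usual compromise between usability (a button pressed without logging in must not lock the user out) and the brute-force surface: each extra counter in the window is one more six-digit value an attacker may guess, so deployments keep it small and add rate limiting on failed attempts.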

Overall, said Mr. Porter, the security program has significantly reduced the company's risk in many areas. “Anecdotal evidence is that our risk is much lower,” he stated. For example, he reported, the company's security systems were able to stop both the Code Red and SQL Slammer worm attacks “within 30 seconds, and it didn't affect us or our ability to serve clients.”

For companies who seek to improve data security, Mr. Porter recommended using risk management techniques “in an intelligent way.

“Figure out what is important to you,” he said. “Investment in security is a business decision; it should have a rationale and an ROI.”

Mr. Porter also stressed the importance of keeping up with the industry's regulatory issues when it comes to security. “Be as good as or better than the industry so you can demonstrate that you're using reasonable measures,” he advised. “Holistic is the way to go with security. You need a comprehensive approach.”

Forensics, or the ability (after a security breach) to figure out what happened in order to prevent a recurrence, is also an important part of a security program, he noted. Forensic technology can help a company follow e-mail trails or spot violations of intellectual property.

Using such technology, Mr. Porter said his company can recover the information from a disk that has been formatted (wiped clean of data) up to seven times. “The CIA can go back 12 levels,” he added.

Mr. Porter said his firm also tests its security periodically by hiring outside companies to attempt to penetrate its systems “physically and electronically.”


Reproduced from National Underwriter Property & Casualty/Risk & Benefits Management Edition, June 2, 2003. Copyright 2003 by The National Underwriter Company in the serial publication. All rights reserved. Copyright in this article as an independent work may be held by the author.

