Risk managers may have their head in the clouds with concern over the liabilities of cloud computing. However, an uptick in companies moving to cloud data hasn't correlated to a cybercrime storm, says Bryan Sartin, director of Verizon Enterprise Solutions' Research, Investigations, Solutions, Knowledge (RISK) Team.

“By and large, major cloud providers have figured out their own native security architecture, so hackers can't use the same recipe of attacks on different providers,” says Sartin. It is the risk manager's company that should be concerned about its safety culture, especially those in the financial and insurance industries, which Sartin says are “classic” victims of cyber attacks.

The data pro warns that cyber security must be a top-down effort, from cooperative managers to well-trained, vigilant employees. Cloud computing cannot be confined to a box, says Sartin—and when data activities are packed up and shipped to a third-party manager, the company must continue treating it like a risk under its own roof.

Heed the example of one client of Verizon Enterprise Solutions' RISK services, an insurance company: the insurer received an alert from its security team stating that its data had been streamed to a remote area in China.

“The team was sure it was an effort by the Chinese government, and had narrowed the suspect to a certain arm of the government down to its location and address,” says Sartin. Once deployed to the company “crime scene,” the RISK squad realized the missing data was coming from the computer of an employee who was well-known in the office for his incredibly fast project turnaround.

“We asked the guy if we could see his data security token, which he said he'd lost,” Sartin continues. “It turned out that he mailed the token to a business he found in China that did his work for a fraction of his salary—he was outsourcing his job.”

The man's employers were so focused on external threats that they did not investigate a potential insider situation. In other situations, companies don't manage third-party data risk enough; such was the case of a premium-brand-name retailer that unknowingly outsourced its data management to a one-man “company” working out of a wired-up trailer park home.

“Smaller cloud providers, especially the ones in a trailer park in Idaho, remain vulnerable,” says Sartin. “In the cloud, all companies must ask themselves the same two basic questions:”

The first thing risk managers need to know is where their data is located. It could be commingled with other companies' data in Dallas or in Singapore, or it could be on a private, isolated server surrounded by security controls—it pays to ask the data provider. In fact, it is the data owner's right under PCI Security Council Standards.

Sartin's second point is the importance of reading the data provider's contract.

“Breach victims often think the company managing their monthly data productivity is also managing security, but when it comes time to investigate a data breach, the detectives can't get access to system logs because the vendor isn't allowed to do it,” says Sartin. “Ultimately, the data vendor is not responsible for security.”
