The insurance industry is many things, chief among them a dynamic center of technology. Actuarial experts, security analysts and consultants, and developers work within a vast network of personal data, the protection of which requires the attention of our most gifted computer scientists.
At the forefront of the discussion on safeguarding confidential information is heightened awareness about the threat presented by smartphones and tablets. This is a legitimate concern in an increasingly bring-your-own-device (BYOD) workplace.
Unfortunately, many security professionals continue to apply, or attempt to apply, traditional computing solutions to this new mobile reality -- and it's just not working.
One big reason is that traditional network computing security features like firewalls and anti-virus protection do nothing to address the risks posed by unsecured mobile applications, or so-called "leaky apps." This seemingly harmless collection of icons, the individual squares we tap and access every day, can act as a gateway for attackers seeking to find and exploit weaknesses.
Once inside an insurance agent's smartphone or an executive's tablet, a cyberthief can steal volumes of sensitive material, including banking and financial details, medical records, insurance policy numbers, and other highly personal content.
The average smartphone user would have a very difficult time identifying a leaky app on his device. In most cases, the apps perform as advertised. There is no watchdog group to evaluate app security and inform users of potential vulnerabilities. Most users have no idea how their apps store sensitive information, whether they encrypt data in transit, or how they perform certificate authentication.
But the attackers do, and a clever criminal can easily use a leaky app to open a treasure trove of valuable content. These apps are far from being the exception. In fact, leaky apps are closer to the norm.
Our own internal audit at viaForensics found that 60 percent of the 100 most popular apps, including those with dual appeal to individual consumers and executives, have a high-risk rating in one or more security categories. All of these apps were offered through Google Play and iTunes. None of them were apps the typical user would suspect of being unsafe.
This challenge demands a comprehensive and an immediate response. Because of their individual and collective longevity, in some cases dating back to the 19th century, insurance companies have the credibility to address this issue in an unprecedented fashion. They also risk destroying that credibility by acts of omission, by failing to arrest this problem before suffering the kinds of massive data breaches we have already seen in the retail sector.
Creating a thorough mobile security strategy -- one that addresses not just malware and targeted attacks but the greater danger posed by leaky apps -- represents an opportunity for insurers to enhance their legitimacy and sustain their deserved prestige.
Picture an actual certificate of insurance: a heavy stock document with an embossed seal, gold leaf, the blue ink of assorted signatories, the insurer's official logo and the five-point Times New Roman print with its "heretofore" caveats and "wherein" sentences. People have a literal investment in that paper, which they cannot afford to have attackers tear apart through data theft.
Addressing the scope of threat: a plan for action
Consider an independent study by Gartner, which predicts that the focus of endpoint breaches will shift to smartphones and tablets. Recognize, too, that the average cost of resolving a successful attack against any business is $8.3 million. Experts believe that this number will rise 10 percent by 2016.
Insurers should, therefore, take advantage of any and all proactive steps to address this problem. It begins with educating their workforce in a way that turns them from potential liabilities into a first line of defense.
If employees are using their mobile devices for work, make sure they are running the latest iOS or Android platforms. Similarly, they must be vigilant about keeping their apps updated, as many vendors use new releases to patch existing security holes.
The devices should be protected by strong passcodes. Users should be advised against jail-breaking their smartphones, as this can make the devices more vulnerable to attack. Agents and executives should also only use known, secure WiFi networks, and be wary of any apps that seem to drain their devices’ batteries in an especially fast manner.
If an insurer chooses to create its own app, there are a number of key security practices that the organization should implement. These include:
- Avoid storing sensitive information on the device; if you must do so, make sure it is not stored in clear text or stationed within an easy-to-find database.
- Use secure SSL/TSL protocols to secure data in transit.
- Conduct ample testing and retesting of an app before it goes live.
By launching strong BYOD security measures and building secure apps, the insurance industry can take control of a previously reactive situation. It can offer the public the best insurance policy against data breaches. That is an insurance policy worth striving to achieve.