Sunday, November 24, 2019

Cybersecurity 2020

WorkCompCentral recently reported "Cloud Security a Growing Concern for Insurers." The upshot is that insurance companies, large and small, are increasingly using data storage that is centralized and therefore perhaps more accessible. This centralized and "off-site" storage of data, generally now in the hands of "a third party," is referred to as "cloud" storage. It is replacing the "on-premises" practices of the past.

Cybersecurity has been a critical concern for years. Information is a commodity that has inherent value. Companies collect data to enhance their business and functions. The unscrupulous seek to obtain that data and to apply it to their own ends, either using or selling it. That may be done by breaching a network from the outside, or perhaps by planting something on the inside (see Hardwired Hacking).

The transition of data from proprietary locations to "cloud-based systems" is fueling predictions "that cloud security will become a greater focus in the coming year." There has already been "an increase in spending on cybersecurity across the board," according to one expert who expects that spending "to accelerate."

There is a perception that cybersecurity has been a secondary function, an "afterthought" of network design and construction. Systems were designed from the standpoint of function, data management, and user functionality. The article asserts that the foundation is changing and that "instead, systems are being designed with security in mind from the start." And the potential threats can come from any direction: the hardware, software, and people that are engaged could all present risks, both purposeful and not.

Security, it seems, is taking on a primary role. It is intriguing that the transition would be limited to, or even primary to, cloud computing. It would seem more logical that such a shift to the primacy of data security would be a paradigm change for anyone designing a computer network, in-house or "off-site." It is probable that this is the actual focus, but the article's focus on the cloud flavors the perspective in that direction.

In either event, the insurance industry in general is focusing on security because it is dependent upon technology and computing. The article notes that systems, now including "cloud-based systems," are engaged in "underwriting, claims, billing, and data analytics." In these processes, insurance carriers come into possession of a vast array of private and proprietary information. 

There is therefore a critical need for carriers to protect that data from breaches. The news has been laced with examples of data breaches around the country. Business Insider recently reported that "hackers have become so sophisticated that nearly 4 billion records have been stolen from people in the last decade." That is "billion" with a "b." By any measure of severity, that has to be accepted as a serious volume of data being compromised. 

Key points of that article include:
"The past decade has seen an explosion in the number of people entrusting massive tech companies with their personal data. There has also been a rise in large-scale data breaches and hacks."
"Of the 15 largest data breaches in history, 10 took place in the past decade. The two largest data exposures of all time happened in 2019."
"Organizations that fell victim to the attacks include Facebook, Target, Equifax, Adobe, and more."
"Data violations have only become more frequent in the past decade, according to a recent study."

The trend is thus toward increasing threats to data security. The largest, and perhaps we might suspect most sophisticated, entities in business have been victimized. Though we note that these entities are victims, it is more accurate perhaps to say that the customers of those entities are victims. While the company data may be of value to the criminals breaching these systems, it seems likely that the customers' data is the real target.

Facebook advertises that (essentially) no matter what you are interested in, "there is a Facebook group for that." The Basset Hound group has been featured in their advertising. That got me wondering if there is a Facebook group for people whose identities and data have been hacked from Facebook. Some jokingly say that there is definitely a Facebook group for people whose private data has been sold by Facebook itself; the group is called "Facebook." Ouch, that one might hurt a little. The poignant point of that joke is that perhaps people are too trusting with their data to begin with?

The trend is for us to hear about data breaches when they are large-scale, affecting many people. When thousands or millions of people are potentially affected, the headlines will be vivid. But, what about the smaller businesses? Doctors, lawyers, insurance agents, and more store a vast array of information about their patients, clients, and customers. Might a hacker be interested in that data?

Or, might a hacker find interest in a small business because that business is interconnected with a customer or payer through an "in-house" or "cloud-based" network? If the doctor's office computer can interface for records or billing with some host (like an insurance company), might that connection be exploited for a hacker's gain? Is it unreasonable to suspect that while the network at a big insurance company might be protected by a team of cybersecurity experts, the small business that interacts with the insurance company might be protected by nothing beyond a generic anti-virus program? In other words, the small business might be the weak link in a security cordon.

There is the threat of exploiting data through hacking and the Internet. But, there is also the threat of simple theft. An industry insider related to me how a company was bankrupted when there was a physical break-in, and computer servers were physically removed. Those contained data, the same data one might expect to be hacked on the Internet. Perhaps this sort of theft is better because it is quickly known? Perhaps no sort of theft is any better than the rest. 

There are those who advocate, in the WorkCompCentral article, that the transition to a "cloud" includes a purchase of sophistication. They contend that those who use a cloud are putting their data "in the hands of technology specialists who can focus on security and maintenance issues." This, it seems, is an outsourcing of security for those who may not have sufficient expertise or sophistication to provide that protection internally. In this regard, there may be a distinction illustrated between the small and large enterprises in this proposed shift to the cloud.

WorkCompCentral also reminds us that technology is evolving, something that has likely challenged each of us at some stage of our careers. There are evolving technologies, tools, and the coming evolution of artificial intelligence among our concerns. While small entities may lack the financial or intellectual foundations to appreciate and leverage those changes independently, the implication is that cloud services will include that leverage in their products and pricing. 

For whatever reason(s), there is an apparent trend. The article notes that "cloud installations now represent more than half of insurance core systems." And in deployments, a recent report contended that "63% of insurers were looking to move more of their applications to the cloud in 2019." But, there is not much 2019 left. It will be interesting to see what the trend is in 2020.


Therefore, there are three issues. First is the decision regarding trusting your data to a third party, a "cloud." With that could come both benefits and burdens (if their sophistication fails, or if one of their users is lax, it could compromise your data). Second, more broadly, what are your options to protect your livelihood from hackers and other threats? Finally, what demands will your customers and business partners make upon you in regard to these or other security decisions?

WorkCompCentral noted that a recent blog post by AmTrust said "Workers' compensation insurers need to be prepared for possible data breaches." And if we accept that as true, then perhaps the same can be said of us all? The threat, it seems, is to us all: large, small, in between. Perhaps all of us need to focus more attention on our data, security, and protocols. Is it something we have even thought about recently? Shouldn't we?