When discerning the internal operations of a business, it is rarely discussed why IT would need to be involved in the day to day matters of alternative departments. Departments only need IT to run the systems the business depends on, right? Not in today’s technology ecosystem.
According to the CompTIA, 48% of IT is now being purchased outside of IT. We call this Shadow IT, information-technology systems and solutions purchased and implemented outside of the visibility of IT. For example, often times to help run their business more efficiently, an insurer will purchase Cloud Software from an HR Software Services Company. The problem here is there are no servers to be built, user accounts and passwords to set up, no IP address allocated. In this case, IT does not even have to be aware at all of what is happening within the company’s operations, more importantly, it’s critical data, leaving the doors wide open for the threat of a breach.
A great example of how this major concern is often overlooked is shared through one client’s story. A Fortune 100 client had approved a contract to outsource all of their HR functions without any diligence to their cloud vendor. They gave no thought to who has access and is working with the data, how this data is being transmitted, or where the data is located. They only cared that it was a ‘better’ way to do business.
Through our Enterprise Risk Management methodology, we had a well-established vendor risk management process in place. Because of that process, the new vendor came across the desk of the vendor risk management office that consisted of business unit leaders, HR, general counsel and of course, IT. The risks were brought to light immediately and it became evident of what the potential threats were for this data, the way it could be used, and the significant risks to the business. The committee decided to do some investigation on the vendor. As part of the initial due diligence, the vendor provided a hefty SOC II report that looked great on the surface. However, when digging into the content of this report, there were many elements of basic security missing that would be required by the ‘tier 1’ level criticality of the vendor process. Exposing many holes and missing components, we came up with several pages of controls that were unsatisfactory or not addressed at all in the SOC report. This was enough to deem it worth paying the vendor fee of $30,000 to have an audit completed. Subsequently, after finding three pages worth of security risks many of which would be classified as critical, the deal was paused until the vendor could remedy all of these problems.
When these decisions on systems and ANY data that may be going outside the organization are being made beyond IT, there must be some line of visibility. The only way to do that is to
first realize that security and the protection of your digital assets are not just an IT problem. In this case, it was the “process” of the vendor risk management program that prevented the inadvertent exposure and potential risk of the data.
Establishing such committees will reduce the attack surface, and get visibility into what’s happening within a business’ data. When working with any cloud vendor there are 3 basic areas of concern:
Data at rest – Where and how will your data be stored, consider co-locations, backup, and disk and/or database encryption
Data in use – who has access to the data, is there a vetting process. Are there technology controls to only allow for the requested use of the data
Data in motion – How is the information being transmitted, is there proper encryption, certificate and key management etc.
Do not be fooled by outsourcing; thinking that by transferring the functions outside the organization, the risk has also been transferred. Many insurers are outsourcing payment processes, or compliance, shifting the process from the payments to the vendor. The risk still rests with the insurer. It will be their name on the news and they will be required to incur the capital expense and labor burden of breach notification. The regular diligence of that vendor is still extremely necessary to ensure the security of the data.
There have been a number of breaches for cloud service providers that have affected insurance companies. In the previous article, Targeted Ransomware Hits MSP Hosting Insurance Data, we focused on the provider itself and what happened with the ransomware of the breach. This reviewed how ransomware has become much more sophisticated, efficient, and targeted. Criminal actors have combined several attack routes to collect a much higher rate of return per campaign. For example, a managed service provider (MSP) that hosts over 280 customers—several from the financial service sector including insurance providers—created a very target rich environment for these sophisticated attacks.
Internally we should be focused on what the insurers should be doing to enforce risk management for THEIR vendors. This will help prevent this issue from happening to them.