Data confidentiality and Integrity critical for Insurance and Pensions
A resilient cybersecurity strategy must continually evolve in order to remain relevant to its environment.
Strategies for the Covid-19 pandemic environment must also align with prevailing threats and with the threats anticipated in the "current and next normal".
Yesteryear's strategies no longer defend many organizations against the new, evolved cyber-attack techniques.
John Chambers, a former Cisco CEO, once said: "There are two types of companies: those that have been hacked and those who don't know they have been hacked." Hence strategies that ensure detection of attacks already under way, not only their prevention, become pertinent.
Simply put, cybersecurity is the practice of defending computers, servers, mobile devices, electronic systems, networks and data from malicious attacks.
Cybersecurity is also framed by the CIA triad (Confidentiality, Integrity and Availability), a benchmark model used to evaluate the information security of an organization.
Classification of information and data by sensitivity is also critical in this regard, because the level of protection applied to each item should follow its classification.
In light of the pandemic, insurance companies and pension funds have had to re-strategize, prioritize remote working frameworks and include them in their budgets.
This has necessitated patching and upgrading existing virtual private network (VPN) and infrastructure designs, with an emphasis on security.
An analogy of someone boarding a flight can be used to illustrate the levels of cybersecurity an organization may require.
Imagine you are driving into the airport car park: you are stopped at the entrance boom, obtain your parking ticket and proceed. That is your first level of security. You park your car and proceed to the departure hall, where the relatives accompanying you are asked to stop at a certain point and only you are allowed to continue to the check-in counters. That is your second security checkpoint.
At the check-in counter you have to produce your passport and other identification for verification against the system and your online check-in.
The next point is the immigration and customs security check, before you proceed to the scanners. You and your luggage are scanned and, if all is in order, allowed to proceed. If you are a first class or business class passenger you go to the VIP lounge, while an economy class passenger goes to the general lounge.
Each checkpoint in the above analogy has a counterpart among the cybersecurity levels, with the security framework required at each point depending on an organization's requirements and policies.
Since the pandemic has accelerated remote working and virtual collaboration, the number of cybersecurity checkpoints has grown and now includes remote home-working frameworks. The levels and number of checkpoints will vary with the size and complexity of the environment and infrastructure to be secured.
Given below are some of the common checkpoints.
Data Confidentiality and Integrity
In insurance and pensions the confidentiality and integrity of data are of paramount importance. Client data on state of health and other personal details is highly confidential and needs protection.
This becomes even more critical when such data is processed for underwriting purposes from homes and other out-of-office locations.
Likewise, claims processing data is highly confidential, so the security of the networks and Wi-Fi at remote locations becomes imperative. As a basic requirement, virtual private networks (VPNs) for non-cloud-based systems have had to be upgraded to meet this need.
End Point Security
While remote access is a necessary imperative in the Covid-19 pandemic context, it can also be the weakest point of the process. Protecting the remote access path into the organization's network therefore becomes very critical.
The application system itself can also present risks even when the networks have been secured, hence securing the transactions taking place at this level is a critical requirement.
Encrypting sensitive information in transit, for example in e-mail, protects it from interception along the way. Phishing, where the attacker masquerades as a genuine entity or person, calls for separate controls: the tell-tale signs are usually a misspelt sender domain, a suspicious attachment, or a manufactured sense of urgency. Frameworks with Zero Trust policies, which maintain strict access controls and treat every inbound message as untrusted until verified, will ensure that such mail is dropped or diverted to junk mail.
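To make the mail checkpoint concrete, here is an added example (not code from the article or its author) that triages constructed inbound messages against the three signs listed above plus one transport check: a sender domain that is a near-miss of the company's own domain, a risky attachment type, urgency wording, and a final hop that was not delivered over TLS. The company domain, the message samples, the extension list and the thresholds are all assumptions made for illustration.

```python
"""Phishing triage over constructed sample messages (added illustration).

Assumptions for demonstration only: the corporate domain, the sample
messages, the risky-extension list and the scoring thresholds below are
not taken from any real deployment.
"""
import os
from dataclasses import dataclass, field

TRUSTED_DOMAINS = {"example-insurance.co.zw"}          # assumed corporate domain
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".docm", ".xlsm", ".iso", ".lnk"}
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours",
                   "account will be suspended", "act now")


@dataclass
class Message:
    sender: str
    subject: str
    body: str
    attachments: list = field(default_factory=list)
    transport_tls: bool = True   # did the delivering hop use STARTTLS/TLS?


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains (exarnple vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def sender_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def lookalike_domain(domain: str):
    """Return the trusted domain this one imitates, or None if exact or unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(domain, trusted) <= 2:   # assumed threshold
            return trusted
    return None


def triage(msg: Message) -> dict:
    """Return a verdict (drop / junk / flag / deliver) and the reasons behind it."""
    reasons = []
    domain = sender_domain(msg.sender)
    imitated = lookalike_domain(domain)
    if imitated:
        reasons.append(f"sender domain {domain} imitates {imitated}")
    for name in msg.attachments:
        ext = os.path.splitext(name)[1].lower()
        if ext in RISKY_EXTENSIONS:
            reasons.append(f"risky attachment type {ext} ({name})")
    text = f"{msg.subject} {msg.body}".lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        reasons.append("urgency language: " + ", ".join(hits))
    if not msg.transport_tls:
        reasons.append("delivered over an unencrypted hop")

    if imitated:                 # Zero Trust rule: an imitated domain is never delivered
        verdict = "drop"
    elif len(reasons) >= 2:
        verdict = "junk"
    elif len(reasons) == 1:
        verdict = "flag"         # deliver with a warning banner for the user
    else:
        verdict = "deliver"
    return {"verdict": verdict, "reasons": reasons}


# Constructed sample traffic: one genuine claim update, one phish, one borderline case.
SAMPLE_MESSAGES = [
    Message("claims@example-insurance.co.zw", "Claim 4471 status",
            "Please see the attached summary.", ["summary.pdf"]),
    Message("payments@exarnple-insurance.co.zw", "URGENT: verify your policy login",
            "Your account will be suspended within 24 hours unless you open the attached form.",
            ["form.docm"], transport_tls=False),
    Message("broker@partner-brokers.example", "Quarterly figures",
            "Figures attached, please review when you can.", ["figures.xlsm"]),
]


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        result = triage(m)
        print(m.sender, "->", result["verdict"], result["reasons"])
```

The distance threshold is deliberately crude and will produce false positives on legitimately similar partner domains; in practice the look-alike check sits behind sender-domain authentication (SPF, DKIM and DMARC) and an explicit allow list, and the heuristic only decides what happens to mail that authentication has not already rejected.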
Database and Infrastructure Security
Most of the information being accessed and processed sits in databases, and transactions are served from these platforms, so securing them is a must.
Most insurance companies and pension funds have implemented and are using cloud-based systems. Protecting the data there is also important, as vulnerabilities in IoT (Internet of Things) devices could present major challenges compared with on-premise environments. Applying the airport checkpoint analogy above, the cloud systems used for online collaboration, such as MS Teams, Zoom, Google Meet and others, also fall under this checkpoint.
The ubiquity of mobile devices, and the extent to which they have been enabled for key staff, agents, brokers, customers and other stakeholders to access business applications, also requires that this checkpoint be managed and that adequate security be implemented.
This level of access also includes physical access checks such as biometrics or physical entry checkpoints at the organization's premises. It also includes logical access to the systems through logins, password protection and other authentication levels. What if a spouse or child gains access to the system in the home environment: where is the checkpoint? The evolved Business Continuity Plans should give guidance on the procedures to follow.
Disaster Recovery in the Remote Environment
While all logical monitoring and management can be done remotely, either from the office or from the homes of the technical staff, there is an element of physical risk to items such as laptops, printers and other devices. The relevant, evolved recovery procedures should take care of this requirement.
Preparing for the NEXT NORMAL
Under the Next Normal, cybersecurity strategies should accommodate the new security landscape. Monitoring customers' digital needs will be imperative in order to craft an appropriate cybersecurity strategy for granting them access to the systems.
Permanent remote working is envisaged for a certain group of employees, while others, specifically lean front office teams, will be expected to return to the office. Limits on clients visiting offices will be maintained, which means that online and collaborative communication will be enhanced, requiring a cybersecurity strategic focus supported by relevant budgets.
Joice Benza is the Managing Consultant and CEO of X-Pert Solutions. She is a Business Continuity Planning and Cybersecurity Expert and a seasoned Project Manager with over 30 years’ experience in the Pensions and Insurance Industry acquired locally and abroad. She is also the vice president of Computer Society of Zimbabwe Council.
She can be contacted on: +263 242 2006210. Mobile: +263 772 239 842