Worst Day Ever
“The things we think about are
protecting our customers,” says Curley.
“That’s what we’re in business for: to
protect them from an insurance standpoint.
That doesn’t stop when it comes to
Insurers know there can be a grave financial
impact if they fall victim to an attack.
“If you have a major breach you have
credit reporting, call centers, legal fees, and
possible government fines to deal with,”
he says. “There is tremendous cost when it
comes to forensics and down-time, not to
mention the opportunities you lose.”
The Biggest Threats
Attacks can come from anywhere, and
attackers are more sophisticated and organized in ways that allow them to better
tap targets. Today’s hackers operate more
like a business, and less like a kid in his
basement, explains Curley.
The internet is essentially a flat landscape, meaning it doesn’t matter where
you are physically located or how big a
company you are. Probes and attacks are
sourced from all over and can move with
ease. Phishing scams and ransomware are
popular threats used by criminals today.
They are easy to deliver with a high probability of execution and impact.
“If you’re underprepared for these
types of attacks, you may find yourself in
an expensive and damaging situation,”
he says. “A company like Mountain West
may not get national headlines, but you
get regional and local headlines, which
can be just as damaging because those
span the marketplace where you operate.”
Turning for Help
There are different security tools available
to companies, but no silver bullet. Total
security is unachievable unless you shut
everything off and throw it in the bottom
of the ocean, points out Curley.
“We ask for help from vendors and
partners to fill gaps where we might not
have the expertise,” he says. “Applications
around security involve layering different
strategies and different spaces. You might
not invest primarily with one vendor anymore;
you might layer it across vendors so
if you have a technical vulnerability in one
it might not exist in another.”
Mountain West also turned for help to MVP
Advisory Group and MVP’s security
leader and partner, Laszlo Gonc.
“Laszlo has helped us with our
cybersecurity response plan and with the
table-top exercises,” says Curley. “In the
chaos of everyday life in IT, keeping the
lights on, and all the other things you do,
Laszlo has been an additional resource
who has done this before and can dedicate time to help us drive in the same
The incident response plans have
been a valuable part of Mountain West’s
security efforts. Using templates, Curley’s
team sat down with company stakeholders to look at security as a Mountain West
problem rather than just an IT-specific
function or problem.
“We looked at it holistically across the
enterprise and developed a risk register,
which helps guide us in planning and improvement
steps,” says Curley. “If you think
about where you can improve and put
them on the list, then you can start doing
risk management. We defined our crown
jewels: What are they? Where are they?
How can people get at them? The response
plan can start with a generic template and
then hone into your specific business. Then
we just practiced. As you go along you find
areas where you need to add parts because
they may have been left out.”
Just through their internal IT processes,
Curley and his team always look for
areas of improvement.
“Security is an iterative process.
Through this and our regular daily IT
functions, we continually try to do things
better, look at things in different ways,
and try to find vulnerabilities and weak
points,” he says.
Ease of Doing Business
The mantra for many insurance companies
today is “ease of doing business,” but
that also means it is easier for attackers to
penetrate a company’s security systems.
“Like any other technology, mobile
technology has a level of risk,” says Curley.
“It depends on how the system is designed,
built, monitored, and maintained
to determine how secure a mobile solution
is. With any solution it’s important to
always be thinking of the information.”
Some questions also have to be answered, such as:
• Where is my data going?
• What data is exposed?
• What are the worst-case scenarios?
With these basic questions in mind,
it’s important to explore all of them in
detail to ensure that you are building
solid foundations and tools, according to
“If your mobile solution gives exposure to key backend systems or sensitive
information, then it could be higher on
the list in terms of risk. The risk needs to
be calculated by considering the users,
design, device, data center, and the path
in between. Mobile devices are becoming
a popular attack surface for malicious
applications, so if you’re writing a mobile
app you need to keep this in mind, as it
will continue to be a larger area of focus.”
Won’t Go Away
Cybersecurity will continue to accelerate
for businesses moving forward. In the
past 10 years, it has become more prevalent.
“I think that adequate defense is one
of those things you are never going to
achieve totally, but having solid defenses is achievable,” says Curley. “It’s only
done with everyone working together
as a team. From an IT standpoint, you
can secure everything to the nth degree,
but every user has to be cognizant of
the information they are dealing with
and how they can best protect it. It’s
a team effort. Training and education
are absolutely crucial parts of security.
Folks might get tired of hearing it, but
it is one of those things that you have to