tion that we find companies putting on laptops and other devices with hardly any controls or encryption is amazing.”

Recently, Horizon Blue Cross Blue Shield of New Jersey notified its customers that, during the first weekend of November, laptops were stolen from the company’s Newark headquarters. Those devices may have contained the personal medical information of nearly 840,000 customers. In its notification to customers, Horizon reported that the laptops were password-protected and cable-locked to employee workstations—but the devices were unencrypted. (Horizon did not respond to requests to comment for this story.)
A company’s cyber risk management process needs to include not only consistent use of technological controls, but also what to do when—not if—there is a breach.

“Even if you suffer a loss, it doesn’t mean you weren’t doing the right things,” says Greisiger. “We see companies with very good security measures and millions of dollars in security budgets get hit. Every company needs a public relations strategy.”

“Getting in front of [a breach] and keeping people informed is a better response than trying to keep it under wraps. Public relations should be a key part of a proactive risk management plan,” says Money.
A company’s risk management process also needs to consider the variable that is most difficult to control: people. “The perimeter is no longer the firewall. The perimeter is the person,” says Tow.

“People are under attack who are not IT and security professionals. They are everyday users,” Money says. “Companies struggle with how to make them aware of security without swamping
Nationwide’s security program includes what the company calls “Associate as Firewall.”

“Associates’ behavior in their capacity both as employees and private individuals presents certain risks,” Herath says. “If we can train them on how to behave safely, both at work and at play on the Internet, that helps us reduce some of the most obvious risks.”
In addition to network controls, encryption, and other corporate-level safeguards, Nationwide has made a commitment to providing cyber security technology to the end user. The company, which uses McAfee software on all end points on its network, provides the software to its employees to install on their own personal devices.

Nationwide also includes online data protection tools for its customers in its identity theft coverage product. The tools, provided through Europ Assistance USA, include DataScrambler to prevent keystroke logging and Phish-Block to warn users against phishing sites and attacks.
“We are trying to encourage better behavior,” Herath says. “The theory is that if we give people the tools to protect themselves, they will be more secure in their own space. The vast majority of individual account takeovers are a result of people getting phished or downloading spyware that steals their passwords and IDs.”
XL Group has created a culture of cyber security. “You have to work on behavioral changes. You have to give [employees] not just the tools, but also the training to remind them that we are only as strong as they are,” says Dunbar.

Training is just one part of a comprehensive program. “Most organizations have security training they do on an annual basis, but just providing training isn’t effective,” says Raghavan. “In order to push a change in user behavior, you need to establish an awareness campaign. We are starting to see organizations have those campaigns—newsletters, intranet sites, lunch and learns—rather than just
In addition to providing quarterly training to employees, XL issues frequent security bulletins, sends email blasts on security topics, puts up security-focused posters throughout its offices, and has an internal blog on security topics. The company also performs ongoing evaluation of its security controls, including internal phishing, password strength testing, and presents the findings to colleagues.
The results are often eye opening. “We show employees what a phishing email looks like and superimpose all the clues that should have tipped them off,” he says. “We show them that if it sounds too good, it probably is. We teach them to take the extra two seconds to mouse over links to see the true source before
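The "mouse over the link" habit described above compares the address a link displays with the address it actually opens. The same check can be automated at the mail gateway or in a security awareness tool. The following is an added example written for this article, not code from XL Group or from any product the article names; the e-mail body and the hostnames in it are constructed for illustration (the lookalike host uses the reserved `.invalid` domain), and the `registrable_part` helper is a deliberate simplification of public-suffix handling.

```python
"""Flag links in an HTML e-mail whose visible text names one host while the
real href points somewhere else: the mismatch a user sees when hovering.
Added example for illustration; not code from the article or from XL Group."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample e-mail body. Hosts are hypothetical; ".invalid" is a
# reserved TLD, so nothing here resolves.
SAMPLE_EMAIL = """
<p>Your account has been selected for a bonus.</p>
<p>Log in at <a href="http://login.example-bank.com.verify-now.invalid/">
https://www.example-bank.com/login</a> within 24 hours.</p>
<p>Questions? See <a href="https://www.example-bank.com/help">our help page</a>.</p>
<p>Or visit <a href="https://support.example-bank.com/">support.example-bank.com</a>.</p>
"""

# Pulls a host name out of link text such as "https://www.example.com/x".
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.IGNORECASE)


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self._href = None   # href of the <a> currently open, if any
        self._text = []     # text fragments seen inside that <a>
        self.links = []     # list of (href, visible text)

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_part(host):
    """Last two labels of a host ("www.example-bank.com" -> "example-bank.com").
    Simplified on purpose: production code should consult a public-suffix list
    so that hosts under e.g. ".co.uk" are handled correctly."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def find_mismatched_links(html_body):
    """Return one finding per link whose displayed host differs from the real host.
    Links with plain-word text ("our help page") show no host and are skipped."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        real_host = urlparse(href).hostname or ""
        match = HOST_RE.search(text)
        if not match:
            continue
        shown_host = match.group(1)
        if registrable_part(shown_host) != registrable_part(real_host):
            findings.append({"shown": shown_host, "actual": real_host, "href": href})
    return findings


if __name__ == "__main__":
    for finding in find_mismatched_links(SAMPLE_EMAIL):
        print(f"link text shows {finding['shown']!r} but opens {finding['actual']!r}")
```

Run against the sample body, the function reports only the first link: its text shows `www.example-bank.com` while the href opens a host ending in `verify-now.invalid`. The help-page link has no host in its text and is skipped, and the support link is consistent, which is the behaviour a gateway rule or a training demo wants: highlight the one clue that matters rather than flagging every link.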
Counting the Cost

Companies may say they can’t put a price on reputation, but the fact is the technology, processes, and training that are all part of effective cyber security come at a price that must be weighed against risk and budget realities.
“When we look at which insurance companies are not doing as well at the strategic level, it’s the mid-tier. The big boys have CISOs and technology and all the things necessary to have at least a semblance of security,” Tow says. “Mid-tier insurance companies are a target-rich environment for organized criminals and nation-states. Those companies may not have the budget for a full-time CISO, but they still need the capability to determine strategy, policy,
However, Tow says the cyber security scenario is continuing to improve. “The attention level that security is getting is growing due to increased numbers of headlines in the mainstream media on breaches. Companies have a better understanding of the need for diligence around applying the same methodologies for protecting and insuring risk for clients to their own cyber security. It’s getting better.”

“We’re looking at new technologies all the time. The question is how much security is enough and what is the right type of security,” Dunbar says. “It’s constant vigilance.” ITA