SECURITY THROUGH RESPONSIBILITY

Rough Notes, Apr 2005 by Chivvis, John

Responsible computing leads to increased agency security and productivity

Statistics say that over 70% of all business disasters can be attributed to either system/hardware malfunction or human error. However, many agents, while attacking the IT side of the issue with patches and updates, software and hardware, ignore the human factors that put their agency at risk for security breaches and incidents.

For more than 20 years, Tim Woodcock, president and CEO of the Davie, Florida-based Courtesy Computers, Inc. (www.courtesycomputers.com), has been working with insurance agencies and their computing systems. Woodcock says that by implementing a few simple practices into the overall business and employee workflow, agents can increase security, reduce exposure to data loss, and even increase productivity. "Whether you call it disaster recovery or business continuity planning, it is all about taking steps to mitigate risk," adds Woodcock.

Probably the simplest, yet most effective, investment is to have a security audit performed on the agency's systems on a regular basis. "I always recommend that agents get an external vendor to conduct these audits," says Woodcock. The reason he recommends external IT consultants instead of an agency's internal IT staff is that looking at the system from the outside typically provides a more objective and granular assessment of the systems, networks, data and workflows.

Reports are provided with explanations of the current state of the systems, where the problems are, the severity of the potential risk(s), and a prioritized list of solutions. "Usually the first one is the most shocking," confesses Woodcock, because in some cases the audit highlights human error or misconceptions.

Woodcock explains that the audits his firm provides include extensive external security and intrusion detection checks. "A few weeks ago, we told an agency: 'no, you don't have a firewall,' even though they thought they did."

A thorough audit will also highlight physical and internal issues. Woodcock has seen his share of servers in unsecured hallways being accidentally reset by employees, servers overheating in rooms without proper temperature control, backup systems that do not write good backups, open access to employee computers with sensitive data on-screen, and networks plagued by employee-introduced spyware.

While some may see an annual audit as just another added expense, Woodcock says that it is a simple investment that, in the long run, will save an agency money. He points out that agents will lose anywhere from $38 to $100 per employee for every hour of downtime, "and that doesn't even factor in what it costs for us to come in and fix it."

Woodcock says that one thing that some agents like about an external audit is that it allows them to make the outside auditor the "bad guy" when it comes to enforcing new policies. "We don't mind being the bad guys up front," says Woodcock. "It also assists the agent when it comes to implementing IT policies."

According to Woodcock, agencies need to consider implementing policies that address acceptable use of the Internet, proper use of agency systems, and keeping systems and resources secure. "It's amazing how often I get a 'deer in the headlights' look when I ask agency owners or principals if they have a basic Internet abuse policy or a security policy for employees in place," says Woodcock.

"We worked with one agency that reported that their system was 'lethargic,' and that their Internet usage was spiking at lunch," recalls Woodcock. It turned out that the agency would allow employees to surf the Web during lunch. What Woodcock found was that approximately 60% of lunchtime surfing was spent shopping and banking online and 12% was spent visiting "adult-themed" Web sites. "We also found that the spike lasted until 1:45 p.m., not exactly the lunch hour," says Woodcock. "When you talk about that big of a productivity loss, that's millions of dollars in lost revenues."

Besides acceptable Internet and e-mail usage, an agency's information security policy needs to address the handling of computer security issues including viruses, employee installation of software or downloads, and use of passwords. "In this case, less access is more security, so grant it as needed for each employee," says Woodcock. "Because of the sensitivity of the data, you must have controls to ensure that only authorized employees have access, including remote access."

The other side of implementing an information security policy is monitoring the use of IT resources and informing/reminding employees of the penalties for not following the guidelines spelled out in the policy. "If you tell them that you will be scanning their systems and monitoring the network, and you do," says Woodcock, "then unacceptable use will stop."

However, a good information security policy is not just for spelling out the responsibilities of the general employee, but for IT staff as well. Keeping data secure requires regular scheduling of updates and patches of software and hardware, and the verification of backups. "Too often backups are assumed to be good," says Woodcock, "but in actuality, more than 70% of all tape backups fail due to disk errors, bad tapes or other problems. Even though the logs may say it's good, it's always important to have a process in place whereby 'test restores' from backups are performed."
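The test-restore process Woodcock describes can be scripted so that it checks the restored data rather than trusting the backup job's log. The example below is added here and is not from the article or from Courtesy Computers; it assumes tar and sha256sum are available, uses a constructed data set in a temporary directory, and simulates bad media by truncating the archive.

```shell
#!/bin/sh
# Added example (not from the article): verify a backup by restoring it and
# comparing checksums of the restored tree against the live data.
set -eu

# Constructed sample data standing in for agency records.
make_sample_data() {
    mkdir -p "$1/policies"
    printf 'client=ACME; premium=1200\n' > "$1/policies/acme.txt"
    printf 'client=Globex; premium=850\n' > "$1/policies/globex.txt"
}

# The "backup job": archive the tree at $1 into the tar file $2.
make_backup() {
    tar -C "$1" -cf "$2" .
}

# Simulate a bad tape/disk: keep only the first 1024 bytes of the archive.
# A backup log would still show the job as completed.
simulate_bad_media() {
    head -c 1024 "$1" > "$2"
}

# Checksum every regular file under $1 with relative paths, sorted, so that two
# trees with identical content produce identical output.
tree_checksums() {
    (cd "$1" && find . -type f -exec sha256sum {} + | sort)
}

# Test restore: extract $2 into a scratch directory and compare it with $1.
# Prints RESTORE OK or RESTORE MISMATCH; extraction errors count as a mismatch.
verify_backup() {
    restore=$(mktemp -d)
    tar -C "$restore" -xf "$2" 2>/dev/null || :
    if [ "$(tree_checksums "$1")" = "$(tree_checksums "$restore")" ]; then
        result="RESTORE OK"
    else
        result="RESTORE MISMATCH"
    fi
    rm -rf "$restore"
    echo "$result"
}

# Demo: a sound archive passes the test restore, a truncated one does not.
demo() {
    work=$(mktemp -d)
    make_sample_data "$work/data"
    make_backup "$work/data" "$work/good.tar"
    simulate_bad_media "$work/good.tar" "$work/bad.tar"
    echo "good.tar: $(verify_backup "$work/data" "$work/good.tar")"
    echo "bad.tar:  $(verify_backup "$work/data" "$work/bad.tar")"
    rm -rf "$work"
}
```

In practice the same check is run from a scheduled job against the real backup set, with RESTORE MISMATCH raising an alert instead of being taken on faith from the backup software's own log.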
