The following is an opinion article written by Tom Moore, Australia and New Zealand practice manager for Aura Information Security. The views expressed within the article are not necessarily reflective of those of Insurance Business.
Insurance in Australia is a mature $32 billion industry that’s undergoing rapid and significant change. According to a 2017 report on the sector from PwC, this is being driven by three factors: changes to the way customers seek, acquire and use financial services; heightened scrutiny of the sector by regulators and the public; and technology-driven innovation.
The latter is being harnessed to enhance product design and distribution, refine process efficiency and improve customer experience.
Cost management initiatives – including automation, process simplification, offshoring and outsourcing – are a key focus and many insurers are undertaking large scale transformation programs, the report found.
A new level of cyber-risk comes standard with new technologies and systems. Ensuring sensitive commercial and personal data is secure should be top priority for insurers as they embark on implementations and upgrades.
Following the law
Australia’s tough new data breach reporting laws which came into effect in February 2018 mean a rigorous approach to IT security is more important than ever.
Businesses with turnover in excess of $3 million that experience a data breach, or suspect one has taken place, must notify their customers and the Office of the Information Commissioner, a statutory body that can impose stiff penalties on companies that don’t take appropriate action to remediate the issue.
Designing security into the system
The optimum time to implement security measures is when new systems are being planned and installed. Ransomware and phishing attacks can result in significant reputational and financial damage and it makes sense to take all steps possible to lock down sensitive systems from the outset.
Taking a ‘Secure by Design’ approach avoids exposure to unnecessary risk and ensures cyber-security is factored into system upgrades and overhauls.
Security will likely be viewed as ‘bridesmaid’ technology – not the aspect of a major project which wows users or gets the project team excited – but treating it as a low priority is an invitation for hackers to swoop.
The Australian Cyber Security Centre’s 2017 Threat Report notes the presence of ‘thousands of adversaries around the world willing to steal information, illegally make profits and undermine their targets’.
Unfortunately, for many large organisations – even those for which privacy and information security should be of paramount concern – it takes a negative experience to put information security where it belongs. That is, at the top of the agenda, at the outset of a project. All too often, our team is called on to act as the clean-up crew, fixing vulnerabilities which could have been more easily and cheaply attended to during an earlier project stage.
Why be ‘Secure by Design’?
A ‘Secure by Design’ approach allows businesses to identify security risks in the early stages, and remediate vulnerabilities when it is most cost and time effective to do so. Being secure by design is about proactively managing information security risk across the life of a project.
Think of it this way: Imagine trying to retrofit seatbelts, airbags, and crumple zones to the design of your car – hardly a straightforward undertaking! When you buy a vehicle, you quite reasonably expect the manufacturer will have accommodated those safety requirements before focusing on performance and aesthetics. The same should apply when implementing a new IT system.
The ‘Secure by Design’ process should begin at the project kick-off meeting, when solution requirements and desired business outcomes are being discussed. That way, you can ensure you’re making good security design choices and building a secure system from the ground up. Doing things properly at the outset should mean no nasty surprises during the testing phase.
It’s worth noting that being secure by design isn’t a discrete activity – it’s an ongoing process. IT systems are not static. They’re designed, built, tested, deployed, modified and patched – and used. They have an operational lifecycle and security is vital at every life stage.
IT systems’ inherent risk can never be fully eradicated, but it can be managed through monthly reporting, regular penetration testing, scrutiny of upgrades and reassessment whenever the risk profile changes.
At Aura, being secure by design is considered a four-phase process. During the design phase, potential security risks are identified by software and infrastructure security architects. The same consultants remain involved throughout the build process, to ensure systems are being implemented securely. They undertake an end-to-end penetration test prior to ‘go live’ to ensure any remaining security flaws are remediated. And during the operating phase, they carry out ongoing analysis, reporting and security optimisation.
Protection for the protectors
Australia’s insurance sector has long provided invaluable protection for individuals’ lives, assets and health. Ensuring their personal data is also well protected should be top priority for insurers as they transform their operations for a digitally driven future.