More than three million Medibank Private customers are likely bracing themselves for possible impacts following the recent cyberattack on the health insurer. Two hundred (200) gigabytes (GB) of data was stolen in the attack, including customer names, addresses, dates of birth, Medicare numbers, policy numbers, phone numbers and some claims data.
It’s probably a good time for insurance industry professionals to brush up on their knowledge of data security. Brian Grant (pictured above) is ANZ director at Thales, the global technology firm. The Melbourne based digital and data systems security expert discussed data security issues with Insurance Business in August.
Read next: Medibank says personal data was stolen
Based on that interview, IB has compiled this list of five important data security tips that are often overlooked or poorly understood.
Grant said the concept of shared responsibility is a common approach that’s applied to cloud systems and how they are used by all businesses, including insurance companies.
“AWS and Google all talk about the shared responsibility model and it’s well known in the industry,” he said. “It’s all to do with who’s responsible for what element of a cloud platform- in terms of delivery and support and maintenance and including that security framework.”
Grant said this model has a very interesting component.
“In a shared responsibility model, there’s one little interesting factor in all these cloud providers’ models: the data always remains the responsibility of the customer,” he said.
The data security expert said cloud providers don’t want responsibility for the data itself.
“That brings all sorts of legal obligations for them, for example, if there’s something inappropriate, or something that they shouldn’t be storing,” he said.
“The challenge for us here is that what used to work 10 years ago no longer works from a security risk management perspective,” said Grant.
He said the old way of doing things was based on perimeter security, or not letting anything in. “You only allowed certain connections, certain people and certain devices - it was very restricted,” he said. That’s all changed.
“The digitalization of the world, remote work and everything being delivered as an application on mobile devices, it’s forced us to open up our digital kimono, so to speak,” he said.
This means the “surface of attack” is much bigger today.
“Sadly, the cyber security industry - this is where I’m going to get controversial - is still trying to defend digital and data systems the way we used to do it [permitter defence] and just give it another name,” he said. “You might hear cybersecurity companies talking about edge security but what’s the difference between a perimeter and an edge? I’m not really sure there is a difference.”
Grant said the goal of cyber criminals is to disrupt a company’s critical data and data systems.
“Yes, it’s important to defend your border, but don’t invest all your effort and assets and resources on defending the border because you will fail,” he said. “I encourage all my clients to look at what are the critical data and digital assets that their organization can’t operate effectively without - that should be what they focus on.”
“I have a little CEO story that I’ll share with you,” said Grant. “The CEO asked me what questions should he be asking his cybersecurity team in order to stay on top of the risks facing his organization?”
Grant suggested to the CEO that he probably has a natural bias that impacts his perspective on the issue. He asked the CEO if he used a laptop for work? The CEO said he lived on his laptop. Grant asked the CEO what would happen if a cyber incident made the laptop unavailable for, not just a day, but a week, or even a month? The CEO said he would be frustrated enough to sack someone.
Grant extended this example.
“Let’s pretend that your whole company’s digital data system was unavailable or compromised and you couldn’t make sure items were manufactured the right way,” he said. “For a day - how much would it cost your organization? Half a million dollars? What about a month?”
The CEO said there’s a chance they’d be out of business. Grant suggested that the CEO hadn’t really considered cyber issues in this way. Despite the gravity of a major cyberattack, Grant said many people, like the CEO in his example, tend to have a natural bias and see it from the wrong perspective.
“There are two factors here, there’s the deliberate attack and then there’s the accidental exposure,” said Grant. “In cloud, accidental error is actually a pretty large proportion of data exposure.”
He said a company that relies on people always doing the right thing for its data security to be effective, is bound to fail.
“To err is human and we’re all human, we’re all going to make mistakes, so don’t ever rely on people for critical infrastructure and data and digital systems security,” he said. “You’ve got to have a balance between relying on people versus building security that doesn’t need people.”
“Whenever a customer comes to me and says they need data encryption, my response to them is actually this…” said Grant. “I’ll be perfectly frank, it’s literally, ‘Sorry, are you saying you need data encryption? Or do you want to make your data secure? Because data encryption doesn’t equal data security.’”