By Paul Peeples
FAIA Vice President & CIO
Ever since Citizens started requiring a Written Information Security Plan (WISP), FAIA has been looking to fill a vacancy in its roster of preferred providers in the area of Managed Service Providers (MSPs) and cyber security experts. This was no easy task, since we were not provided an example of an acceptable WISP. Admittedly, technology makes data collection easier and reduces the time required to write and service policies, but these improvements create risks and exposures of their own that invite a potential catastrophe for agents if they are not addressed properly.
After researching several potential providers, the FMS Board vetted a company called VineIT to fill this need for our members. VineIT is a Florida-based company that specializes not only in managed IT services but in cyber security too, and it can help you comply with the Citizens requirement (which the NAIC is also looking at)!
Most agencies have tried to manage their own hardware, software, and security. This landscape is changing rapidly, and one small mistake can cost your agency big. How big? Statistics show that 50% of small and medium-sized businesses suffered a cyber-attack in the last 12 months (through YE 2016), and that number is only going to increase. The U.S. National Cyber Security Alliance found that 60 percent of small companies are unable to sustain their businesses for more than six months after a cyber-attack. According to the Ponemon Institute, the average cost for a small business to clean up after a breach stands at $690,000. Oh, and for middle-market companies, it is well over a million dollars.
OK…now that I have spooked you (and you should be, since this is serious stuff), what do you do? Below is a list of key strategies you should consider very seriously when it comes to your agency's protection and cyber security.
- Network Security Assessment: Most compliance standards recommend that a third party perform this type of analysis rather than your own IT team, and many lenders even require it. This is a comprehensive assessment of your network that measures your core systems against the security control catalog published by the National Institute of Standards and Technology (NIST Special Publication 800-53). It is the starting point for everything else. Wouldn't you or your IT team want to know how healthy your IT environment is?
- Risk Assessment/Vulnerability Analysis and Remediation: This is a comprehensive area where "the good guys" try to hack your systems from inside and outside your organization, using the same kinds of exploit frameworks real attackers use, to find vulnerabilities that can actually be exploited. The internal testing uses OpenVAS and the Metasploit Framework…The what??? OpenVAS is a vulnerability scanner that finds known weaknesses in your systems; Metasploit is the most widely adopted exploitation framework in existence and is used to confirm which of those weaknesses an attacker could really take advantage of. Because this testing actively probes your systems, make sure the scope, the systems in play, and your written authorization are agreed on with the provider before it starts, and that "remediation" means the findings are actually fixed and then re-tested.
- Security Policy and Procedure Creation: Here it is…the creation of the Written Information Security Plan (WISP), which defines exactly how your organization accomplishes its security policy objectives. This is the living document that states in writing how your agency plans to protect its physical and information technology (IT) assets and safeguard the data they hold. It must detail your agency's operations on security governance, asset inventories, controls, continuity and disaster planning, systems monitoring, and internal/external mitigation policies.
- Security Procedure Auditing: This is an ongoing process that ensures your procedures are actually being carried out as defined. You do not want to attest to practices you are not following through on; a written plan you cannot show you follow is a liability, not a protection.
- Security Program Updates: Be sure to regularly update your policies, procedures, risk register, and employee training materials as your environment changes.
OK, so that was a mouthful, and I am sure your eyes have glazed over a bit, but make no mistake, this is very serious stuff, and sorry to tell you this…it is only going to get worse. Cyber crime is big business, a fifty-billion-dollar-a-year business!
If you don't have someone helping you in this area and need some assistance, you can contact VineIT, an FAIA Member Services preferred provider.