Insurance companies typically generate high volumes of data from their many customers. Legislation requires that insurers retain their data on existing and old customers, so these organisations retain and secure old data for an extended period of time. However, as technology has progressed, many insurers have moved or are moving away from legacy systems, replacing them with digital systems.
The challenge is that, more often than not, insurers can't migrate old data from a legacy system, so the data is kept in these older systems in case it is needed again. Maintaining both legacy systems and new systems doesn't make financial sense, as it is a costly exercise, but insurers typically do this anyway because keeping the data - old and new - is a compliance requirement. Unfortunately, legacy systems aren't always able to keep data properly secure, either due to the costs or due to system support coming to the end of its life.
Insurers need to be aware of what data they have and where it sits, whether it's on current or legacy systems. They need to build a solid and mature security and risk management programme around this information to prevent breaches as best as possible. Regulatory compliance can help insurers gain a view of their data and where it is located within the organisation, enabling them to build a strategy that ensures data is protected.
The travel industry
Most individuals have heard stories of fraudulent transactions where flight tickets are purchased using stolen credit card details. Online payments within the travel industry are very easy for cybercriminals to manipulate, because the level of detail required is minimal and security checks for secure transactions aren't always in place.
Similarly, it's still common practice for hotels to request a guest's credit card details at the time of booking or checking in, in order to process payment at check out. This poses a risk as hotel groups often store a number of credit card details - including CVV numbers - at any given time.
The travel industry is slowly digitalising; however, it is a lengthy process. Recently, a major air carrier experienced a system failure that required travellers’ details to be processed manually.
Beyond the risks associated with manual transactions, cybercriminals were able to access the carrier's systems and take advantage of its dependence on technology to infiltrate the system and steal a vast amount of data.
Cybercriminals are clearly taking advantage of the gaps between old systems and full digitalisation.
Nevertheless, there are many industry standards and payment regulations that are being imposed on the travel industry to curb data theft.
Businesses operating in this industry should ensure that systems are reviewed and updated regularly, retaining old data only as long as necessary and protecting it while the data is in the businesses’ possession.
Importantly, travel agents and hotels should modernise their systems, adding layers of protection to secure customers’ information.
There is not enough information to ascertain what level of protection government institutions have in place to protect citizen data. However, the number of paper-based processes seen in public-facing departments gives an indication of the level of digitalisation - and the outlook isn't encouraging.
Government departments hold large amounts of incredibly sensitive data. Beyond personal information, some of these departments also have access to military information, state-owned enterprise data, and highly confidential records of valuable resources, utilities distribution and town planning. Cybercriminals, especially of the cyberterrorist variety, are desperate to access this information.
Most government organisations are also exempt from regulations such as the Protection of Personal Information Act, meaning that there is no way for citizens to verify that their data is protected, nor do these organisations need to disclose any data breaches. Digitalisation of infrastructure and systems is crucial in order to keep a firm finger on the pulse of the entity's data.
Prevention is better than cure. Regardless of the industry, organisations need to do everything within their power to protect their information and that of their customers.
Simeon Tassev is the managing director and Qualified Security Assessor at Galix Networking.