New technological innovations mean new chances for cybercrooks. Simon Grace finds protecting your business is something that shouldn't be underestimated at any cost.
The wave of new technology has brought with it new opportunities for criminals and vandals, which means insurers now face a rapidly increasing range of possible danger points as they embrace electronic and web-based developments.
"Ten or 12 years ago," says Mike Schenstrom, group infrastructure manager at Hiscox, "you were only required to have physical security for your computer installations. You locked the door and everything was okay. But there have been dramatic changes, with internet access for example, and everything has moved to a different level."
Last year, the Association of British Insurers (ABI) published a report focusing on future crime trends in the UK. It suggested that technology was often introduced without consideration of the crime consequences and outlined four fundamental relationships between technological innovation and crime. These were that: future technology goods and services could be mistreated or misappropriated; future technologies could be used as tools in committing crime; technology could be used to prevent or mitigate crime; and new or modified environments could help or hinder criminal activity.
Most concern among insurers centres on so-called cybercrime (crime on or through the internet) and tends to focus on hacking, viruses, fraud and scams. Three years ago, criminologist Mike Sutton and IT expert David Mann wrote in the British Journal of Criminology that people "are more likely to engage in criminal behaviour online than they are in the physical world". They believe the apparent anonymity of the internet and the ability to operate from afar are drawing criminals to the internet.
According to John Antoniazzi, partner at accountants Deloitte & Touche, most e-businesses and websites are at serious risk of attack that could bring their operations to a halt, ruin their reputations and have severe financial consequences. This is particularly the case in the financial services sector, where many companies already have a false sense of security, since their precautions and countermeasures may not be up to the task.
Antoniazzi recommends a structured risk assessment process, weighing up the types of attack, their likelihood of occurrence and their potential impact, followed by the formulation of an information security policy, providing procedures and guidelines for appropriate controls and countermeasures. He stresses, however, that the protection provided is only as good as the quality of its management.
Schenstrom says insurers' systems are now part of a "vast environment, which is opening up so that virtually anyone can get access".
Of the dangers posed by this increased accessibility, he says that insurers can't afford not to take them seriously.
Experts say the number of attacks against electronic and internet-connected systems is increasing at an alarming rate. Website defacements are a growing problem for both e-businesses and those more traditional firms with just a website to promote their products and services. During the past 12 months, significant security breaches have been reported worldwide by major financial services groups.
Combating the criminals
Groupama's IT production manager, Chris Wallace, says the way to prevent such incursions is to use technologies that are more difficult to abuse. "We've considered unauthorised access for some years now, and it is part of our continuing IT strategy to build secure infrastructures in two key areas. For instance, we use IBM's AS400 technology to produce the most secure environment and we base our email system on Lotus Notes."
Using Lotus Notes was an informed decision, he explains, because system violators tend to use Microsoft products and processes. "It's more difficult to write viruses in IBM and Lotus Notes." He is proud that Groupama's internal policemen detected the Melissa and I Love You viruses before they became prevalent in the UK. "In any event, they were stopped coming in through our firewall."
He says that what is necessary is a high level of security to control access to vulnerable systems - "for instance, we require authorised users to change their passwords every 30 days" - and to have thorough internal security advice and guidance publications and procedures.
"We have a firewall for access to the internet that uses the latest anti-virus software, together with the most up-to-date content-checking software. If there's any doubt about an email message or attachment, it's put into a 'demilitarised' zone for our people to look at later."
All desktops, laptops and servers are also protected by anti-virus software.
At Hiscox and other insurers, the picture is much the same. The target is to be aware as quickly as possible of any problem or incursion and to take effective steps to counteract or prevent any recurrence.
UK insurers have either been extraordinarily fortunate or are reluctant to reveal any trespass or damage, but there has been no reported instance of significant intrusion or tampering.
Wallace says Groupama's systems have not been breached to date, either through email interference or unauthorised access. "We take these kinds of risks very seriously and have robust measures in place to protect our systems and prevent abuse, which are regularly audited by the company's external auditors."
But, as Antoniazzi cautions, without suitable audit and control processes, protection solutions may fall into disrepair and lull businesses into a false sense of security. A further safeguard is to regularly monitor new developments within the hacking community and keep up-to-date with the tools and devices used by cybercriminals.
Allied to these problems are those of maintaining the integrity of brand names and products, which may be the target of attacks by third parties. For instance, website visitors may be hijacked and sent elsewhere, or websites with similar names may be registered.
Schenstrom says the Hiscox website is checked daily, but warns that the sites of larger and more commercial companies may be more susceptible to such attacks.
But it isn't just the dangers associated with new technologies that are likely to cost insurers money.
Paul Evans, insurance systems manager at specialist consultancy Michaelhouse, believes insurers are being inordinately slow in taking decisions to move ahead with technological developments.
No time to waste
He estimates millions of pounds are being wasted through delayed decisions, saying that each company could incur unnecessary costs of £2m, simply through failing to move quickly enough.
And there is an associated point to which all insurance company directors should be paying close attention. While they don't need to be technology experts, they should know enough to understand the broad issues.
More importantly, say consultants and industry specialists, e-commerce and IT systems must not be marginalised. The benefits of electronic wizardry can be demonstrated all too easily, but the pitfalls need to be understood just as clearly.
And if all this wasn't enough, there are a few final points to worry about. Insurers around the world are giving thousands of intermediaries easy access to their systems and databases, and expanding extranet facilities to provide that access. More insurers are launching transactional websites and many more are introducing email networks for doing business.
Insurers have to quickly get the message that each entry into their systems infrastructure represents potential danger - and build adequate protection.
Getting down to numbers
There are an estimated 400 million internet users worldwide, accessing well over one billion webpages.
There are also around 20,000 different computer viruses in existence, many of them deliberately distributed to cause damage and disrupt host systems.
The new breed of viruses is self-propagating, subverting a computer's email program and spreading globally within days. The Melissa virus cost North American businesses more than $80m (£55.5m) in damage to their systems, while last year's Love Bug virus is estimated to have cost businesses worldwide more than $5.4bn (£3.7bn).
PricewaterhouseCoopers estimates that fraudulent e-commerce transactions account for half the annual fraud total in the United States, where online shopping is well entrenched. Widespread protection measures are in place across the US, including a $2bn (£1.3bn) programme to train anti-hackers.
Combating cybercrime is becoming a priority for UK and other European governments. The European Union's draft convention on cybercrime is currently being revised and will be adopted by the Committee of Ministers later this year.
In the UK, the Home Office has established a multi-agency National Hi-Tech Crime Unit which has just commenced operations following £25m funding to recruit 80 or so dedicated investigators at the unit and in each of the police forces in England and Wales.