How would your company handle a bill for over $100 million following a security breach? That was the likely impact of the theft of data early in 2015 from Anthem, the second-biggest US health insurance provider.
Anthem confirmed that as many as 80 million records had been stolen from a database with past and present customer and employee details. The data lifted included names, dates of birth, addresses, medical IDs and Social Security numbers, but apparently no financial or medical details.
Unfortunately, that did not mean that the hackers went away empty-handed. Moreover, the moral of this story applies as much to a distributor in LA as to a health care insurance provider in Indianapolis.
1. A Security Breach Can Be Surprisingly Expensive
Even if Anthem itself suffered no direct loss from the theft of the data, it still needed to inform the people concerned and repair the damage to its reputation as best it could. The company was insured against cyber-incidents for up to $100 million.
Costs, however, were expected to exceed that already imposing figure. Similarly, if a distributor lost reseller payment details to hackers, the real impact could be devastating even if the details of the distributor’s own bank account were not compromised.
2. Data Encryption? Just Do It
As an extra egg-on-face factor, no encryption had been applied to the Anthem data before the theft. Although there is a strong industry-specific (HIPAA) recommendation that healthcare providers encrypt their data, there is no regulatory obligation to do so.
The omission made Anthem’s security look all the weaker, and it also meant the hackers could exploit their digital booty immediately. Yet systematic data encryption is neither expensive nor onerous; it is simply effective.
3. Tax Refund Hoaxes and Other Creative Uses of Stolen Data
On the face of it, health care has little to do with tax refunds. However, the same kind of personal data is used in both cases. Hackers could therefore use the data from Anthem to file false tax refund claims, for instance, and divert the payments to their own accounts. Likewise, the information that a wholesaler holds could be highly attractive to cybercriminals for reasons of their own.
4. It All Started a Long Time Ago…
…in Internet terms, at least. There are indications that the attack on Anthem’s database started weeks, if not months, before the information theft was discovered. After the event, Anthem shared ‘indicator of compromise’ information, such as suspicious Internet addresses and malware signatures revealed by its system records. The idea was to help other organizations identify illicit activity earlier and prevent a possible security breach of their own.
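As an added illustration of how a shared indicator list is put to use (this is not code from the original article, and the indicator values and log lines are constructed placeholders, not Anthem’s real indicators), here is a small Python matcher that checks firewall, proxy and antivirus log lines against shared addresses, address ranges and file hashes:

```python
import ipaddress
import re

# Constructed indicator list: shared "suspicious addresses" (single IPs or
# CIDR ranges) and malware file hashes. All values are placeholders from the
# RFC 5737 documentation ranges and a dummy MD5, not real indicators.
IOC_ADDRESSES = {"198.51.100.23", "203.0.113.0/24"}
IOC_HASHES = {"d41d8cd98f00b204e9800998ecf8427e"}

# Constructed sample log lines: two firewall entries, one proxy entry and one
# antivirus file-scan entry.
SAMPLE_LOGS = [
    "2015-01-27T03:14:05Z fw ALLOW src=10.0.0.15 dst=198.51.100.23 dport=443",
    "2015-01-27T03:14:09Z fw ALLOW src=10.0.0.15 dst=192.0.2.10 dport=443",
    "2015-01-27T03:20:41Z proxy GET 203.0.113.77 http://203.0.113.77/update.bin",
    "2015-01-27T04:02:13Z av scan C:\\Users\\svc\\update.bin md5=D41D8CD98F00B204E9800998ECF8427E",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HASH_RE = re.compile(r"\b[0-9a-f]{32}\b|\b[0-9a-f]{64}\b", re.IGNORECASE)


def match_line(line, networks, hashes):
    """Return a de-duplicated list of (kind, value) indicator hits for one line."""
    hits = []
    for ip in IP_RE.findall(line):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:  # e.g. 999.1.1.1 matched the regex but is not an IP
            continue
        if any(addr in net for net in networks) and ("ip", ip) not in hits:
            hits.append(("ip", ip))
    for h in HASH_RE.findall(line):
        h = h.lower()  # indicator lists and logs differ in case; compare lower-case
        if h in hashes and ("hash", h) not in hits:
            hits.append(("hash", h))
    return hits


def scan(lines, addresses, hashes):
    """Return (line_number, line, hits) for every line matching an indicator."""
    networks = [ipaddress.ip_network(a, strict=False) for a in addresses]
    hashset = {h.lower() for h in hashes}
    results = []
    for number, line in enumerate(lines, 1):
        hits = match_line(line, networks, hashset)
        if hits:
            results.append((number, line, hits))
    return results


if __name__ == "__main__":
    for number, line, hits in scan(SAMPLE_LOGS, IOC_ADDRESSES, IOC_HASHES):
        print(f"line {number}: {hits}")
```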
5. Bite the Bullet and Own Up
Anthem published content on the web about what happened, with its apologies. Crisis management and communication are critical in this kind of situation. But more than this, appropriate disclosure of security breaches is also mandatory in certain industries. In these cases, not only do you have the personal embarrassment, but you have to go public with it too.
6. Lock Down that Perimeter
For Anthem, the attack already happened. But for all other enterprises, prevention is better than cure. Information security must be properly planned and implemented. That includes technological protection, as well as a sufficient level of employee awareness of the need and the way to keep data confidential.
Basic precautions can be taken by the enterprise itself. Others, such as security audits, advanced firewall policies and penetration testing, may be best performed by competent third-party professionals.
Can good IT security also become a competitive differentiator? Tell us how your resellers and business partners perceive your initiatives to protect your distribution company in the Comments box below.
And to follow through on the tips introduced in this short article, be sure to download your free guide, How COOs at Los Angeles Distributors and Manufacturers Get More Done: A Guide to Productivity, Data, Staffing, Delegation, and Making It Home for Dinner Most Nights.