Protecting and Insuring

By Elizabeth Millard  |  Posted 2008-10-29

Software as a service may be on the rise, but so are security threats targeted at loopholes in application code. Here are some application security strategies from industry experts, with a closer look at one area not generally associated with security and information technology management--insurance.

Protecting and Insuring
Creating a more comprehensive security strategy helps to mitigate the types of risks posed by Web applications, but some companies are also turning to insurance.

In early 2008, The Hartford introduced CyberChoice 2.0, liability insurance that covers data privacy. The interest has been overwhelming, says Drew Bartkiewicz, vice president of Cyber and New Media Risk at the insurer.

"When you look at things of great value, like homes or cars, those are insured," he says. "No one thinks that because they have an alarm system they're fully protected. In the same way, just having security controls doesn't eliminate all risk."

But not all companies can get the coverage; first, they have to prove that the CIO and the IT team are doing everything they can to secure their applications and their data.

With a surge in applications, Bartkiewicz has been able to see the kinds of surprising security gaps that exist at companies of every size, and he notes that only about 30 percent of those who ask for coverage actually receive it.

"What that tells you is that there are still a lot of companies that are uninsurable for data risks, because they haven't done enough to protect themselves," Bartkiewicz says. "They haven't done a privacy audit, or they've had their Web server taken down three times in the past few months by a hacker in Eastern Europe, or they have no privacy policy with employees."

To create a more comprehensive protection plan, a CIO might look through the CyberChoice criteria for coverage as a useful heads-up on what is needed to become more bulletproof.

Also helpful, according to Arce, is paying closer attention to the adoption and deployment of new variations of Web application technologies, and recognizing that problems need to be rooted out in the early stages of development. Assessing and monitoring production systems more frequently should be part of every security strategy, Arce notes.

Bartkiewicz believes that CIOs will grow more aware of the risks of Web apps, and most likely they'll find out the hard way. There is a great amount of openness now, he adds, thanks to social networking applications and the popularity of SaaS, but if protection doesn't ramp up along with the use of these apps, companies will increasingly become targets.

"With Web apps, it's not just the risk of what the company's IT staff is doing, but also, companies are picking up the risk that their users are doing stupid things, and they'll be held responsible for that," says Bartkiewicz.
