AGIA: Identity Crisis
Bill Tyson was excited to see how his latest brainstorm, an insurance policy that protected customers against identity theft, was faring.
As the chief marketing officer for AGIA Insurance Services, he had found a creative way to sell what he thought was a poorly understood product: one that would repay consumers for the costs of having their identities forged and misused by online miscreants, and provide credit monitoring and other protective tools.
Tyson's direct mail campaign had already failed, but he figured that was because the customers AGIA was targeting, members of the Good Sam Club and the National Rifle Association, were more likely to be reached on the Net than through snail mail. With higher-than-average incomes, they would likely be worried about having their personal information stolen and misused. He also decided that an e-mail campaign was a cheaper and more effective way to reach these potential victims, just in time for the Christmas buying season.
Like any conscientious marketing executive, Tyson opened an e-mail promoting the insurance. He clicked on the link embedded in the message, expecting to be directed to a Web page with educational videos discussing the consequences of identity theft and an offer to buy insurance online. Instead, he got an eyeful: a Brazilian Web page hurling insults at President Bush. AGIA's own Web site, hosted by a third party the company was using while its own servers were being upgraded, had been hijacked.
"They didn't let us know," Tyson says. "That was the big aha. If I had not brought it to their attention, would I have ever known? ... It left me feeling vulnerable."
Aghast, he immediately severed AGIA's relationship with the hosting company, which he declines to name, and pulled the project in-house. But the incident underscores important lessons for companies that handle sensitive customer information, particularly smaller companies like AGIA. They must fiercely protect the integrity of their systems and networks, even when it means stretching limited resources to do so. How was AGIA supposed to build a business on protecting consumers from identity theft if it couldn't protect itself?
Just this year, far bigger companies than AGIA have suffered serious security breaches. In March, for example, GMAC Insurance informed customers that their personal data had been stolen by thieves who took two computers from a regional office.
Although total losses reported by respondents to the 2004 CSI/FBI Computer Crime and Security Survey, released in June, fell to $141.5 million from $201.8 million the year before, viruses and denial-of-service attacks replaced theft of proprietary information as the largest cost categories.
The attack on the hosting company did not expose AGIA's customer data, but Tyson worried that AGIA's credibility could end up in shreds. Also, why should he believe what AGIA's information-technology department was telling him? In his previous job as head of JLT InterActive, the U.S.-based e-business consulting division of British insurance broker Jardine Lloyd Thompson Group, Tyson and the chief technology officer had hired a white-hat hacker, who exposed vulnerabilities in user registration and authentication before the system was deployed.
AGIA is not a household name, but many of its clients are well known. The 48-year-old company, based in Carpinteria, Calif., sells, markets and administers insurance programs on behalf of groups such as the Good Sam Club and the American Legion. AGIA insures about 2 million people, or about 5% of the aggregate membership of these affinity groups, professional societies and other organizations. It also hosts and manages over 50 Web sites for some of these clients.
Tyson joined AGIA in July 2003, lured by CEO John Wigle, the son of AGIA's founder, to do "new and innovative things." That directive included using the Internet to expand the business. The insurance industry is conservative and resists transacting business online; AGIA sells most of its policies through direct mail and advertisements, supported by call centers and the Internet. Still, customers want to buy services like emergency travel assistance online, and AGIA needed to be ready when and if the industry shifted to the Web.
Tyson didn't expect his new job to be too daunting. At JLT InterActive, which he founded, he was working on creating community portals for unions and trade groups before JLT stopped funding the division after Sept. 11.
Yet the hijacking of the identity-theft campaign's site spooked Tyson. Though he dealt with that incident by dumping the Web host, he thought that AGIA's Web sites and systems were neither performing as well as they should nor as secure as he would like.
For example, customers could not download brochures or access encrypted forms. No one at AGIA knew when servers were down unless they physically checked. Furthermore, a consulting firm Tyson had hired after he arrived, the Comdyn Group, told him that some of AGIA's coding techniques were out of date.
More and more, the company was fielding questions from clients and prospective clients, particularly financial partners, about how often it checked the security of its servers and what it was doing to proactively mitigate security threats.
Like other insurers, AGIA is subject to a host of security and privacy regulations. These include the federal Health Insurance Portability and Accountability Act (HIPAA), which requires companies to write a security policy and prove they are following it, as well as a California law (SB 1386) that requires companies to notify residents of that state when their personal information is compromised.
At the same time, cyberattacks were becoming more severe. The SQL Slammer worm in January 2003 was followed by the Blaster worm on Aug. 11 and the Sobig.F virus on Aug. 19. In response, 10 employees, including Tyson, were spending up to 10 hours each week scanning the Web for information on vulnerabilities and manually patching software as quickly as they could, an expensive and ineffective use of their time.
Without being able to prove that AGIA was securing its network on an ongoing basis, Tyson might have trouble attracting new clients. In fact, the company risked losing existing ones if they felt their customer information was in jeopardy, even though Tyson insisted that it was protected.
However, Tyson could not make AGIA more secure all by himself. For that he needed cooperation from Garry Boswell, the new director of information technology, but Boswell was slammed with work. Boswell had been in his job for about three months, did not report to Tyson, and had just taken over a project to install a Cisco voice-over-Internet Protocol phone system so AGIA could more easily report call center statistics to clients. The project was demanding: Boswell discovered that he had to replace switches and routers throughout the company.
On top of that, Boswell was updating AGIA's security policy, which dictates how the company responds to security threats in compliance with federal regulations. He was well aware of the Comdyn Group's report, and he was simultaneously installing antivirus software and evaluating new security products from some of the 500-plus vendors on the market for possible installation in 2005.
Making an End-Run
When Tyson asked Boswell if he would install a new security appliance that would scan AGIA's network for vulnerabilities, and do so right away, Boswell said no; the network wasn't ready to be tested. So Tyson, who already had the appliance picked out, wound up making a corporate end-run around Boswell and appealing, successfully, it turned out, to CEO Wigle.
Cybersecurity is a young field, and much of the technical innovation is coming from first- and second-generation products, says Jon Oltsik, an analyst with Enterprise Strategy Group. Smaller companies may use free open-source tools like Snort and Nessus, but those are notoriously difficult to manage. Nessus, for example, looks for flaws the way an attacker would: it sends malformed or unexpected data to each service it finds and judges from the responses whether that service could be exploited.
Tyson talked with his own Web developer, Jim Mannix, about using Nessus, but did a Web search and found a startup called PredatorWatch instead. PredatorWatch's strength, says Oltsik, is that it has "baked" open source modules into a package suitable for companies whose technology staff has to handle security along with everything else.
The appliance, which runs on a hardened version of Linux, discovers the IP addresses on the network and scans the hardware or software behind each one for entries in the Common Vulnerabilities and Exposures (CVE) list, a federally funded catalog of known flaws maintained by the Mitre Corp. When it finds a flaw (an unneeded open port on a Web server, for example, the kind of opening attackers probably used to take control of the hosting company's server), it can flag it. PredatorWatch also integrates with automated patch management software and issues reports classifying vulnerabilities by severity. Each finding is identified by IP address and can include likely attack scenarios, suggested remedies, and any impact on the company's regulatory requirements.
Tyson had never heard of PredatorWatch, and when he called he was surprised that CEO Gary Miliefsky himself answered the phone. But PredatorWatch was an IBM business partner with three customer references, and Miliefsky was accustomed to taking calls from distressed executives.
Boswell resisted. He, too, had years of experience with cybersecurity, and wasn't convinced that PredatorWatch had the best approach. He had sent questions to Tyson: Who'd maintain PredatorWatch? How would sensitive reports be kept inside the building? How would AGIA's network handle potential traffic?
At AirTouch Cellular in the 1980s, Boswell supervised engineers who would hack the Sun operating system so they could install their favorite tools. Occasionally the network would crash. Boswell feared PredatorWatch would behave like Nessus, which is also known to crash networks, and he didn't know how much stress AGIA's network could take, particularly with the traffic already generated by the new Cisco phone system.
In retrospect, Boswell also admits he felt his job would be on the line if PredatorWatch discovered vulnerabilities in AGIA's network that should have been caught by his department.
So that's when Tyson made his end-run, bypassing Boswell and going to Wigle to make his case. Waiting until 2005 was unacceptable, Tyson argued; AGIA had to do something immediately. Wigle gave him the go-ahead.
With no choice but to go forward, Boswell negotiated the terms of PredatorWatch's installation with Tyson. They agreed that the box would run once a month on Sunday nights, when network traffic was low, so Boswell would have ample time to monitor its effects. Mannix pointed PredatorWatch at three Web servers and within a half-hour, the box was issuing reports.
As Boswell had feared, it found vulnerabilities that his department didn't know about: open ports, an out-of-date service pack for SQL Server, and unauthorized write permissions that would allow intruders to place files on one Web server.
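The three kinds of finding listed above (a listening port outside the baseline, a stale SQL Server service pack, a directory on a Web server that anyone can write to) are what a scan of the kind described earlier turns up. The following added example shows the shape of such a check in Python. It is illustration written for this page, not PredatorWatch or Nessus code; the host address, the allowed-port policy, the version baseline, the directory paths and the rule identifiers are all constructed, and it matches observations against a small local policy table rather than against the CVE list.

```python
"""Minimal vulnerability check of the kind the appliance performs:
enumerate listening TCP ports, compare a host's observed state with a
baseline policy, and classify each deviation by severity per IP address.
Added example; not PredatorWatch or Nessus code.  The policy, inventory
and rule identifiers below are constructed for illustration."""
import os
import socket
import stat
from dataclasses import dataclass

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass
class Finding:
    host: str
    rule_id: str   # local rule name (constructed; not a CVE number)
    severity: str  # "high", "medium" or "low"
    summary: str
    remedy: str


def scan_ports(host, ports, timeout=0.25):
    """Return the sorted subset of `ports` that accept a TCP connection."""
    found = []
    for port in sorted(ports):
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            if sock.connect_ex((host, port)) == 0:  # 0 means connected
                found.append(port)
    return found


def world_writable(path):
    """True if anyone on the box may create files under `path`."""
    return bool(os.stat(path).st_mode & stat.S_IWOTH)


def version_tuple(text):
    """'8.00.760' -> (8, 0, 760): compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def evaluate(host, open_ports, services, web_dir_modes, policy):
    """Compare one host with `policy` and return Findings, worst first.

    services:      {port: (product, version_string)} from banner grabs
    web_dir_modes: {path: mode_bits} for directories the Web server exposes
    """
    findings = []
    for port in open_ports:
        if port not in policy["allowed_ports"]:
            findings.append(Finding(host, "R-OPEN-PORT", "medium",
                f"TCP port {port} is listening but is not in the baseline",
                "close the service, or add it to the baseline after review"))
    for port, (product, version) in services.items():
        minimum = policy["min_versions"].get(product)
        if minimum and version_tuple(version) < version_tuple(minimum):
            findings.append(Finding(host, "R-STALE-VERSION", "high",
                f"{product} {version} on port {port} is older than required {minimum}",
                f"apply the current service pack to {product}"))
    for path, mode in web_dir_modes.items():
        if mode & stat.S_IWOTH:
            findings.append(Finding(host, "R-WRITABLE-WEBROOT", "high",
                f"{path} is world-writable, so an intruder could place files there",
                f"remove write access for others on {path} and review its contents"))
    findings.sort(key=lambda f: SEVERITY_RANK[f.severity])  # stable: keeps order within a rank
    return findings


def report(findings):
    """One line per finding: host, severity, rule, what it is and how to fix it."""
    return "\n".join(f"{f.host}  [{f.severity.upper():<6}] {f.rule_id}: "
                     f"{f.summary}; remedy: {f.remedy}" for f in findings)


def loopback_self_check():
    """Open a listener on an ephemeral loopback port, then scan that port and
    a port known to be closed; returns (found_ports, expected_ports)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()  # bound but never listening, so a connect() is refused
    try:
        return scan_ports("127.0.0.1", [open_port, closed_port]), [open_port]
    finally:
        listener.close()


if __name__ == "__main__":
    # Constructed inventory for one Web server with a database behind it.
    policy = {"allowed_ports": {80, 443},
              "min_versions": {"SQL Server": "8.00.760"}}  # constructed baseline
    findings = evaluate("192.0.2.10", open_ports=[80, 443, 1433],
                        services={1433: ("SQL Server", "8.00.194")},
                        web_dir_modes={"/var/www/html": 0o777}, policy=policy)
    print(report(findings))
    print("loopback self-check:", loopback_self_check())
```

Run stand-alone, it prints the classified report for the constructed inventory and then exercises the port scanner against a listener it opens on loopback. Pointing `scan_ports` at a real address range is the part that generates traffic, which is exactly what Boswell was worried about, so keep the timeout short and the port list explicit rather than sweeping every port on every host in one pass.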
But Boswell's biggest fear, that he'd lose his job, never materialized. He thinks that's because he was able to fix everything PredatorWatch found. Also, he says, "Nothing was so bad that it kept me awake."
In fact, Boswell is now happily in charge of PredatorWatch, which he upgraded to an IBM xSeries server so it can scan the entire enterprise: so far, over 50 servers, 300 workstations and the Cisco phone system, as well as laptops brought in from outside the building. Although he declines to reveal what new security products he's adding, Boswell says PredatorWatch's reports on vulnerabilities found and fixed make it easier for him to make the case to his boss, the chief financial officer.
Tyson, meanwhile, says AGIA is ready to expand its business on the Internet, whenever the rest of the insurance industry is ready to make the leap.
AGIA Base Case
Headquarters: 1155 Eugenia Place, Carpinteria, CA 93013
Phone: (805) 566-9191
Business: Sells, markets and administers insurance programs for affinity groups such as the National Rifle Association; aggregate membership of over 40 million.
Chief Marketing Officer: Bill Tyson
Financials: National, privately held company with 300 employees.
Challenge: Expand amount of business done online while protecting customer information from cybersecurity breaches, at an affordable cost.