Watch CBS News
Local News

High Bit Security: NY State Justified In Demanding That Insurance Firms Prove Cybersecurity

/ CBS Detroit

ROCHESTER -- High Bit Security endorses the efforts of New York in assessing the cybersecurity posture of the state's largest insurance carriers, a warning to businesses with personally identifiable information, private health information and payment card industry data to get proactive regarding cybersecurity.

On May 28, New York Gov. Andrew Cuomo required the 31 largest insurers regulated by the state to provide information surrounding their cybersecurity preparedness. New York State is seeking information to determine what attacks these companies have experienced over the past three years, definition of their cybersecurity measures in place, IT Management policies, funding and resources dedicated to cybersecurity, and information on governance and internal control policies related to cybersecurity.

"This move by New York State is sure to be replicated in many other states and across many more business sectors than just the insurance industry," said Barb Goushaw, chief business development officer for High Bit Security. "Just think about the amount of sensitive information many businesses possess, and the inappropriate purposes the information could be used for -- personal identity theft, medical identity theft, intellectual property theft, credit card data theft. Cyber criminals and nation states are generating billions of dollars by stealing this information from US companies."

Added Adam Goslin, High Bit Security's COO: "High Bit Security applauds the efforts of Gov. Cuomo to assess the cybersecurity stance of an industry with such high amounts of sensitive data on their systems. High Bit Security expends significant resources evangelizing to business owners across a myriad of business sectors to improve their understanding of the risks posed to their businesses and the information their customers trust them to protect."

High Bit Security's 2012 review of its IT security penetration testing engagements revealed that more than 95 percent of the companies they tested had security vulnerabilities and a full 100 percent of the companies that had never performed proactive security testing had serious vulnerabilities in their external and internal network, host configuration, applications, web services or wireless systems. 

"We have seen staggering and sobering statistics from our testing for years," Goslin said. "It is alarming how few companies take their security seriously enough to engage in proactive penetration testing. Many of our customers that test for the first time are shocked at how many security holes are found. Typically, they have either IT staff or an outsourced IT support company or hosting facility that they entrust with their security, but these business owners need to understand – security is a specialty.  The personnel or companies they have in place are reputable, but security is not their specialty."

Said Goushaw: "Companies that assume their security is covered by the existing IT staff or service provider and depend on automated scanning and monitoring solutions are a security problem waiting to happen. But compare this to your personal health.  If your general practitioner refers you to a heart specialist, that doesn't mean he's a bad doctor. It means he's a good doctor. It makes sense to bring in a specialist to partner with the existing IT provider." 

And Goslin said more than penetration testing is recommended.

"Penetration Testing will provide an in-depth evaluation of the security posture of an organization, and will also reveal how well internal policies/procedures are functioning and the effectiveness of security solutions presently being leveraged," Goslin said. "It is not to say that penetration testing is the only solution needed – there are a whole host of tools, vendors, policies and procedures that need to work harmoniously to mitigate security problems for an organization, and there is no silver bullet.  Many of our customers are shocked to realize that their vulnerability scanner of choice is leaving security vulnerabilities in their systems, because there are many security issues scanning solutions will not identify. Businesses also need to realize that the security companies providing what they term 'penetration scans' are really nothing more than a glorified vulnerability scan, leaving them equally at risk."

High Bit Security is a national security services provider, providing penetration testing solutions to clients who need to protect sensitive data in industries such as health care, credit card, financial, or companies that store other personally identifiable information or intellectual property. High Bit Security also provides security consulting services to our clients to assist them with their compliance objectives across PCI-DSS, PA-DSS, HIPAA, SSAE-16 evaluations or wish to perform a security best practices audit of their organization.
Contact High Bit Security today for a free consultation to take steps toward protecting your sensitive information. Visit www.highbitsecurity.com or call (800) 757-3144.

First published on June 4, 2013 / 4:40 PM EDT

© 2013 CBS Broadcasting Inc. All Rights Reserved.

View CBS News In
CBS News App Open
Chrome Safari Continue
Be the first to know
Get browser notifications for breaking news, live events, and exclusive reporting.