Compliance-based assessments require the use of vulnerability scanning and penetration testing tools that tend to be unpopular for running on operational systems because of concerns that they will cause interruptions, slow response times and shutdowns. As a result, operations teams are hesitant and often elect not to perform these scans on their environments, as was the case at Anthem, noted in the article "The disturbing truth behind the Premera, Anthem attacks".
Organizations rightly have security policies in place that prohibit external entities from connecting to their networks and testing them for security holes. Perhaps a better policy would be to maintain a separate, duplicate environment where these scans and tests can be performed. In most organizations, however, there may not be ample resources to build such duplicate test environments. It is precisely this kind of thoughtful analysis and re-allocation of resources that is why large organizations need to begin implementing the comprehensive digital risk management platforms being evangelized by the new DRM Institute.
DRM provides the foundation for managing risk across business functions by relying on the prioritization and quantification of the business impact of digital risk.
In the case of Anthem, the most egregious mistake was that Anthem had not encrypted the data stored on its networks. There are several well-known open source encryption tools, as well as commercial options such as Vormetric and Security First, that securely encrypt databases.
As consumers, we should demand that the banks, doctors' offices and insurance companies that store our personal information encrypt their databases as well as the communications to and from those databases. As businesses, we should begin the process of evaluating and migrating to a digital risk management approach in order to better allocate resources and protect our customers' data.