As a company that has no physical channels to serve customers, insurance-comparison giant iSelect has been heavily reliant on its contact centre and online presence since its inception nearly two decades ago. But with customer demand booming, the business expanding and its high profile attracting unwanted attention from online cybercriminals, the company began a two-year overhaul of its information-security environment so that it had a flexible environment that could ensure the security and integrity of its core technology well into the future.
The decision was driven by a noticeable uptick in suspicious activity, iSelect Group network and infrastructure manager Samil Nervuz told CSO Australia. “As the company grew, we had seen more and more people doing vulnerability scanning through our Web site, DDoS attacks, and attempts to infiltrate the systems,” he said.
“As our environment grew to more than 350 servers, our traditional ways of trying to secure things were quickly becoming unmanageable. We realised we had to centralise our security to make sure we had a team that could look after all of our solutions on a 24x7x365 basis.”
The security overhaul, which included elements for protecting against both external and internal threats, finished earlier this year after an extensive redesign of the company’s security processes.
That redesign included extensive evaluations of more than a dozen security specialist firms, from which the company chose its preferred tools for firewall, intrusion detection systems, reputation monitoring, and other capabilities.
Yet it was also clear early on that the company’s technical team – which was more focused on software development and infrastructure than specialised security tools – was going to need some help to ensure the kind of responsiveness that the company required.
“These were huge investments for us, and mission-critical ones,” Nervuz said, noting that the requirement to run security and infrastructure at all hours – during which the infrastructure behind the company’s eight websites generates millions of security-log entries per day – increased the costs even more.
“We sat down and made a few calculations internally,” he explained, “about how long it would take to train our current employees to become security experts and how much it would cost to hire security experts. The reality is that some of these tools are not that common, and it’s hard in the Australian market to attract experts to look after them. We quickly realised that the costs were becoming way too significant.”
With ongoing “huge support for IT investment” from the company’s management – a longstanding support that Nervuz said has been critical in helping the company get the technology it requires – the security overhaul saw the iSelect team evaluate the market for managed security service providers (MSSPs). It ultimately chose SecureWorks based on its reputation, management capacity, and experience.
The decision to hand over day-to-day administration of the new security environment was also based on continuity of service that can be hard for an individual company to guarantee, Nervuz pointed out: “people are in such niche, skilled markets that it’s very hard to retain them in your business,” he said.
“In security, the last thing you want is for that knowledge to leave once they leave the company. Security specialists have to know the ins and outs of your systems, which is why we needed someone that can maintain that knowledge within its teams and provide continuity. It takes the hassle out of it.”
Months after the company completed the transition to the MSSP environment, Nervuz says the decision to bring in outside expertise has proven to be by far the best approach the company could have taken. Ongoing reporting has shown “eye-opening” levels of external attacks on the company’s sites on a regular basis, and continuous tweaking over the past 6 to 8 months has helped increase the efficacy of blocking solutions to “pretty much 100 percent”.
That level of effectiveness has not only improved management confidence in the integrity of the company’s business; it has also helped them breathe more easily around the protection of the large quantities of personal information that the company collects from its customers.
That information – which ranges from seemingly innocuous numbers like postcodes to sensitive identifiers such as Medicare numbers – is all protected under current Australian Privacy Principles, while looming breach-notification laws will offer no quarter for companies that don’t maintain the security of their customers’ data.
Those regulations set the high-water mark for data protection, and Nervuz is committed to leveraging the company’s partnership with SecureWorks to ensure that it stays on the right side of those laws. Indeed, the threat of reputational damage from a data breach was a key consideration in selling the security overhaul to the company’s senior management, who were all too aware that the reason customers keep coming back – rather than buying insurance products themselves – is their trust in the company.
“Because iSelect is a service provider, our brand reputation and the trust relationship is everything for our customers,” Nervuz explained. “Security is important to us and it was a huge selling point, which helped get support and buy-in from the business. That support makes a real difference when making these sorts of investments.”
With the MSSP relationship established and the environment bedded down, iSelect has been able to add new applications into the mix with some regularity. At the same time, Nervuz added, it has been able to commit its own staff to focusing on building the business in ways where they can add the most value.
“Our IT guys can now focus on the things that they are specialist in,” he explained, “such as developing better applications for customers, improving infrastructure services and response times, and everything else. That’s what the customer feels and sees in the first instance – so, now we are using our employees more effectively and efficiently than ever.”