BUSINESS: Generali Osiguranje Serbia is the country’s second-largest insurer.
SIZE: 1,500 employees
BUSINESS CHALLENGE: Generali was storing the personal data of the three million people it insures but lacked a coherent approach to cyber threat detection. How could the company find a dedicated solution to secure its data before disaster struck?
WHY THEY CHOSE Enterprise TruRisk Platform:
A subsidiary of Generali Group, Generali Osiguranje Serbia is the second-largest insurer in its domestic market. Insuring three million people and employing over 1,500, the company is a leader in the Serbian life and health insurance sector – earning 19.8 billion Serbian dinars (approximately 190 million USD) in premiums in 2017.
Storing personal data is a necessity in the insurance industry, and people expect that their insurer will handle and manage their information securely. As one of the leaders in its domestic market, Generali Osiguranje Serbia holds financial and other sensitive types of data on the three million people it insures, but it lacked a mature solution for identifying the latest cyber threats and safeguarding data.
Nebojsa Varoscic, IT Security and Risk Manager at Generali Osiguranje Serbia, says: "We previously had no formal vulnerability management tools in place. We relied solely on third parties to come in and run scans to identify any risks, which was both costly and not sufficiently frequent.
"It was clear to us that this approach was unsustainable in the longer term. Our parent company, Generali, launched new information security policies and guidelines to better protect our data. These guidelines included making a dedicated employee responsible for the information security domain at each subsidiary. Also, given the speed at which cyber threats can emerge and evolve, and the extensive damage they can do, it was clear that we needed to adopt dedicated tools sooner rather than later."
Generali Osiguranje Serbia ran into further challenges when faced with new data protection regulations from the Serbian government. Following the adoption of the General Data Protection Regulation (GDPR) in the European Union, the Serbian Ministry of Justice published its own Data Protection Act, mostly replicating the principles of GDPR. The deadline by which companies must align their business with the new act is August 21st, 2019.
Nebojsa Varoscic says: "The new regulations meant we had to work even faster to find a solution, so we quickly identified our key requirements. We wanted a solution that could quickly and clearly identify threats to our heterogeneous environment, as well as provide a view of the assets on our network to support the push for compliance."
Generali Osiguranje Serbia reviewed offerings from several leading information security vendors and chose to work with Qualys based on its reputation for excellence and on the ease of use of its solutions.
"Qualys came highly recommended," says Nebojsa Varoscic. "The user-friendliness of the Qualys solutions immediately stood out, and that was a major element in building out our environment."
Generali Osiguranje Serbia deployed Qualys Vulnerability Management (VM) to provide automated monitoring of potential security threats across its heterogeneous infrastructure.
Nebojsa Varoscic says: "We now use Qualys VM to monitor all 56 of our publicly exposed IP addresses, as well as a variety of different applications across our network. All these systems are subject to a weekly scan from Qualys VM. We’ve also adopted a policy of scanning any new server or device for potential risks before we store any sensitive information.
"When Qualys VM detects a risk on one of these systems, we usually prioritise according to the standard Qualys severity rating. We do also produce two customised threat severity reports, but we find the Qualys ranking usually provides everything we need to remediate the most pressing concerns. We deliver summary reports from Qualys to executive board members on a quarterly basis."
Qualys VM is also helping Generali Osiguranje Serbia to comply with internal and external policies.
Nebojsa Varoscic says: "Qualys VM works just as well for asset discovery. With our entire network regularly scanned we can easily see when a new device is added and check that it meets the regulatory standards."
With Qualys VM in place, Generali Osiguranje Serbia has assurance that any potential risks to its infrastructure will be promptly highlighted, and by extension that all the personal data of the three million people it insures is thoroughly protected against the latest cyber-attacks.
Nebojsa Varoscic adds: "Qualys VM really has revolutionised our information security posture. The clarity of reporting and threat prioritisation means even non-experts can rapidly understand the potential scope and impact of emerging vulnerabilities. After implementing the Qualys solution, we were able to remediate at least 50 percent of the vulnerabilities present on our network in just three months."
He continues: "Qualys even helped us avert at least one major security breach, thanks to its fast reaction to Heartbleed. On the morning the vulnerability was discovered, we had an emergency email from Qualys warning us about the severity of the situation. We reacted quickly, first running scans to identify the scale of our exposure, then forming a team to complete the necessary patching.
"Later that evening, I got calls from colleagues at other institutions warning me about Heartbleed, but by then we had already mitigated a third of the risks. Thanks to Qualys, we were well ahead of the game."
Qualys VM has not only enabled more efficient and effective threat remediation at Generali Osiguranje Serbia, but also provides peace of mind during compulsory audits.
Nebojsa Varoscic explains: "The scanning capabilities of Qualys make it easier to complete technical audits, so we can immediately see how all of our infrastructure is configured and whether the latest patches have been completed. This capability is invaluable in helping us to comply with the Serbian Data Protection Act."
Impressed with the flexibility and cost-effectiveness of Qualys VM, Generali Osiguranje Serbia plans to extend its landscape by adding Qualys Web Application Scanning (WAS).
Nebojsa Varoscic concludes: "Qualys VM provides permanent protection and is also more cost-effective than the external scanning approaches we used previously. All in all, we estimate that our vulnerability management costs are now 50 percent lower with Qualys. It’s benefits like this that make us want to do more with Qualys, and we look forward to using the Qualys WAS solution to help improve the security of customer-facing systems."