Insurers may believe they are protected from cyber attacks by guarding against external threats, but glaring internal risks remain if a carrier does not implement a layered approach to security that includes educating employees about how to recognize and avoid attacks.
According to the 2011 CyberSecurity Watch Survey conducted by the U.S. Secret Service, the CERT Insider Threat Center at Carnegie Mellon University, CSO Magazine, and Deloitte, 21 percent of identified electronic crime perpetrators are company insiders, whether those with malicious intent or unsuspecting victims of a phishing attack.
Almost half of responding corporations believe that damage caused by insider attacks is more severe than damage from outsider attacks, and not without reason: CERT identified more than 800 “insider” threat cases since 2001, with more than 100 significant incidents occurring in the last year.
PC360 spoke to two IT experts specializing in the insurance industry about how layers of security (“onions”) and a solid ERM approach are replacing the hard-crust, soft-center (“Skittle”) mentality corporations used to take towards cyber protection.
Q: What kind of cyber security measures could insurance companies implement?
A: The question is not the steps large insurers ‘could be’ implementing, but ‘bloody well should be’ implementing. They need layered, defense-in-depth protection, starting with encrypting their actual data, protecting the application that processes the data, protecting the computer that holds the data, protecting the computer’s network, installing a firewall, and then training the employee user base—the weakest link in IT security—about avoiding spamming or phishing attacks. Think of it like layers of an onion.
Q: How can companies train their employees to be the outer shield of protection against cyber attacks?
A: It’s a three-step process: KnowBe4 sends everyone in the company a simulated phishing attack via email to see who clicks on it. Then we do a 40-minute web training about avoidance techniques. We continue to send two or three simulated attacks per month—then every email in their system becomes a test. The click rate on phishing attacks goes down by 80 to 90 percent.
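The program described above is only as useful as the numbers it produces: the click rate of each simulated campaign and how far it has fallen from the first, untrained baseline. The script below is an added example written for this article, not KnowBe4’s code or tooling. It assumes a constructed campaign log in the form `campaign,date,user,event` (events `clicked`, `reported`, `ignored`), computes the click rate per campaign, the percentage drop versus the baseline, and lists the users who clicked in more than one campaign, which is the group a security team would schedule for additional training.

```python
"""Per-campaign click rates for a simulated-phishing program.

Added example for this article; not KnowBe4 code. The log format
(campaign,date,user,event) and the sample lines below are constructed.
"""
from collections import defaultdict

# Constructed sample log: one line per recipient per campaign. The event is
# the most severe action observed for that recipient (clicked > reported > ignored).
SAMPLE_LOG = """\
campaign,date,user,event
baseline,2013-06-03,alice,clicked
baseline,2013-06-03,bob,clicked
baseline,2013-06-03,carol,clicked
baseline,2013-06-03,dave,clicked
baseline,2013-06-03,erin,reported
# awareness training delivered 2013-06-10
followup-1,2013-07-01,alice,reported
followup-1,2013-07-01,bob,clicked
followup-1,2013-07-01,carol,ignored
followup-1,2013-07-01,dave,reported
followup-1,2013-07-01,erin,reported
followup-2,2013-07-15,alice,ignored
followup-2,2013-07-15,bob,clicked
followup-2,2013-07-15,carol,reported
followup-2,2013-07-15,dave,ignored
followup-2,2013-07-15,erin,reported
"""

VALID_EVENTS = ("clicked", "reported", "ignored")


def parse_log(text):
    """Return (campaign, date, user, event) tuples; skip header, blanks and
    '#' comments; reject malformed lines or unknown events loudly rather
    than silently undercounting clicks."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("campaign,"):
            continue
        fields = line.split(",")
        if len(fields) != 4:
            raise ValueError(f"expected 4 fields on line: {line!r}")
        campaign, date, user, event = fields
        if event not in VALID_EVENTS:
            raise ValueError(f"unknown event {event!r} on line: {line!r}")
        rows.append((campaign, date, user, event))
    return rows


def click_rates(rows):
    """Map campaign -> clicked / recipients, preserving campaign order."""
    sent = defaultdict(int)
    clicked = defaultdict(int)
    order = []
    for campaign, _date, _user, event in rows:
        if campaign not in sent:
            order.append(campaign)
        sent[campaign] += 1
        if event == "clicked":
            clicked[campaign] += 1
    return {c: clicked[c] / sent[c] for c in order}


def reduction_percent(rates, baseline="baseline"):
    """Percent drop of the latest campaign's click rate relative to the
    baseline campaign; 0.0 if the baseline had no clicks to reduce."""
    base = rates[baseline]
    latest = list(rates.values())[-1]
    if base == 0:
        return 0.0
    return round(100.0 * (base - latest) / base, 1)


def repeat_clickers(rows, min_clicks=2):
    """Users who clicked in at least min_clicks distinct campaigns."""
    clicks = defaultdict(set)
    for campaign, _date, user, event in rows:
        if event == "clicked":
            clicks[user].add(campaign)
    return sorted(u for u, c in clicks.items() if len(c) >= min_clicks)


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    rates = click_rates(rows)
    for campaign, rate in rates.items():
        print(f"{campaign:12s} click rate {rate:.0%}")
    print(f"reduction vs baseline: {reduction_percent(rates)}%")
    print("repeat clickers:", repeat_clickers(rows))
```

Two design points: the parser fails on unknown events instead of skipping them, because a quietly dropped `clicked` row makes the program look more effective than it is; and the repeat-clicker list is keyed on distinct campaigns, so a user who clicked twice in one campaign is not mistaken for someone who keeps falling for new lures.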
Q: How does an insurance company usually fall prey to a hacker’s attack?
A: Employees in the company are sent a message encoded with special technology, and when the e-mail is opened hackers are able to get into network databases containing health and financial information owned by insurers. Many insurers haven’t realized that cyber crime has gone pro as a $3 billion industry: organizations pick the best and brightest out of universities, pay them a good salary and give them benefits. In some Eastern European countries it is not illegal to hack American companies.
Q: Are there legal regulations or frameworks for insurers that deal with cyber risk training and monitoring?
A: There are no specific laws requiring training, but there are business frameworks, such as those published by the International Standards Organization (ISO), and state-by-state measures such as the New York State Department of Financial Services’ (DFS) “308 Letters.” [The program, launched by Governor Andrew M. Cuomo in May 2013, sends insurers letters of inquiry about the steps they are taking to protect their customers from cyber threats; recipients are legally required to respond.] If an insurance company is self-insured and processes sensitive health information on its employees’ behalf, then it would have to follow HIPAA rules about data privacy.
Q: What kinds of information are hackers looking to gather from insurance companies?
A: They are looking for intellectual property, merger and acquisition ideas, pricing data, pricing models, and personally identifiable information (PII). They are also looking for conduits into other organizations.
Q: Should insurers be following a layered approach to security, and how can they implement it using their available time and resources?
A: It takes a village to create cyber security. You can’t have what we call a “Skittle approach,” where your security is hard on the outside and soft inside. If you don’t have an interconnected ERM approach from company governance to compliance and HR to IT staff, you’ll never win the cyber battle just through training or technology. Cyber risk is as much a strategic issue as pricing when it comes to the risk pool—the most important ability is to detect and monitor threats, learn and adapt.