"Physician, heal thyself" is an expression that many people use to criticize a lack of standards among groups or organizations that are charged with enforcing those same standards among others. And a paraphrase that applies to the insurance business is "insurer, protect thyself."

It turns out that for a business that is so conscious — and conscientious — of all things involving risk, the insurance industry neglects its own risk, especially when it comes to data breaches. That neglect has cost companies millions in court settlements and regulatory fines.

You've been breached

Among the insurance companies that have paid a price for failing to prevent data breaches is Nationwide Mutual and its subsidiary, Allied Property and Casualty Insurance Company. Nationwide is on the hook for a more than $5 million fine resulting from a 2012 data breach that divulged details on 1.27 million customers.

Also on the firing line are CareFirst, which is the target of a class-action lawsuit for a 2014 data breach that affected more than one million people, and Horizon Blue Cross Blue Shield, which is in the midst of a class-action suit over a 2013 breach that hit 800,000 victims when their data was accessed.

The Horizon case is notable because the records were on two laptops stolen from the insurer's Newark, N.J., headquarters and were not encrypted, as required by federal law. Horizon has numerous procedures (and presumably numerous employees) dedicated to risk assessment and evaluation, but when it came to its own risk assessment, the company was unprepared.

These are just a few examples; the industry knows it has a problem and is anxious to solve it. According to a report by Accenture, insurance companies experience on average 113 cyber attacks each year — with one out of every three succeeding in causing a data breach. With that, two thirds of companies said they didn't even realize they had been hacked until the damage was done — and 61% admitted that it took them "months" to detect breaches.

Recipient beware

These organizations have presumably installed state-of-the-art cybersecurity systems. The report says that 72% of companies believe they have "completely embedded cybersecurity into their cultures." Despite that effort, according to the Accenture report, the danger from hackers for the insurance industry is even greater than in the financial industry.

"The ability of cyber crooks to monetize stolen data, enabled by the dark web and crypto-currencies like Bitcoin, has changed the focus of many attackers," Accenture says. "The actual money is heavily guarded, even in cyber space, but personal data is much easier to steal." Companies may believe they are sufficiently protected, but the statistics prove otherwise.

If insurance companies are major targets for hackers, it stands to reason that they will try harder to breach security systems — which means that companies need to shore up their weakest security links. In insurance companies, like almost everywhere else, it's the people who work there who are the weakest link. A whopping 91% of cyber attacks and resulting data breaches in 2016 started with a spear phishing email, according to a recent study.

In a spear phishing attack, victims are tricked into clicking on something — a web link or an e-mail attachment — that allows hackers to surreptitiously connect to their systems, allowing them a foothold they can exploit to laterally move throughout the network until they find useful information.

As a result, many companies have instituted programs to educate, persuade or threaten employees into being more careful when handling links or attachments, and as a result there is a greater awareness of the dangers involved in making those connections. But even with that awareness, victims apparently can't help themselves; a study at Friedrich-Alexander University shows that even with full knowledge of the risks involved, as many as 56% of e-mail recipients and some 40% of Facebook users still clicked on links sent them by an unknown sender.

Employees are one of a company's most vulnerable areas for cyber security, so implementing multiple safeguards provides greater protection. (Photo: Shutterstock)

Smarter computing

Companies clearly can't rely on their employees to protect the organization; yet it appears they can't rely on cybersecurity systems either, which apparently are unable to mitigate the risks posed by phishing.

What's left, then? One idea is to prevent employee access to the internet altogether; but in an interconnected world, that's impractical. However, companies can opt for a system based on preventing hackers from getting into a system by breaking the direct connection between an employee's click and a hacker's access. Connections are made in a "safe zone," where they are evaluated before they are allowed to proceed. The concept, known as network segregation, is an upgrade of the sandbox, which enables users to isolate suspicious files and run them without impacting the rest of the computer.

In a network segregation scheme, internal corporate networks containing essential information — user records, corporate data and the like — are kept out of the internet altogether. E-mail messages and attachments are broken down and analyzed in the safe zone, where their connections and activities are checked to ensure they are legitimate — such as if a link that is supposed to go to a specific website does indeed lead there, or is redirected to another site, a sure sign of a cyber-attack.

If malware, redirection, or any other suspicious activity is detected, the element responsible for that activity is neutralized, and the message or attachment is reconstructed and forwarded to the recipient. Thus, the suspicious item is sanitized, but workflow is not interrupted — an improvement over a sandbox, which would just dump a suspicious file.
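
The two paragraphs above describe the safe-zone flow in general terms: take a message apart, check where each link really leads and whether that matches where it claims to go, drop what cannot be trusted, and rebuild the message so it still reaches the recipient. The script below is an added example written for this page; it is not code from the article, from BUFFERZONE, or from any product. It assumes a pluggable redirect lookup (a constructed table, `FAKE_REDIRECTS`, stands in for the HTTP HEAD requests a real safe zone would make), an allow-list of attachment types (`SAFE_ATTACHMENT_TYPES`), and a constructed sample message with hypothetical `.test` hostnames; all of those names are assumptions, not anything the article specifies.

```python
import email.policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: attachment types forwarded unchanged; anything else is stripped.
SAFE_ATTACHMENT_TYPES = {"application/pdf", "text/plain", "image/png", "image/jpeg"}
# Constructed stand-in for live redirect lookups: URL -> Location it redirects to.
FAKE_REDIRECTS = {"https://short.example.test/x1": "https://login.attacker.test/harvest"}
fake_fetch = FAKE_REDIRECTS.get  # unknown URLs return None, i.e. no further redirect

class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

host_of = lambda url: (urlparse(url).hostname or "").lower()

def resolve_final_url(url, fetch, max_hops=5):
    """Follow redirects via fetch(url) -> next URL or None; return where the link lands."""
    for _ in range(max_hops):
        nxt = fetch(url)
        if nxt is None:
            return url
        url = nxt
    return url  # hop limit hit: the host comparison below still flags a redirect loop

def link_is_suspicious(href, text, fetch):
    """Reasons to neutralize a link: it redirects off its own host, or its visible text names a host other than the one it finally lands on."""
    final_host, href_host = host_of(resolve_final_url(href, fetch)), host_of(href)
    reasons = []
    if final_host != href_host:
        reasons.append(f"redirects {href_host} -> {final_host}")
    if "." in text and " " not in text:  # visible text looks like a URL or hostname
        claimed = host_of(text if "://" in text else "https://" + text)
        if claimed != final_host:
            reasons.append(f"text claims {claimed} but lands on {final_host}")
    return reasons

def sanitize_message(raw, fetch=fake_fetch):
    """Take a raw message apart, neutralize bad links and attachments, and rebuild a clean message to forward. Returns (clean_message, report)."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    report = []
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    extractor = _LinkExtractor()
    extractor.feed(html)
    for href, text in extractor.links:
        reasons = link_is_suspicious(href, text, fetch)
        if reasons:  # keep the anchor text so the recipient sees what was blocked
            html = html.replace(f'href="{href}"', 'href="#blocked-by-safe-zone"')
            report.append(f"link neutralized: {href} ({'; '.join(reasons)})")
    clean = EmailMessage()
    for name in ("From", "To", "Subject"):
        if msg[name]:
            clean[name] = msg[name]
    clean.set_content(html, subtype="html")
    for part in msg.iter_attachments():
        ctype, fname = part.get_content_type(), part.get_filename() or "attachment"
        if ctype in SAFE_ATTACHMENT_TYPES:
            clean.add_attachment(part.get_payload(decode=True), *ctype.split("/", 1), filename=fname)
        else:
            report.append(f"attachment removed: {fname} ({ctype})")
    return clean, report

# Constructed sample: a genuine link, a shortened link that redirects elsewhere, a PDF, an executable.
CONSTRUCTED_EMAIL = b"""\
From: claims@portal.example-insurer.test
Subject: Claim 4471 awaiting your review
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Review the claim at <a href="https://portal.example-insurer.test/claims">portal.example-insurer.test</a>.</p>
<p>Quick link: <a href="https://short.example.test/x1">portal.example-insurer.test</a></p>
--b1
Content-Type: application/pdf; name="claim-4471.pdf"
Content-Disposition: attachment; filename="claim-4471.pdf"

%PDF-1.4
--b1
Content-Type: application/octet-stream; name="invoice.exe"
Content-Disposition: attachment; filename="invoice.exe"

ABCDEF
--b1--
"""
```

Running `sanitize_message(CONSTRUCTED_EMAIL)` returns the rebuilt message plus a two-line report: the shortened link is neutralized because it redirects to a different host and because its visible text claims the insurer's portal, and the executable is dropped while the PDF is re-attached. The genuine link passes unchanged, which is the point the article makes about workflow continuing. In a real deployment the `fetch` argument would perform the lookup from inside the isolated zone, and the attachment allow-list would be paired with content inspection rather than trusting the declared content type alone.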

With this system, insurance companies or other businesses could better protect themselves from breaches based on phishing campaigns, the root of much of the cyber-insecurity encountered today. While cybersecurity is essential for any company, staying cyber safe is a matter of business life and death for insurance companies — especially since courts are taking a harder stance against companies that fail to protect their customers' personally identifiable information.

Tal Vegvizer ([email protected]) is the director of R&D at BUFFERZONE.

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.