How to increase security & better protect your insurance firm
November 7th, 2016
In recent years insurance firms have been targeted by numerous cyber attacks, both internal and external, including those by disgruntled former employees and organised cybercriminals. With the UK insurance industry alone managing investments of £1.9 trillion it is no surprise these firms are such an attractive target. Not only do these firms have a lot of capital funds on their systems at any one time, but they also have access to a wealth of customer data – the perfect tool for hackers to use for blackmail or to release to the public with the intent of causing reputational damage.
How do cybercriminal target insurance firms?
Gone are the days when individuals just hacked for “fun” or to prove that they could access a company’s system. Now their motives are far more calculated. This, in turn, has also changed the method of attack. Cyber attacks are rapidly becoming more sophisticated and for the hacker who is willing to be patient and clever the rewards stand to be substantial, whether that’s financial gain or the potential to damage – in some cases irreparably – a firm’s identity and reputation.
While insurance firms can be exploited through software vulnerabilities, social engineering is another popular tactic for many hackers. It essentially involves using tricks or tactics to gain information from legitimate users of a system in order to gain unauthorised access, without having to break in. Examples include calling targeting employees pretending to be from IT or maintenance, and requesting login details in order to “fix a problem”. As this can be a common helpdesk request some users may respond, which highlights the need for continual end-user training. Employees are often a firm’s first line of defence and, as such, must be able to recognise any red flags – such as suspicious emails or calls – and understand the appropriate escalation process.
How can insurance firms protect themselves?
When it comes to determining a security strategy, and overall IT strategy, the insurance sector faces pressure from multiple angles. The sector faces additional regulatory burdens, in comparison to some other sectors. They are also under continual pressure, from a technical aspect, to modernise their systems to ensure customer data is highly secure. Yet this data still remains accessible for review and processing.
These pressures combined can result in increased overheads and reduced margins, which can lead to decreased technical investment. However, when it comes to cybersecurity, technology should actually be the last piece of the puzzle.
Determining a security strategy should really begin with a firm understanding what their assets are, and then assessing them to determine potential risks. A reliable starting point is the ISO 27001 standard. This is a global accreditation which essentially covers best practice in regards to information security. It helps firms manage security by reviewing assets, assigning controls and monitoring processes.
Education will always be a key element of any security strategy. Social engineering is developing at a rapid pace and employees remain vulnerable as these attacks essentially manipulate trust. A comprehensive security policy should cover basic elements such as password strength, disclosing confidential information and physical security. You should then share the policy with the whole company. A security-aware culture will mean that potential threats will flag up with employees, who can then make the correct decisions. Even when the request seems genuine.
Recent high-profile breaches must serve as a warning that they are a prominent target for cybercriminals. This is likely to continue, if not increase. Taking steps to protect customer and financial data will protect your brand reputation and profitability. Therefore it makes sense to implement policies and systems to secure your business and review these regularly. The consequences of failure can be devastating, or even fatal, so cybersecurity must be a priority.
How long should I keep my email for?
A large percentage of business decisions are now made completely via email, yet many organisations have no retention policy in place to protect those messages. While those businesses may have been lucky up until now, there will likely come a time when they need to retrieve a historical email. At best, they will have to […]
Why are passwords insecure?
Too many organisations are still just relying on passwords to allow remote workers, partners and clients to access their business systems. This generally presents an unacceptable level of risk to a business, passwords on their own are not secure. How can passwords be breached? Given to or stolen by another employee Eliminating traceability of actions on […]
In the press: Cybersecurity best practice for insurers
As the British Insurance Brokers Association (BIBA) announce the launch of a cyber committee dedicated to helping the insurance sector as a whole tackle the increasing numbers of security breaches, Robert Rutherford shares his insights on how life and health insurance providers can create a successful cybersecurity strategy that will protect their business and confidential […]