In the press: Cybersecurity best practice for insurers

As the British Insurance Brokers Association (BIBA) announces the launch of a cyber committee dedicated to helping the insurance sector as a whole tackle the increasing number of security breaches, Robert Rutherford shares his insights on how life and health insurance providers can create a successful cybersecurity strategy that will protect their business and confidential data.

Rutherford, CEO of IT support and consultancy firm QuoStar, says hackers are capitalising on dated technology and legacy systems, an issue that has plagued the insurance industry for decades. However, there’s no need for insurers to revamp their entire IT systems to implement a successful cybersecurity strategy. In fact, technology is the last piece of the “cyber puzzle”.

Click here to read the article in full on Life Insurance International

In the press: Insurers’ IT security is “inconsistent”

QuoStar CEO Robert Rutherford says that the number of security breaches that have occurred in the last year alone suggests that insurers have been inconsistent in maintaining their IT security levels.

His comments come as the British Insurance Brokers Association (BIBA) announces the formation of a cyber committee at its 2016 conference. The committee's aim is to help the insurance industry as a whole tackle the vast number of security breaches it currently faces. Rutherford says one of the main issues facing insurance firms, among others, is outdated technologies and legacy systems. This issue has plagued the industry for decades and hackers continue to capitalise on it.

Click here to read the article in full on Life Insurance International

In the press: Panama Papers leak a security “wake up call”


In the wake of the Panama Papers data leak, security experts are once again calling for the c-suite and senior leadership to better understand cybersecurity requirements, strategy and technology.

The data leak released 11.5 million files and 2.6 terabytes of information from the internal database of Panamanian law firm Mossack Fonseca. The documents include shareholder registers, emails and bank statements, and reveal the ways wealthy individuals can exploit offshore tax regimes. Six members of the House of Lords and dozens of political donors are among those with offshore assets.

The implications of the Panama Papers are far-reaching – not only for those involved. It should provide a “wake-up call” to companies of all sizes and sectors.

Security professionals, including Robert Rutherford, CEO of QuoStar, have reiterated that no company is immune to an attack and there are many points to consider when it comes to effective cybersecurity.

Click here to read the article in full on Computer Business Review

Why are passwords insecure?


Too many organisations still rely on passwords alone to allow remote workers, partners and clients to access their business systems.

This generally presents an unacceptable level of risk to a business, because passwords on their own are not secure.

How can passwords be breached?

  • Given to or stolen by another employee
    • Eliminating traceability of actions on the IT systems.
  • Cracked by an external or internal entity
    • Via specialist hacking/cracking software and experience.
  • Recorded by spyware software
    • Installed via a virus or other malicious software.
  • Phished
    • Directing the user to a copy of your login systems to facilitate theft.
  • Given out to a 3rd party unintentionally
  • Stolen in transit
    • Unsecured networks can often facilitate password theft.

As you can see, the number of risks to a user’s password is significant. These are old and proven methods of stealing passwords and using them with malicious intent, such as to enter systems and steal information, hold firms to ransom and the like. Passwords have been insecure for some time, yet many businesses don’t close the hole unless they have a significant security breach. The fact that underground communities swap and trade access details makes this even worse. There’s money in knowing passwords, thus you can buy them online!

How can you increase your security levels?

It’s actually fairly simple to up your levels of security and protect against these risks. You can make your remote system access robust by simply implementing multi-factor authentication as a minimum level of security. It doesn’t make your system hack-proof of course, but it does dramatically increase the security level of systems.

What is two-factor authentication?

Two-factor authentication simply means you use two elements to access your systems: something you know (your password) and something else, i.e. a token device. You may have one for access to your bank; they’ve been in use for years. You can also have the same technology installed as an app on your smartphone.

The fact that you must have at least 2 elements to log in naturally increases your level of security. Every time you log in you must, for example, first enter your password and then enter a unique number which changes, say, every 5 seconds. Now it doesn’t matter if someone knows your password, as they don’t also have the token with the ever-changing number. On the flip side, if you lose your token on the train and someone picks it up, they won’t be able to access your account, as they probably don’t know where you work and, most importantly, they won’t know your password.
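The login check described above, as an added example that is not part of the original article: the "ever-changing number" is computed the way standard time-based tokens do it (RFC 6238 TOTP), and a login succeeds only when both the password and the current code are right. The 30-second step, the `Account` class and the PBKDF2 parameters are assumptions chosen for illustration.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # assumption: RFC 6238 default step; tokens may use another interval
DIGITS = 6


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 code: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = struct.pack(">Q", unix_time // STEP_SECONDS)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so a stolen credential store is costly to crack.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class Account:
    """Hypothetical account record holding both factors' verification data."""

    def __init__(self, password: str, salt: bytes, token_secret: bytes):
        self.salt = salt
        self.pw_hash = hash_password(password, salt)
        self.token_secret = token_secret
        self.last_counter = -1  # highest time step already used (replay guard)

    def login(self, password: str, code: str, now: int, drift_steps: int = 1) -> bool:
        pw_ok = hmac.compare_digest(hash_password(password, self.salt), self.pw_hash)
        base = now // STEP_SECONDS
        matched = None
        # Accept codes from adjacent steps to tolerate clock drift on the token.
        for step in range(max(0, base - drift_steps), base + drift_steps + 1):
            expected = totp(self.token_secret, step * STEP_SECONDS)
            fresh = step > self.last_counter
            if fresh and hmac.compare_digest(expected.encode(), code.encode()):
                matched = step
        if pw_ok and matched is not None:
            self.last_counter = matched  # a code cannot be reused once accepted
            return True
        return False
```

The replay guard matters for the "recorded by spyware" and "stolen in transit" cases listed earlier: a captured code is useless once it has been accepted or its time window has passed.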

It all sounds very simple. That’s because it is. All firms who have people accessing their systems from outside the corporate firewall should be using multi-factor authentication. Actually, it also makes sense for those within the firewall to use it. It’s inexpensive, straightforward and now a necessity. Passwords on their own are not secure and the threat landscape is changing all the time. Organised crime gangs and lone-wolf hackers are on the hunt to extort and steal money from firms – many are sitting ducks.

In the press: Stay safe – Cybercrime in conveyancing

Robert Rutherford, CEO of QuoStar, and Nigel Smith, Managing Partner of Ellis Jones, outline how to protect both firms and clients from scam emails during conveyancing.

“The rise in targeted email attacks against solicitors and their clients continues to dominate the headlines, with one couple recently losing a £45,000 deposit after succumbing to an email from a hacker claiming to be their solicitor. These attacks are clearly dangerous in their current form, but the increased frequency and intelligence behind the attacks means that solicitors will need to become increasingly vigilant in this area, not only for their clients but for the sake of their reputation as well.”

Click here to read the Cybercrime in Conveyancing article in full

 

 

This article was originally published in Property Law Journal (February 2016) and is also available at www.lawjournals.co.uk

2015 technology predictions vs. 2015 reality

Another year has passed, and now we’ve already come to the end of the first full week of January 2016. As we’re back into the swing of things here in the office, I thought now was a great time to review the technology predictions we made for 2015 and see how they fared.

After 20 years in IT this year it appears that I still have a relatively good handle on the market. I’m no oracle but hopefully, our clients can gain some peace of mind knowing that we are always looking forward. Not simply reacting.

Here’s how our technology predictions stacked up

We predicted... Mobile exploits will grow significantly

What happened in 2015:

I wouldn’t have been surprised if we saw a major breach on a mobile platform but we didn’t really see that, except for a large potential around Android and security certificates. We did, however, see a real uptick in attacks and exploits against applications installed on mobile devices. This is pretty logical really – go for the open window rather than the front door. This will be an ongoing concern throughout 2016 unless perhaps you use a Blackberry device (which the outlook still isn’t looking great for I must say) or a robust MDM (mobile device management) solution, such as Airwatch or Good.

We predicted... Cloud growth continues to spiral up, but becomes specialised

What happened in 2015:

This was pretty much a given really and although the figures aren’t really out yet, some research firms in October are stating global growth of the market at around 30% – Amazon has been reporting figures that point toward an 80% growth on their side. As stated, the rise of smaller niche players has certainly started to make an impact across all sectors, although many are simply spinning their marketing rather than truly engineering around particular sectors. I would expect this to change over the coming 24 months.

We predicted... Big data noise will fade down

What happened in 2015:

Thankfully the Big Data noise dropped significantly. It was ridiculous and the market, in general, stopped labelling BI (Business Intelligence) as big data. You’ll see the second coming of BI this year en-masse as firms need greater information to make appropriate business-focused decisions.

We predicted... cloud hype turns to hybrid cloud

What happened in 2015:

Hybrid cloud is pretty much the norm in all but small enterprises. We are thankfully returning to proper engineering – using the right tools (architecture) for the right jobs. In many ways, there has been a reversal. People are using the cloud for their main business operations and replicating key systems back on-site for continuity purposes. The tech is now cheap, the skills aren’t so expensive and are much more widespread – it makes sense.

We predicted... enterprise security spend increases

What happened in 2015:

Gartner was stating back in September that they expect global security spend to rise to $75.4bn by the end of 2015. That’s a jump of 4.7% which is certainly significant. I would have expected an extra 1-2 % but it appears that the upping of prices of many security systems has led to a prioritisation of spending. Again, I expect spending to rise by a similar percentage in 2016 with all the noise around security threats ‘growth’.

We predicted... All we'll hear is IoT

What happened in 2015:

The noise around IoT has been relatively deafening throughout the year and has continued to grow. Everything is now becoming connected, from old manufacturing equipment (retrospective) through to TVs and heating in the home. We’ve seen 90% of large network operators (over 100,000 IP addresses) actively deploying or have already deployed IPv6 according to a BT survey which will aid in further growth of IoT technologies. Another key point from the same survey is that two-thirds of enterprise companies also signalled IPv6 deployment activity.

We predicted... Business continuity will be demanded by the client

What happened in 2015:

We’ve certainly seen an uptick in the demand for improved disaster recovery and business continuity, particularly in the finance, legal and manufacturing sectors. Regulators are driving much of this but clients’ expectations of their ‘suppliers’ are also higher. I’ve not seen any real demand for the ISO 22301 standard (Business Continuity) as I believe that anyone considering protecting their business from disruption understands that this falls into IT security and the ISO 27001 standard covers the whole area.

We predicted... with the rise of the Microsoft Surface and similar devices, expect to see Apple devices - particularly the iPad - drop in popularity

What happened in 2015:

As detailed, people generally do need more from their device than the iPad can deliver. It’s old tech and for the last seven quarters sales have declined – that’s significant. We’ve seen Microsoft Surface outsell the product, particularly online, with 45% of online sales vs Apple’s 17%. Sure, online sales aren’t everything but you cannot ignore those figures. Yes, Apple has launched a business-focused iPad device but once behind in the game, it’s a long hill to climb back up. The iPhone is still popular as it’s still superior to the rest of the market for the everyday user in my opinion. This gives Apple a good foothold to pull back from. Personally, I’d expect to see an uptick in the Microsoft Lumia sales in 2016 as they really start to pull the eco-system together.

Robert Rutherford – CEO of QuoStar

In the press: Solicitors told to up security after couple loses £45,000


Law firms have been urged to increase security measures in the wake of online scams where hackers pose as solicitors.

In a recent case published in the Daily Mail Online, a newlywed couple lost their £45,000 deposit for a three-bedroom home in Bishops Stortford in Hertfordshire after sending the money to a hacker rather than their solicitor.

In this case, the hacker monitored emails between the buyer and solicitor, then sent a fraudulent email from the solicitor’s address asking for the deposit to be paid into an alternative account. It was only when the solicitor said the money had not arrived that the scam was revealed.

According to the Solicitors Regulation Authority, around four companies a month are being targeted by fraudsters.

In response, Robert Rutherford, CEO of IT consultancy QuoStar, recommends that solicitors use encryption technologies and secure online portals to prevent consumers from losing their hard-earned savings.

Read the rest of the article online on Mortgage Introducer

In the press: Digitising the courtroom and the impact on law firms

Andrea Beech asks how digitising the courtroom could affect law firms.


In the Autumn Statement last month, an increased focus on digital and technology was a common thread across all departments, from a £450m investment for the Government Digital Service to a £1bn investment in a 4G communications network for the emergency services.

As part of this huge planned £1.8bn investment in digital, over £700 million has been allocated to fully digitise the justice system in the UK. This removes the need for the current paper-based system and will ultimately generate taxpayer savings of approximately £200m a year from 2020. This will be due to the reduction in basic costs.

It is said digitising the justice system will remove the requirement for over 500,000 pre-trial hearings in the criminal courts. It will also significantly reduce court hearing times and the amount of time spent on basic administrative functions. All of these results would have a positive effect on law firms operating in the UK.

The positives of digitising the courtroom

One of the most obvious benefits here is the reduction in costs. This would be for both the taxpayer and the law firms themselves.

Read the article in full on Computers & Law

In the press: Digitising courtrooms & law firms


Digital was a key focus of the Autumn Statement this year, with a total of £1.8 billion in planned investments listed by the Chancellor at the end of November. Part of this embrace of digital included an allocation of £700 million to fully digitise the courtrooms, moving from the current paper-based system to an online one, which looks to revolutionise the processes within the justice system once rolled out.

According to the Statement, not only will over 500,000 pre-trial hearings in the criminal courts no longer be necessary, but this digitisation will also significantly reduce the amount of time spent conducting court hearings, ultimately generating taxpayer savings of approximately £200 million per year from 2020.

A digitised justice system has been in the pipeline for several years but is only being implemented now. For law firms who have yet to embrace digital, there could be knock-on effects that will need to be addressed. However, there are certainly many positives to this tech-focused change as well.

What if law firms have yet to go digital?

At the moment, there is definitely a question of whether law firms are ready for this digital change. Unless all lawyers within a firm are fully competent with digital technology, digitisation will almost certainly become a security risk. Private data could be, for example, sent to the wrong person due to confusion about the correct processes to follow. It is, therefore, critical that all individuals are thoroughly trained on the new system from the outset.

Are the courts themselves ready?

The courts will also need to prepare for this large-scale digitisation. Full system integration, continuous network (private or public) access throughout the courtrooms and a means of displaying evidence digitally will lay the foundations for a digitised court system. The level of data required within the courtrooms for each active case also means that the government will need to invest in robust IT platforms to ensure resilience, availability and performance on scale. This is simple enough in many ways, but the size of the deployment will require top-tier architecture and expertise.

Is security an issue?

Law firms will continue to be responsible for their data security in the new digitised system. What remains to be seen, however, is what happens after files are sent outside of a particular law firm, whether this is to the courtroom or to any third parties also working on a particular case.

It is vital that the government and the justice system as a whole can guarantee that the security of any data will be maintained outside the confines of each individual law firm. However, as it stands, law firms cannot yet be certain as to how data will remain secure once released for third-party viewing. At the end of a case, the courts will need to guarantee that the data provided is secure, and that they will securely destroy the data once it is no longer required for evidence.

Once risks like these have been addressed, digitisation could arguably offer greater protection from a security standpoint. Due to the highly confidential nature of client information, digital courtrooms would need to have strong security systems, even if firms are no longer transporting physical files between locations.

It is therefore crucial that the appropriate access rights are determined for all individuals involved with these documents. Solutions such as 2-factor authentication will be essential to ensure that data is only accessed by the right people. The days of passwords are over.

Law firms are increasingly becoming a target for cyber-attacks due to the high levels of sensitive data and access to monetary funds on-site. This is a real concern if the legal sector is being asked to become more digitally savvy, as this makes them an even greater target.

Looking ahead

At the moment, it’s still unclear which processes will be introduced to digitise the courts. This makes it difficult for law firms to prepare for these upcoming changes. However, the move to digital in the legal sector will ultimately be a positive one. It will offer more control, a systemised process and better security, in addition to increasing the economic efficiency of the justice system. Law firms must, therefore, take steps to embrace technology. It’s important to seek expert guidance now, so you can compete and thrive during this digital roll-out in the future.

Originally published on Legal Compliance Today