With 70% of large insurance firms having reported a serious hacking attempt, Robert Rutherford, CEO of the business and technical consultancy QuoStar, says it is clear hackers are still capitalising on dated technology. He explains insurers do not have to entirely revamp their IT systems to implement a successful cybersecurity strategy – in fact, technology is the last piece of the cyber security puzzle.
At its 2016 conference, the British Insurance Brokers’ Association (BIBA) announced the formation of a cyber committee to help the insurance industry as a whole tackle the vast number of security breaches it is currently facing.
With 70% of large insurance firms having reported a serious hacking attempt, it is clear that hackers are still capitalising on dated technology, something that has plagued the insurance industry for decades.
Whilst BIBA’s committee is certainly a step in the right direction for the industry, organisations remain at risk on a daily basis and must educate themselves as to the importance of an IT security strategy and an Information Security Management system before this committee is put into action.
The insurance industry is notorious for its legacy systems and outdated technology. Due to the richness of data held on aging systems – which not only includes financial and medical data of clients, but also confidential information from the firms themselves – insurers are finding themselves facing a barrage of cyber attacks on a daily basis.
What happens if an insurance firm is hacked?
In January last year, US health insurer Anthem was hacked through an employee opening a seemingly harmless internal message, which turned out to be a phishing email.
Using the employee’s credentials, hackers mined Anthem’s database to gain access to records of over 78m customers who had used the insurer’s plans.
This breach understandably sent shockwaves through the healthcare industry as a whole, but this didn’t stop the hacks from occurring.
According to the US Department of Health and Human Services, eight of the 10 largest hacks ever recorded in the healthcare industry have happened over the past year, with over 100m health records accessed by fraudsters.
Any firm in the UK insurance industry, whether health, life or car insurance, is required by law under the Data Protection Act to safeguard its clients’ information.
The number of breaches over the last year alone suggests that insurers have been inconsistent in maintaining IT security levels, and this must be examined and taken seriously at a senior level if firms are to protect themselves and their clients in the future.
How are firms leaving themselves vulnerable?
Typically, aged software and a failure to keep up to date with security patches expose insurance firms of all sizes to known software vulnerabilities.
However, the primary route to a breach is via social engineering of staff. Scam emails are a typical route, as demonstrated by the Anthem hack. This can take months of preparation, from setting up a similar domain name, copying email styles and signatures, through to even visiting a firm’s office to gain further information to create a convincing imitation.
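One defensive check for the lookalike-domain stage described above is to screen sender addresses against the firm's own domain. The example below is added here and is not from the article or from QuoStar; the firm domain and sender addresses are constructed, and the homoglyph table is a small illustrative subset rather than a complete list.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed example values: a hypothetical insurer's domain.
LEGIT_DOMAIN = "example-insurer.co.uk"

# Common character substitutions used in lookalike domains (illustrative subset).
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalise(domain: str) -> str:
    """Fold accented/Unicode lookalikes to ASCII and undo common substitutions."""
    folded = unicodedata.normalize("NFKD", domain.lower())
    folded = folded.encode("ascii", "ignore").decode()
    for fake, real in HOMOGLYPHS.items():
        folded = folded.replace(fake, real)
    return folded


def registrable(domain: str) -> str:
    """Crude registrable-domain extraction: keeps 'x.co.uk' style suffixes intact."""
    labels = domain.split(".")
    if len(labels) >= 3 and labels[-2] in ("co", "org", "ac", "gov"):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_sender(address: str, legit: str = LEGIT_DOMAIN, threshold: float = 0.85) -> str:
    """Return 'internal', 'lookalike' or 'external' for a sender address."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    if domain == legit or registrable(domain) == legit:
        return "internal"          # the real domain or one of its subdomains
    if legit in domain:
        return "lookalike"         # e.g. example-insurer.co.uk.evil.com
    if normalise(domain) == normalise(legit):
        return "lookalike"         # homoglyph substitution, e.g. exarnple-insurer
    score = SequenceMatcher(None, normalise(domain), normalise(legit)).ratio()
    return "lookalike" if score >= threshold else "external"


def flag_senders(addresses: list[str]) -> dict[str, str]:
    """Classify a batch of sender addresses, e.g. pulled from mail gateway logs."""
    return {addr: classify_sender(addr) for addr in addresses}


if __name__ == "__main__":
    for addr, verdict in flag_senders(["claims@mail.example-insurer.co.uk",
                                       "hr@examp1e-insurer.co.uk"]).items():
        print(f"{verdict:10} {addr}")
```

The similarity threshold is a tuning knob: a lower value catches more variants but will also flag unrelated short domains, so review flagged senders rather than blocking outright.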
Insurance firms must note that any device connected to the network can have a weakness. If a weakness is identified, the vendor of that software will issue a ‘patch’, or update, to fix said weakness, and the cycle continues.
The risk to an insurance firm lies in the time between the vulnerability being identified and it being fixed. To keep this window of opportunity as small as possible, firms must concentrate on running more frequent cybersecurity checks.
Firms across the insurance industry must also train their employees well, and ensure that they are kept informed of any current and potential threats to a firm’s security. By training employees in a seminar-based format, organisations can demonstrate just how easy it is to succumb to a hack.
If a majority of insurance firms in the UK undertook this simple step, it would dramatically increase the cyber defences of the industry as a whole.
Developing a security strategy
It is important to note that insurers do not have to entirely revamp their IT systems to implement a successful cybersecurity strategy – in fact, technology is the last piece of the cyber security puzzle.
The work involved is about improving existing systems and turning employees into the first line of defence. At present, it is likely that the majority of employees are the biggest point of weakness in a firm.
The security landscape can change drastically in a short space of time; despite this, many firms are still relying on the basics to prevent a hack. Antivirus software and firewalls alone are no longer enough.
Most risk assessments in insurance firms will highlight the need for additional controls – or the ‘new basics’. The list will typically include multi-level encryption, multi-factor authentication, intelligent firewalls, endpoint protection and control, data leak prevention solutions, intrusion detection systems and adaptive intrusion prevention systems.
It is also important to consider the ISO 27001 standard, which is a global standard for a business in any industry to manage its IT security, and can act as a reliable starting point when establishing (or improving) a cybersecurity strategy.
It essentially boils down to a firm identifying where its risks are, assigning controls to those risks, and then regularly reviewing and improving this process. Through this method, the senior leadership team, staff and, importantly, clients know the business takes IT security very seriously.
Regardless of when a cybersecurity strategy has been implemented, it is crucial that the senior management within an insurance firm takes full responsibility for its security.
Ahead of BIBA’s cyber committee being implemented, and even following its introduction, it is a business’ responsibility to understand the risks and prepare for the constant attempts by hackers to get into its network.
Only when a rigorous Information Security Management System is in place and all staff are aware of a firm’s cybersecurity policies can a business be confident that it is doing everything it can to keep its own data and the data of its clients safe.