Insurance sector has to ramp up cyber

by Mark Rowe

In the face of the pandemic there was an enormous shift in the way insurance companies operate. To allow this to happen there was rapid implementation of both remote working practices and technological solutions to ensure business continuity, writes AJ Thompson, CCO at the IT consultancy Northdoor. Understandably, as a result there has been some loss of focus on other areas of the business.

So, whilst networks and processes have, on the whole, been improved and most businesses have been able to continue in one form or another, gaps have appeared in other areas.

One area that might have been somewhat neglected as a result of companies focusing on business continuity is cyber-defences, which has made insurance firms potentially more susceptible to cyber-attack. Indeed, the very nature of the new way of working that many insurance firms are experiencing has changed the security landscape dramatically. Suddenly, insurance firms were faced with the prospect of entire workforces having to work from home. For many, home working was not on the radar and so equipping employees with the tools to work effectively was a huge priority. We saw supply of laptops dry up around the country as companies scrambled to provide for their workforce. Employees were also encouraged to use old devices. This combination patched the hole that existed for the first few weeks of the first lockdown, allowing companies to continue operating in some form; but this is not a viable solution for the long term.

Old devices particularly have the potential to open huge holes in an insurance firm’s cyber defences. Many old devices are no longer supported or have not been updated in years, meaning that the latest threats can easily bypass any legacy security installed on the device. Combine this with the fact that many of the workforce are now working outside of the corporate environment, and the opportunity for criminals to gain access to insurance firms’ data and infrastructure has never been greater.

The opportunity for criminals to take advantage of insurance firms, who remain in somewhat of a state of flux, is a great one. Not only are devices being used that are at risk of being breached, but the criminals themselves have also upped their efforts and style of approach.

The opportunity the pandemic has presented criminals is too good to turn down. Companies are desperately implementing ad hoc ways of working, employees are turning on outdated and unprotected devices and working outside of the corporate environment; this all seems to tick many of the boxes of a cyber criminal’s wish list. To take advantage of all of this and to make as much money as possible whilst the situation lasts, criminals have added increasing levels of sophistication to their attacks.

Phishing attacks particularly have increased. In July 2020, Google reported to the Australian Senate that globally its systems had detected 18 million malware and phishing messages through Gmail a day, directly related to COVID-19. As well as being a numbers game for criminals, persuading individuals to click on the malicious link has become an art form. Messages are looking increasingly authentic, disguised as being sent by suppliers, personal contacts or colleagues. For all employees, but particularly those working outside of the office environment, maintaining concentration and taking a cynical approach to unexpected emails is crucial in preventing criminals taking advantage.

The nature of the data held by insurance firms means that any breach can have a huge impact. The loss of sensitive data hurts firms in multiple ways. It hits a company’s reputation, it alerts regulators and can have a devastating financial impact.

Supply chain and third-party risk

It is not just the ‘insider threat’ that insurance firms have to be aware of. Any partner or supplier that has some kind of access to data or infrastructure can inadvertently provide easy access for a criminal. This supply chain risk is one that is increasing in the insurance sector as the market becomes more digitally connected.

There is no point in ensuring that internal security is watertight if partners’ defences are leaving your infrastructure wide open. Failure to understand and secure supply chain risk is a major area of exposure for the sector. There is regulation in place that stipulates that this must be addressed and failure to do so will make any investment in internal defences a complete waste of time.

Reviewing

The last few months have seen unprecedented changes to the way we work and, as a result, a large-scale adoption of solutions that have allowed businesses to continue working effectively. However, the next weeks and months are crucial. There has to be some time to reflect on the changes and solutions put in place, whether they are effective in the long term and if inadvertently they have made the company more vulnerable to cyber-attack.

Undoubtedly, the insurance sector will be, if it is not already, a main target for criminals. The very nature of the data held by the industry means that it is a particularly prized target. We have seen the huge pressure that the healthcare sector has experienced over the past few months as criminals target organisations that are particularly vulnerable at this time. Ransomware has been a particularly effective tool for criminals, with healthcare organisations forced to shut certain aspects of their front-line services or pay a hefty ransom in order to get data back and allow services to continue. The impact of a large breach on the sector could be disastrous and with criminals beginning to circle, now is the time to act.

By identifying current vulnerabilities both internally and across partner networks, insurance firms can begin to close gaps. Reviewing solutions and working policies that have recently been introduced, perhaps without the usual levels of due diligence, will be crucial to ensure they have not inadvertently opened gaps in defences. Most important, though, will be the continued education of employees about security risk, what the threats look like and how best to deal with them once identified.

Some insurance firms are investing in automated solutions to highlight potential phishing emails and AI-supported technology to monitor supply chain and partners’ vulnerabilities. AI and machine learning solutions will also ensure that insurance firms are keeping up with the latest threats as the technology continues to learn and evolve over time.

2020 has very obviously been a year of huge change, piling massive pressure on the insurance sector. However, taking a couple of steps back and reviewing all of this recent and necessary change will hold companies in good stead. It is crucial that in the rush to ensure business continuity and protect the bottom line and reputation, companies have not left the door wide open to let criminals take that all away.


© 2024 Professional Security Magazine. All rights reserved.
