Robert Rutherford, CEO of the business and technical consultancy QuoStar, explains why insurance firms can be more susceptible to cyber attacks.
Mounting an attack now takes relatively little effort, and this is a major concern for many businesses. The Financial Conduct Authority (FCA) was the latest organisation to suffer an IT outage, affecting a variety of systems including Gabriel, a repository for roughly 50,000 regulatory reports.
Whilst the FCA has reassured both businesses and consumers that the outage was caused not by a cybersecurity breach but by a data centre failure, it could easily have been a security incident had it happened to a firm whose systems were not up to scratch.
With more and more cyber attacks being reported each month, it is crucial that companies are taking the right measures to protect the data stored on their systems.
The FCA outage, alongside other recent high profile data breaches, must serve as a warning to insurance firms that cyber criminals are intelligent and they can get past the most protected of systems. In fact, according to ThreatMetrix, the financial services sector suffered 6.3 million cyber attacks last year alone.
Why can insurance firms be more susceptible to cyber attacks?
The reason insurance firms are potentially more of a target than other organisations is twofold.
These firms not only hold a large amount of capital on their systems at any one time, they also have access to a wealth of information about each individual customer they provide insurance services to.
For an insurance conglomerate specialising in several different areas of protection, a data breach can be catastrophic.
Insurance firms are also often preyed upon because their IT systems, and sometimes their IT security strategies as a whole, are legacy ones that have not been updated for months, or in some cases years.
If these firms are not keeping personal data entirely secure, this makes them an easy target. Even if a firm has yet to suffer a data breach, it can still be fined for failing to follow the Data Protection Act 1998 and putting client information at risk.
Health insurer Excellus is one recent example of a firm in the sector that has suffered a cyber attack.
In 2015, it was revealed that hackers had gained full access to the personal data of its 10 million customers over a two-year period as the result of an ‘intrusion campaign’.
The report from ThreatMetrix also revealed a 40% increase in cyber attacks hitting the financial services sector, demonstrating that insurance firms are undoubtedly a target.
What methods should firms use to prevent future security breaches?
Firms of all sizes in the insurance sector are exposed to two main breach methods: the exploitation of software vulnerabilities, and the social engineering of staff within the firm.
The majority of breach attempts, not just in the insurance sector, are built on social engineering, with the aim of gaining access to funds or to confidential information that can be used for extortion later down the line.
Gone are the days of basic spam emails: the constant stream of attacks used by modern hackers takes a targeted approach that requires patience, but reaps rewards if a firm is vulnerable.
Ransomware, which typically arrives through just such a targeted email, is still a real threat to the insurance sector, and staff are therefore the first line of defence against these attacks, though they should not be the only one.
They must be trained to understand what a cyber attack looks like, whether that is a suspicious email, a phone call or an instant message, and how to stop, block and report any suspicious activity. If staff are not properly trained and fail to spot a red flag straight away, a firm is far more likely to suffer a breach.
Top tips on how to improve existing cybersecurity strategies
Improving technology is the last piece of the cybersecurity puzzle – the real work comes in undertaking risk assessments and understanding what the potential risks to a firm’s assets are.
A reliable starting point for establishing a security strategy altogether, or improving on existing methods, is considering the ISO 27001 standard.
ISO 27001 is the internationally recognised standard for an information security management system: it requires a business to assess its information security risks, select and apply controls to treat them, and monitor and review those controls on an ongoing basis. It is vital for insurance firms to complete risk assessments at least a few times a year, and to regularly remind members of staff at all levels what to look out for when it comes to a cyber attack.
Regardless of how or when a cybersecurity strategy has been implemented, it is imperative that the senior management within an insurance firm takes responsibility for its security.
It is an organisation’s responsibility to understand the risks, and prepare for the constant attempts by hackers to find a way into its network. The potential reputational and financial damage to an insurance firm is huge and may even be impossible to recover from, particularly if client data or funds are attacked.
Only when all systems are in place, and policies have been implemented to regularly review cybersecurity efforts, can a business be confident that it is doing everything it reasonably can to keep the threats at bay.