Robert Rutherford, CEO of the business and technical consultancy QuoStar
In the British Insurance Brokers’ Association (Biba)’s 2016 manifesto, the Rt. Honourable Matthew Hancock, MP and Minister for the Cabinet Office, stated that “cyber-security is a significant and growing threat to the UK”. This could not be truer than for the insurance industry. With 70% of large insurance firms having reported a serious hacking attempt, it is clear that attackers are still capitalising on vulnerabilities, both old and new, alongside traditional social engineering techniques. The big firms are at risk, but it is now the smaller operations that are the key targets for exploitation.
The security breaches faced by organisations within the insurance industry are part of a larger cycle. Crucially, the window between a vulnerability being identified, the vendor releasing a fix and the firm actually applying that fix needs to be as short as possible, and yet many businesses still do not truly understand the risks and the potential damage. In a bid to improve security awareness within the insurance industry, Biba announced at its 2016 conference that it would be forming a cyber committee to help the industry identify and control its risks more effectively. However, until this committee is put into action, firms remain vulnerable and must take responsibility for their own cybersecurity strategies.
The risks of dated software
The outdated legacy systems retained by a surprisingly large portion of the financial sector do not always hold up in the face of a barrage of cyber attacks, particularly once an attacker gets past perimeter defences. Attackers are drawn by the monetary value of the transactions flowing through these firms on a daily basis.
One of the main entry points for attackers is the weakness of these dated systems, which often run software for which fixes are slow to arrive or never applied. Attackers constantly refine and share their methods for exploiting such weaknesses, so firms need to keep implementing controls such as encryption of portable devices and media, endpoint protection, email content control, data leak prevention, and intrusion detection and prevention systems as a minimum.
ISO 27001 is an international standard for best practice and continual improvement in information security, and it is an excellent starting point for building an effective information security management system (ISMS), one which has to keep improving to remain certified. It is a sensible route for a firm’s leadership to take so that it can truly understand, and take top-level accountability for, the firm’s risks and controls without needing to get into technical detail.
A primary cause of data breaches is a lack of employee awareness, which leaves staff open to being socially engineered without realising it. It is an organisation’s responsibility to understand the risks associated with being hacked, ranging from reputational damage to financial loss and the loss of client data. Employee training is undoubtedly a necessity to complement up-to-date software. To protect a firm’s interests, employees must be made its first line of defence. Technology is advancing swiftly, and unless employees are regularly retrained to recognise the forms that cyber attacks take, they can become easy targets.
The larger the firm, the larger the risk
What is normally lacking from IT security knowledge is an appreciation of just how many access points there are for attackers. It is not just the computers in an office that are at risk; every server, printer, door entry system, or device logged into the office’s cloud-based software is a potential point of breach. Every new connection to the network creates a new risk point, which is a significant problem particularly for larger firms with an extensive employee and client network. Firms across the insurance industry must therefore train their employees effectively and increase awareness of just how easy it can be to fall victim to an attack. Whilst technology is a key part of the cyber security puzzle, it must be recognised that there is a human element too; without a full risk assessment and an understanding among employees of how to minimise the chances of a breach, any organisation must be considered to remain vulnerable. The days when the threat was limited to spam emails and simplistic viruses are over; it is now a global threat, and people are hacking for financial gain. All insurance firms must realise that they are definitely at risk.