Robert Rutherford, CO of the business and technical consultancy QuoStar
It’s no secret that the number of cyber-attacks is increasing year on year, and while this trend is noticeable across many industries, the insurance sector has become a prime target for hackers.
The Financial Conduct Authority (FCA) was the latest organisation to suffer an IT outage, affecting a variety of systems including Gabriel, a repository for roughly 50,000 regulatory records. Whilst the FCA has reassured consumers and businesses that the outage was a result of a data centre failure rather than a cybersecurity breach, it could have easily been a cyber-attack.
In recent years, insurance firms have been targeted by numerous cyber-attacks, both internal and external, including those by disgruntled former employees and organised cyber criminals. With the Association of British Insurers estimating that the UK insurance industry is managing investments of £1.9 trillion, it is no surprise these firms are such an attractive target. Not only do they have a large amount of capital funds on their systems at any one time, but they also have access to a wealth of customer data – the perfect tool for blackmail, or to release to the public with the intent of damaging a firm’s reputation.
How do cyber criminals target insurance firms?
Gone are the days when individuals just hacked for “fun” or to prove that they could access a company’s systems. Now the motives of cyber criminals are far more calculated, leading to a change in the method of attack. These motives are led by the potential for financial gain or to damage a firm’s identity and reputation, sometimes irreparably. Cyber-attacks are rapidly becoming more sophisticated and, for those willing to be patient, the rewards stand to be substantial.
While insurance firms can be exploited through software vulnerabilities, social engineering is another popular tactic for many hackers. This involves using tricks and tactics to gain information from legitimate users of a system in order to gain unauthorised access, without having to break in. Examples include calling targeted employees while pretending to be from IT or maintenance and requesting login details to “fix a problem”. As this can be a common helpdesk request, some users may respond, which highlights the need for continual training and education for new and existing members of staff. Employees are often a firm’s first line of defence and, as such, must be able to recognise any red flags – such as suspicious emails or calls – and understand the appropriate escalation process.
How can insurance firms protect themselves?
When it comes to determining a security strategy, and an overall IT strategy, the insurance sector is facing pressure from multiple angles. Not only does the sector face increasing regulatory burdens, but from a technical aspect firms are also under continual pressure to modernise their systems to ensure that data is kept highly secure, yet instantly available for review and processing.
These pressures combined can result in increased overheads and reduced margins, which in turn can lead to decreased technical investment. However, when it comes to cybersecurity, technology should actually be the last piece of the puzzle.
Determining a security strategy should really begin with a firm understanding what its assets are, and identifying the potential risks to those assets. A reliable starting point is the ISO 27001 standard, a global accreditation which helps firms manage IT security by reviewing risks, assigning controls and monitoring processes.
Education will always be a key element of any security strategy. As social engineering is developing at a rapid pace, the human element (i.e. a business’ staff) remains vulnerable, as these attacks are essentially a manipulation of trust. A comprehensive policy should cover basics such as password strength, the disclosure of confidential information and physical security, among others. Having a security-aware culture means that potential threats will be flagged by employees, and they will be able to make the correct decisions even when a request seems incredibly genuine.
The FCA outage, along with other recent high-profile security breaches, must serve as a warning to insurance firms that they are a prominent target for cyber criminals, and that security is an issue which must be prioritised and addressed.
Taking steps to protect customer and financial data will protect an insurance firm’s reputation and profitability, so these organisations must take the time to implement policies and systems to secure the business, and ensure these policies are reviewed regularly. The consequences of failure can be devastating, or even fatal to the business, so it’s imperative that cybersecurity is made a priority.