“Physician, heal thyself” is an expression that many people use to criticize a lack of standards among groups or organizations that are charged with enforcing those same standards among others. And a paraphrase that applies to the insurance business is “insurer, protect thyself.”
It turns out that for a business that is so conscious — and conscientious — of all things involving risk, the insurance industry neglects its own risk, especially when it comes to data breaches. That neglect has cost companies millions in court settlements and regulatory fines.
You’ve been breached
Among the insurance companies that have paid a price for failing to prevent data breaches is Nationwide Mutualand its subsidiary, Allied Property and Casualty Insurance Company. Nationwide is on the hook for a more than $5 million fine resulting from a 2012 data breach that divulged details on 1.27 million customers.
Also on the firing line are CareFirst, which is the target of a class-action lawsuit for a 2014 data breach that affected more than one million people, and Horizon Blue Cross Blue Shield, which is in the midst of class-action suit over a 2013 breach that hit 800,000 victims when their data was accessed.
The Horizon case is notable because the records were on two laptops stolen from the insurer’s Newark, N.J., headquarters and were not encrypted, as required by federal law. Horizon has numerous procedures (and presumably numerous employees) dedicated to risk assessment and evaluation, but when it came to its own risk assessment, the company was unprepared.
These are just a few examples; the industry knows it has a problem and is anxious to solve it. According to a report by Accenture, insurance companies experience on average 113 cyber attacks each year — with one out of every three successful in causing a data breach. With that, two-thirds of companies said they didn’t even realize they had been hacked until the damage was done — and 61% admitted that it took them “months” to detect breaches.
These organizations have presumably installed state-of-the-art cybersecurity systems. The report says that 72% of companies believe they have “completely embedded cybersecurity into their cultures.” Despite that effort, according to the Accenture report, the danger from hackers for the insurance industry is even greater than in the financial industry.
“The ability of cyber crooks to monetize stolen data, enabled by the dark web and crypto-currencies like Bitcoin, has changed the focus of many attackers,” Accenture says. “The actual money is heavily guarded, even in cyberspace, but personal data is much easier to steal.” Companies may believe they are sufficiently protected, but the statistics prove otherwise.
If insurance companies are major targets for hackers, it stands to reason that they will try harder to breach security systems — which means that companies need to shore up their weakest security links. In insurance companies, like almost everywhere else, it’s the people who work there who are the weakest link. A whopping 91% of cyber attacks and resulting data breaches in 2016 started with a spear phishing email, according to a recent study.
In a spear phishing attack, victims are tricked into clicking on something — a web link or an e-mail attachment — that allows hackers to surreptitiously connect to their systems, allowing them a foothold they can exploit to laterally move throughout the network until they find useful information.
As a result, many companies have instituted programs to educate, persuade or threaten employees into being more careful when handling links or attachments, and as a result, there is a greater awareness of the dangers involved in making those connections. But even with that awareness, victims apparently can’t help themselves; a study at Freidrich-Alexander University shows that even with full knowledge of the risks involved, as many as 56% of e-mail recipients and some 40% of Facebook users still clicked on links sent them by an unknown sender.
Companies clearly can’t rely on their employees to protect the organization; yet it appears they can’t rely on cybersecurity systems either, which apparently are unable to mitigate the risks posed by phishing.
What’s left, then? One idea is to prevent employee access to the internet altogether; but in an interconnected world, that’s impractical. However, companies can opt for a system based on preventing hackers from getting into a system by breaking the direct connection between an employee’s click, and a hacker’s access. Connections are made in a “safe zone,” where they are evaluated before they are allowed to proceed. The concept, known as network segregation, is an upgrade of the sandbox, which enables users to isolate suspicious files and run them without impacting the rest of the computer.
In a network segregation scheme, internal corporate networks containing essential information — user records, corporate data and the like — are kept out of the internet altogether. E-mail messages and attachments are broken down and analyzed in the safe zone, where their connections and activities are checked to ensure they are legitimate — such as if a link that is supposed to go to a specific website does indeed lead there, or is redirected to another site, a sure sign of a cyber-attack.
If malware, redirection, or any other suspicious activity is detected, the element responsible for that activity is neutralized, and the message or attachment is reconstructed and forwarded to the recipient. Thus, the suspicious item is sanitized, but the workflow is not interrupted — an improvement over a sandbox, which would just dump a suspicious file.
With this system, insurance companies or other businesses could better protect themselves from breaches based on phishing campaigns, the root of much of the cyber-insecurity encountered today. While cybersecurity is essential for any company, staying cyber safe is a matter of business life and death for insurance companies — especially since courts are taking a harder stance against companies that fail to protect their customers’ personally identifiable information.