Insurance Industry Must Confront Data Breaches on Two Fronts
July 18, 2016 by Gary S. Miliefsky
While protecting others from a menu of breaches, industry must also protect itself
IMAGE COURTESY OF NATIONSWELL.COM
The overwhelming number of data breaches over the last few years has every private company and government agency desperately trying to guard its system against cyber criminals.
But unlike most other professions, the insurance industry is affected in two ways by the threat.
Insurance companies themselves can be the target of a breach that would shut down their network, at least temporarily, or put the personal and private information of customers at risk.
At the same time, insurance companies that offer cybersecurity policies can be impacted by how well their customers protect their own systems.
Smelling a RAT
How costly can these breaches be? The average is $4 million per breach, up from $3.8 million in 2015, according to a study from IBM and Ponemon Institute.
“That’s a staggering amount,” says Gary S. Miliefsky, CEO of SnoopWall (www.snoopwall.com), a company that specializes in cybersecurity.
“The good thing is that those in the insurance business are starting to realize just how serious the problem is and that, just like the businesses they insure, they face costs not only in terms of the breach itself, but also in terms of their firm’s reputation.”
Sometimes those breaches are ridiculously easy, Miliefsky says. A cyber criminal can gain access by sending a company an email with an attachment called a Remote Access Trojan, or RAT, that looks like a normal file. All it takes is for an unsuspecting employee to open that file and security is compromised.
“Certainly, hackers can be very clever and very skilled, but often all they need to be is patient,” Miliefsky says.
Awareness, Training & Defense
For better protection against those cyber criminals out to do harm, Miliefsky says insurance companies should:
- Train their staffs
Those employees sitting at their computers each day are a company’s first line of defense. If they click on an attachment or a link in the wrong email, they have essentially unlocked the front door. Employees should be made aware of the dangers and told what do about suspicious email. - Routinely update their defenses
Outdated technology and outdated security software make a company’s computers vulnerable to attack. It’s important that insurance companies periodically review their IT operations to make sure what worked last year still provides the needed security.A cyber criminal can gain access by sending a company an email with an attachment called a Remote Access Trojan, or RAT, that looks like a normal file - Enforce better password management policies
Employees often aren’t creative enough with their passwords, making it easier for cyber criminals to work their way in. In setting a password, employees should use any unique characters they can think of, such as a dollar sign ($) or an exclamation mark (!) or replace a letter “O” with a 0 (zero). Employees also should be directed to change their passwords often. - Manage Their Intranet
Most breaches happen behind firewalls. You’ll need more than antivirus to stop the bad guys. This includes anti-phishing tools, network access control (NAC), zero-day malware quarantining and other next generation approaches focusing on the root cause of how you get breached.
Without a NAC solution, you won’t be able to tell who is on your network, including if the cleaners are plugging in a laptop at midnight or if a consultant is on the wrong VLAN, like HR or Payroll where you don’t want them to have access. In addition, you should find and fix all your common vulnerabilities and exposures (CVEs). Learn more about them at the National Vulnerability Database at nvd.nist.gov or cve.mitre.org. By finding and fixing your holes, you’ll have a stronger, less exploitable infrastructure. - Be prepared for the worst
It’s essential to have a backup and recovery plan in case data is lost or corrupted. That plan should be tested frequently.
“Because of their unique position, insurance companies also should make sure that their cybersecurity policy holders are taking these steps to protect themselves as well,” Miliefsky says. “This is definitely a situation where an ounce of cyber prevention is worth a pound of cure.”
About Gary S. Miliefsky
Gary S. Miliefsky is founder of SnoopWall Inc. (www.snoopwall.com), a cutting edge counter-intelligence technology company offering free consumer-based software to secure personal data on cell-phones and tablets, while generating revenues helping banks and government agencies secure their networks. He has been active in the INFOSEC arena, as the Executive Producer of Cyber Defense Magazine and a regular contributor to Hakin9 Magazine.
