The Case for Cloud Computing

Insurers must regain competitive ground in the digital race for the customer, and all roads that make sense … lead to cloud adoption.

Growing ransomware attacks should be the weight that tips the scales. T-Mobile was breached just recently. Half of its customers (105 million) now have their Social Security numbers, names and birthdates exposed. The information is already up for sale. Last year, insurers and healthcare systems were hacked in greater numbers. Ransomware victims across all industries paid out $370 million in cryptocurrency in 2020, 336% more than in 2019.

Vigilance in cybersecurity requires a different approach

Cybersecurity is not optional. It is table stakes. The issue is no longer all about keeping the data and systems safe. It is about looking out for and being able to nip potential vulnerabilities and hackers in the bud, before the hack actually happens. Vigilance is not reactive, it is proactive.

Pre-cloud security matched pre-cloud threats.

It used to be that the typical trajectory of a security exercise within a company would be periodic business continuity and disaster recovery checks. You might also have audits that are mandated by a public service organization, or you might have specific customers that request conformance with SOC audits, etc.

That type of security practice has spun 180 degrees. What changed?

Anyone can hack now.

The increasing consumerization and democratization of data and technology tools have made nearly every citizen in the world a potential hacker. Any interested party with a high IQ is potentially someone who can hack into your systems. The new urgency and vigilance are no longer about conforming to audits, conducting periodic checks or conforming to state or public-sector-driven regulations. It’s about continually being secure by examining your own insecurity. Cybersecurity is an enabler to doing business.

The frequency of hack-possible events is making security far more complex.

Insurers and vendors all have security measures in place. But cyber hackers are twice as fast at breaking solutions as the solution providers are at updating their security tools. This makes cybersecurity a process rather than an event-driven initiative. Hackers have also improved in their ability to handle complexity. Where hacks come from and who can be a perpetrator is always expanding. Corporate security teams are doing their best, yet they are still sometimes scratching their heads, asking themselves, “Just which part of our data and systems do we protect?” And the answer, of course, is “all” and “everything.” Nothing is truly safe. Cybersecurity is no longer a point-in-time exercise, and it has to cover every part of your data and platform framework.

Answer = Cloud

Public cloud vendors answer these two related problems: expansion of the hacker community and the increasing complexity of protecting against hacking events. With public clouds, the large cloud vendor is doing the job of security for all of us — proactively taking responsibility for their customers.

Microsoft Azure is a great example. Microsoft invests more than $1 billion annually in cybersecurity research and development for Azure alone. This doesn’t include Microsoft Office or any of their own products. Microsoft Azure has more than 3,500 dedicated security experts. Their job, day in and day out, is to counsel their customers and close gaps. “Here is how well-designed your technology stack is against cybersecurity, and this is what Azure can do for you.”

With the cloud, security is job zero

If an insurer gets one takeaway from this blog, it should be this: Cybersecurity is job zero. It is not an add-on.

When we talk about securing a customer’s stack, there are six key things that we should do for them. These principles are universally adhered to:

  1. We implement a strong security foundation. We must begin with role access. No matter who you are, your role is given only a certain sphere of access, and that is all you can access. As a cloud software vendor, we ensure that level of identity foundation.
  2. Ensuring traceability. A traditional issue in security was that, until three or four years ago, when hacks happened, it could take months for companies to figure out the root cause. What was hacked? What was the precise level of leakage, especially in insurance companies? The delay in understanding could lead to billions of dollars in loss. Ensuring traceability, which includes monitoring alerts and auditing actions and changes to your environment, happens in the cloud in real time. You don’t need to wait two months for some IT guy to get into the old logs and figure out what has been lost or hacked. Your systems have real-time traceability.
  3. Security must be applied on all layers. When you consider an organizational stack that resides in the cloud, that includes a client’s network, their servers, their websites, their applications and databases. Everything is now in the cloud. When we say that we manage their security, we apply security at all of these layers as well. We aren’t just securing their database or their front end.
  4. Data must be protected both in transit and at rest. This is a modern, cloud-driven cybersecurity attribute. If you think of a traditional insurance organization, volumes of data are stored in their archival systems, such as their legacy administration and billing systems. This is data at rest. But an incredible amount of data is in constant transfer between the insurer and brokers or the insurer and customers. That is data in transit. What a cloud-native environment does is to protect data both in transit and at rest.
  5. Least access as privilege. This is a logistics issue related to role-based access. Another traditional problem within internal IT shops has been that there is not always transparency if an employee leaves or is fired. HR may take 24 hours before notifying IT. IT takes two hours to deactivate that person’s access from the respective systems. By this time, security has already been compromised. All cloud systems function on a different principle — the principle of least access privilege. A person only has access to the portion of the system that they are supposed to touch. There is no universal access. The CFO doesn’t automatically get access to everything. Cloud security functions on the basis of least access privilege. If a person needs greater access, they have to ask for it and gain permission before it is granted. This is a paradigm shift in security that the cloud has brought about.
  6. Security guidance through the well-architected playbook. Let’s say that your organization moves to the cloud to improve its digital presence, manage its data more effectively and save additional expense. What you’re getting is so much more than that, though. Integrated security is the “value-add.” You’re receiving protective security and security expertise. This is life in the cloud. When you sign up, you get measured for how secure your full system is. The playbook has security design principles that will allow you to measure your system security. “Here’s how well-designed your systems are, based on key design principles. Here are some gaps that you need to fix.” The playbook also provides things like incident response simulations. It has investigation policies and processes available as templates. It is a ready-to-use “security cookbook” supported by subject-matter experts. It is less prescriptive and more actionable. “Here’s where you are. Here is what needs to happen for you to get where you need to be.”

And if that’s not enough…there’s the financial picture

Cybersecurity costs money. If you are investing in internal security, you will likely spend more than if you are letting your environment be managed as a cloud-native environment where security is a part of the solution. The cloud hands you cost avoidance as a part of your business case or return on investment. The cloud provider is taking on this responsibility. This is intentional cost-avoidance on the part of the insurer.

In data-intensive organizations, such as financial, healthcare or insurance organizations, there is a significant amount of leakage every year due to security breaches. These aren’t necessarily data thefts; they are losses that are just eliminated by the cloud. The razor-sharp, stringent data security mechanisms that are in place for cybersecurity naturally fix other data leakage issues. This is an unintentional cost-avoidance, but it happens nonetheless.

Which brings us to our last point. The same real-time monitoring that can be used for security purposes will even help insurers to adopt better real-time monitoring for any issue. If you extend the concept, moving to the cloud forces the organization to whip its data and processes into shape enough to migrate, then the cloud takes over. The simple process of preparation is a beneficial exercise. Every aspect of cloud migration makes an excellent case for doing it now.

For a broader look at many of the key benefits of cloud adoption, be sure to view the Majesco and Microsoft webinar, New Normal: The Catalyst for Cloud Adoption, or read Denise Garth’s interview/blog with Manish Shah, President and Chief Product Officer, Majesco, and Jonathan Silverman, Director of Insurance Industry Solutions, Microsoft, titled Majesco CloudInsurer Plus Microsoft Azure: A True Insurance SaaS Platform.

3 Ways for Agencies to Improve Cybersecurity

In the current wave of ransomware attacks, large insurance agencies have a bright red target on their backs because they have lots of personally identifiable information (PII) and have the means to pay high ransoms. Smaller insurance agencies are just as vulnerable but might not have the means to secure or reclaim client information. Regardless of size, insurance agencies that do not properly educate their staff are leaving major gaps that can be exploited.

One of the most common ways for agencies to lose valuable information is through insider threats, which occur when employees or people with approved access to your systems take or leak information through sabotage, theft, espionage, fraud or just plain ol’ human error.

By preparing agents to be the first line of defense against cybercrime, insurance agencies can change employees from risks to guardians and minimize the chances of an attack that harms their clients, reputation and bottom line.

Improve email security with agency-wide policies and multi-factor authentication

Compromised emails are the entry point for 60% of cyber attacks and create opportunities for criminals to plant ransomware, steal funds and misuse sensitive information. Hackers have access to databases chock full of compromised email accounts. Agencies want to keep employee emails off these lists, but they also need to protect themselves if an agent’s accounts find their way there. Criminals can use these accounts to gain access to your agency network like a lily pad, leaping from a personal account to a work account to a company-wide breach.

Here’s an example: John Doe is unaware his Facebook credentials are in one of these illicit databases. Hackers have access to his full name, personal email address, password and place of work: ABC Insurance. They learn from the agency website that agents’ email format is firstnamelastname@abcinsurance.com. With this information, they can email John and other agents or attempt to log in to his work email. Whether or not he’s reused his password, an experienced hacker can get access in a matter of minutes.

There are multiple steps agencies can take to minimize the chances of compromised emails:

  • Don’t publish any employee emails on your website. Limit public emails to aliases such as info@abcinsurance.com or use a contact form.
  • Don’t let your agency’s security hinge on another site’s vulnerability. Ensure employees don’t use their work emails to sign up for other websites.
  • Use multi-factor authentication (MFA) for all email log-ins. While text messages are one way to add an authentication factor, SMS channels are vulnerable to hacking. MFA apps are the gold standard and are likely free to use with your agency management system, such as Microsoft 360.

Educate agents about phishing and safe email habits

All agents must be vigilant about phishing emails that steal PII by impersonating another person or organization. Phishing has become sophisticated enough to fool multiple employees within an organization, posing as legitimate emails from systems that criminals know an agency uses. Whether your agents are working on-site or remotely, all it takes is one successful phishing attempt for a bad actor to install malware or steal sensitive information.

Good email habits and open communication can thwart phishing attacks:

  • Err on the side of caution when opening links and entering log-in information. Agents should not log into a website directly through a form in an email.
  • Verify the domain name/URL of any link opened from an email. Cybercriminals create fake, nearly identical pages that can fool anyone not paying close attention to what website they’re really on.
  • If your agency uses Slack or a similar platform, you can dedicate a channel to report suspected phishing.
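
The domain check in the list above can also be automated at the mail gateway or in a reporting tool. The sketch below is an added example, not part of the original article: it flags links in an HTML email whose real destination imitates a trusted domain. The trusted list, the sample email and all function names are assumptions made for illustration; abcinsurance.com is the article's fictional agency.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: domains the agency really uses. abcinsurance.com is the
# article's illustrative agency; ams.example is a placeholder.
TRUSTED = ("abcinsurance.com", "ams.example")

# Constructed sample email body, not taken from a real message.
SAMPLE_EMAIL = """
<p>Your mailbox is almost full.</p>
<a href="https://abcinsurance.com/portal">Agency portal</a>
<a href="https://abcinsurrance.com/login">https://abcinsurance.com/login</a>
<a href="https://abcinsurance.com.secure-login.example/reset">Reset password</a>
<a href="https://www.example.org/news">Industry news</a>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(value):
    """Hostname from a URL or a bare 'domain/path' string, else ''."""
    if " " in value or "." not in value:
        return ""  # ordinary link text such as "Reset password"
    try:
        parts = urlsplit(value if "://" in value else "//" + value)
        return (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return ""

def is_trusted(host):
    """True for a trusted domain or any of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_link(href, text):
    """Return the reasons a link deserves a second look (empty if none)."""
    host, shown = host_of(href), host_of(text)
    reasons = []
    if not host or is_trusted(host):
        return reasons
    if not host.isascii() or "xn--" in host:
        reasons.append("internationalized name, possible homoglyphs")
    for d in TRUSTED:
        # Compare the same number of trailing labels as the trusted domain has.
        tail = ".".join(host.split(".")[-d.count(".") - 1:])
        if edit_distance(tail, d) <= 2:
            reasons.append(f"lookalike of {d}")
        if host.startswith(d + ".") or f".{d}." in host:
            reasons.append(f"{d} used as a subdomain of another site")
    if shown and is_trusted(shown):
        reasons.append(f"text shows trusted {shown} but link goes to {host}")
    return reasons

def audit_email(html):
    """Map each suspicious href in an HTML email body to its reasons."""
    collector = LinkCollector()
    collector.feed(html)
    found = {href: classify_link(href, text) for href, text in collector.links}
    return {href: why for href, why in found.items() if why}
```

Calling `audit_email(SAMPLE_EMAIL)` reports the misspelled domain and the link that buries the agency's name inside another site's hostname, and leaves the genuine portal link and the unrelated news link alone.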

Encourage vigilance in and out of the workplace

A great way to ensure that agents are vigilant is to test employees with a mock-phishing email to see if they catch it. There is software available that can help with this, or you can have a close contact from outside your agency send an email asking agents to reply with a phone number or other piece of PII. If the email sounds urgent enough, many times people will reply with the requested information thinking they are helping in an emergency. Collect the emails that come back to your outsider contact and discuss them with the team as an opportunity for education on cybersecurity awareness. Once you have a baseline, repeat the test every few months and monitor how your agency’s cybersecurity improves (we hope) over time.

It’s also a good idea to educate agents on the value of regularly checking their personal account security to prevent a lily pad breach. Websites like Avast and haveibeenpwned inform you if there are PII leaks associated with your email address. Agents can check their personal accounts at these sites and keep on top of their own data security for the security of their agencies.

Insurance agents need to treat their emails like they’re the keys to the agency vault — because they are. Increasing email security through these simple methods makes your agency much harder to breach and will ultimately save money and prevent headaches, including lost goodwill among clients.

Premiums Climb as Ransomware Bites

Ransomware is on the rise and posing significant challenges for the insurance industry. Ransomware attacks soared by 485% last year compared with 2019, according to Bitdefender. Cybercriminals and state-sponsored hackers alike are employing ransomware to line their pockets and cause mayhem. The Colonial Pipeline, the Harris Federation, CNA Financial and Acer are just a few of the high-profile victims so far this year. 

Without proper planning and protection, a ransomware attack can sink a company. The average ransom cost is now $154,108, according to Coveware, and the average downtime caused is 21 days. 

As more and more victims pay up, cybersecurity insurance carriers are changing their products, increasing premiums, and limiting coverage. 

Attackers Targeting Insurance Providers

While cybersecurity policies covering ransomware used to be relatively easy to find and offer generous potential payouts, that’s no longer the case. Ransomware gangs have been doing their homework. They gain access to insurance company client lists and hack into networks to study individual policies for the purpose of uncovering maximum policy limits of targeted companies.

An anonymous spokesperson for the REvil ransomware gang was recently asked about targeting insurers in an interview for The Record, and said, “Yes, this is one of the tastiest morsels. Especially to hack the insurers first—to get their customer base and work in a targeted way from there. And after you go through the list, then hit the insurer themselves.”

Any insurer that responds to this onslaught with a blanket policy of not paying ransoms is soon under siege. Cybercriminals unleash coordinated attacks designed to make examples of these carriers and warn off other insurers that may be considering a similar no-pay policy. Inevitably this has impacted the coverage carriers offer. 

Insurers Building Experience

The silver lining here is that the cyber insurance industry has a vested interest in keeping costs, risk and recovery time down. To that end, insurers engage the very best incident responders with a proven track record. For a victim seeking a ransomware recovery specialist, a cybersecurity carrier might be the fastest and easiest route to the top talent. 

As insurers build a knowledge base and deal with the aftermath of more and more ransomware incidents, they are also gaining a deeper understanding of how to guard against such attacks. 

Organizations seeking consultation on what they might do to prevent ransomware infiltrating their networks, how to cope during an attack, and the fastest path to recovery can get solid advice from carriers. But all this experience comes at a price.

More Stringent Requirements and Fewer Options 

Any organization shopping for cyber insurance will find the market very different than it was just a few years ago. Many carriers are now refusing to insure for ransomware and those that do require solid proof that strong security controls are in place before they will issue any policy. Coverage scope and optional add-ons have been drastically reduced across the board, but particularly in industries with high exposure and susceptibility.

Even with every box ticked, the amounts that insurers are offering now are relatively limited. Premiums in general are higher, but for organizations considered to be high-risk with large limit requirements, policies may be prohibitively expensive. It’s important to remember that even with the climbing costs, cybersecurity insurance will still be cheaper than a breach for most organizations. A third-party assessment and strict requirement for strong controls can also prove invaluable in strengthening your security posture.

No Substitute for Proper Cybersecurity Planning

Ultimately, cybersecurity insurance is a complementary product that can help reduce business risk. It’s crucial to take appropriate steps to guard against ransomware and to fully plan and practice how to deal with an incident. Consider that the most likely way for ransomware to break in is through social engineering. Train your staff to spot phishing attacks and build response plans to investigate and deal with them.

Other smart protective actions include a regular patching procedure to ensure software is kept up to date, a comprehensive asset list that gives you a complete picture of company hardware, and properly protected off-site backups from a variety of points in time. Craft incident response and recovery plans to clearly delineate correct procedures and responsibilities and then test them in a mock attack to ensure you’re ready for the real thing.

If you are operating without coverage or your policy is coming up for renewal soon, make sure you dig into the details and fully assess your options. You may find that the budget you have allocated based on previous policies is no longer suitable. Just remember, the stronger your defenses are, the easier and cheaper it will be to secure a cybersecurity insurance policy that gives you the cover you need.

Aggressive Response to Ransomware

Ransomware attacks are increasing at an alarming rate — Colonial Pipeline, JBS and now McDonald’s, where cybercriminals stole some data. And those are just a few of the growing number of cybersecurity breaches being reported.

According to the Institute of Security and Technology, victims paid $350 million in ransom in 2020, more than four times the amount in 2019. Around 2,400 government organizations, healthcare facilities and schools in the U.S. were reportedly attacked.

The economic impacts from these evolving cybercrimes are massive. Apart from the loss of money paid in ransom, companies and governments have to go through several additional challenges, such as service downtime, loss of private data and recovery cost. 

This surge in ransomware attacks highlights the urgency of dealing with this national security threat before it gets out of control. Businesses should carefully evaluate every potential alternative available before paying the ransom. When hackers succeed in extortion, these kinds of crimes become more attractive. And there is no guarantee that the hackers will provide the decryption keys even if a ransom is paid.

Government organizations and the private sector should work hand in hand to deal with cyberattacks and ensure data is recovered without paying a ransom. Companies should keep law enforcement agencies in the loop when tackling a ransomware attack and support the administration in disrupting the hackers’ network. There should be an aggressive, joint strategy and an unbreakable security network to combat these cybersecurity challenges.

Meanwhile, a collaborative global effort involving governments and security agencies is crucial in the fight against cybercrimes. Nations should aggressively investigate and prosecute cybercriminals operating from their land. Governments should use strategies, such as sanctions, to pressure countries refusing to act against cybercriminals.

The increasing number of cybercrimes could also be exposing security loopholes in companies’ networks now that employees are working away from the office. Most businesses are operating remotely these days. It is important to note that not all businesses have the right security systems in place, as they were unprepared for a sudden work-from-home migration when coronavirus struck. Organizations should implement security protocols, such as multifactor authentication, endpoint detection and response and data encryption, as well as prepare a plan to deal with these kinds of security threats before they strike.

Another aspect to note in the recent cyberattacks is that the criminals seem to prefer cryptocurrency, which makes it difficult for law enforcement agencies to track criminals behind transactions. It is high time that the government enforces strict guidelines to ensure that the crypto exchanges follow processes such as Know Your Customer.

Wake-Up Call on Ransomware

The ransomware attack that shut down the 5,500-mile Colonial Pipeline, the largest fuel pipeline in the U.S., contains two important seeds of opportunity.

First, the federal government looks like it may get much more involved in preventing or at least prosecuting cyber attacks, specifically for important infrastructure like pipelines and electric grids, but perhaps more broadly, too.

Second, the attack raises the profile of the ransomware problem to the point that insurance clients may no longer be able to ignore it — which they mostly have even as ransomware activity quintupled globally between the first quarter of 2018 and the fourth quarter of 2020, according to Aon. This higher profile will create the opportunity for insurers to work with clients to finally step up their defenses.

Let me be clear, lest I come across as Pollyannaish: This was a serious assault on a major piece of infrastructure and will likely result in higher gasoline prices, at least in the eastern half of the U.S. The attack also raises the prospect of devastating assaults on other pieces of key infrastructure, both in the U.S. and around the world. In addition, because the ransomware attack was arranged by a criminal ring in Russia, the attack brings into play all sorts of geopolitical issues that go well beyond what happens when some lone criminal hacks his way into a single corporation.

I’m merely suggesting that good things could also come out of the attack by the DarkSide group in Russia, because it underscores two problems that have long been obvious but that have somehow been ignored. The actions spurred by the attack won’t be perfect solutions by any means, but they should help.

The main action looks to be an aggressive response by the federal government, which has struck me as too passive as criminal gangs have greatly stepped up their ransomware attacks. There are limits to what the government can do against international gangs like DarkSide — it’s not as though President Biden can just call Vladimir Putin to complain and have him say, “Oh, sure, I’ll get right on it” — but having the Feds in the game should help a lot.

The other main action — the big opportunity for insurers — will occur because companies will increasingly see their vulnerability (finally!) and request help from the experts: the insurance companies that deal with cyber issues every day.

Thought leaders have been warning about ransomware for ages here at ITL — look at “5 Questions That Thwart Ransomware,” “A Dangerous New Form of Ransomware” and “Ransomware Becomes More Pernicious.”

Look, in particular, at this recent article: “How to Combat the Surge in Ransomware,” from Tokio Marine HCC’s Cyber and Professional Lines Group. It describes what I think is the ideal approach for insurers assisting their clients, not just by selling insurance but by helping them reduce their risks — steering clients toward state-of-the-art tools (priced based on the insurer’s bulk discount) that monitor vulnerabilities, toward using multi-factor authentication, toward training, etc.

As long as the bad guys have shown they can work together and take down big targets like the Colonial Pipeline, the good guys need to work together, too. That surely means more help from the federal government on what is a national and, increasingly, international problem but also means insurers need to step up and deliver the sort of expertise and counsel that they possess uniquely and that define the industry’s noble purpose.

Cheers,

Paul

P.S. Here are the six articles I’d like to highlight from the past week:

Workers Comp Trends for Technology in 2021

An efficient workflow passes 60% to 70% of medical bills straight through; workers’ comp has a long way to go.

Are Your Healthcare Vendor’s Claims Valid?

This article, the first in a series, looks at how regression to the mean is often misused to justify false claims about the success of wellness programs.

4 Ways to Seize the Latent Demand

Consumers recognize now more than ever the importance of adequate insurance coverage. Now is the time to seize on this opportunity.

Time to Reimagine the Finance Function

What’s possible for finance has been redefined: Comprehensive data makes it easier to connect performance across the business.

Tapping Into Life, Health Innovation

Those who welcome outsider participation in innovation can unlock new solutions without needing to reinvent their current businesses.

Insurance and Financial Protection

If the life insurance crisis is hard to understand, we must make it easy to comprehend. The insurance industry must lead us through this crisis.