Tag Archives: FireEye

Psychology’s Relevance in Security

The best way to defeat or at least largely mitigate hackers is with a dynamic defense system. When combined effectively, anti-virus software, NGFWs and the products and services from cybersecurity companies like CyberArk and FireEye can provide an organization with a resilient cybersecurity framework. However, such security measures are expensive and are dependent on companies that employ IT professionals, which is why many organizations try to fend off cyber attacks only with anti-virus software and an NGFW. Yet there is another method with which to mitigate or prevent cyber breaches, and it is a method that cyber liability and technology E&O insurers need to understand and immediately employ: human psychology.

The most common meeting of psychology and the binary world is the door to the binary world: the password. Most, if not all, underwriters have read an article or heard a lecture about how “password” and “123456” are the most frequently used keys when people attach a password to anything. Moreover, the commonality of those two keys has been a fact for decades, but the insecurity of using commonly known passwords as a passport remains virtually immune to change.

The longevity of weak keys is due to many factors, but at the heart of all the factors is human psychology. It is a behavior that does not want to be bothered with memorizing a multitude of passwords, and one that tries to find the easiest way to meet a password requirement instead of trying to create a strong passport. Most importantly, it is risk and reward psychology that governs the creation of any password. Who cares in the professional world what a person’s password is as long as the work gets done and a person gets paid?

Yet current cyber liability and technology E&O wording does not even try to tackle this most basic insecurity, one that costs insurers large amounts of currency time and again. Insurers will continue to lose vast amounts of money due to the insecurity of a key like “123456” until insurers decide to tackle human psychology and work with technology companies to create a safe path forward out of the current mess with which the digital community finds itself.


If passwords were the only element of enterprise cybersecurity that needed to be reformed, then, to a high degree, the issue would not have far-reaching implications. However, the fact is that the weakness of keys is only a symptom of a larger problem.

Cybersecurity may be a topic that crops up in news headlines on a regular basis, but it is a topic that also is generally viewed as a fringe area of thought. At the enterprise level, this can be seen in one prominent way beyond dysfunctional passports, and that is in individual cybersecurity responsibility. Cyber breaches have cost the global economy no less than $400 billion each year since 2013, have affected essentially every part of the professional sphere, and are bringing governments around the world into conflict with their taxpayers, as seen, in one instance, when a government like the U.S. government tried to force Apple to make its products less secure.

Nonetheless, to this day a majority of the companies around the world do not put part of the onus on individual employees for a company’s cybersecurity posture. Most companies do not include, in annual employee reviews, an area that deals with how the individual contributed to the strength or weakness of the company’s cybersecurity approach.

Did the employee use a strong password over the past year? Did the employee lock her computer each time she stepped away from her desk? Was the employee’s company computer linked to any cyber attacks? If the employee’s computer was linked to a cyber attack, then had the employee shown an appreciable improvement of her cybersecurity awareness?

By not enforcing the need for every employee to contribute to the cyber safety of the company, employees at all levels are allowed to have a carefree outlook, which is clearly detrimental to the cybersecurity posture of every organization. Even potential employees are not vetted for their sense of healthy cybersecurity. Companies ask numerous questions when interviewing a potential candidate, but very few companies try to assess the individual’s sense of responsibility when it comes to cybersecurity. If employees, and even applicants, are not expected to carry part of the responsibility, then what reason does any employee have to be responsible from a cybersecurity standpoint?

Perhaps more disturbing than the previous issues is that cyber liability and technology E&O insurers do not account for how human behavior influences the development of computer hardware and software. From about 1990 to the present, there has been a relentless movement by technology companies to get products to market at breakneck speed.

While a hardware company like Intel has produced some products of dubious quality, like trying to push its Pentium III processor beyond the 1 GHz level and the Rambus fiasco, hardware producers have largely avoided major mistakes. However, software developers are almost entirely responsible for the creation of a binary world where security has almost always been an afterthought, and human psychology is at the heart of this issue as well.

Since 1990, constant pressure has been placed on software engineers to meet deadlines set by a management system that is focused on everything but cybersecurity, which means that quality is almost always sacrificed to include a flashy software feature or simply to get a product to market quickly. Windows Me, Windows Vista, and Windows 8 are the results of a management system that showed great disregard for the safety of the end user.

Moreover, software engineers themselves also have the psychological outlook that, if an issue does come up after a piece of software is released, it can always be patched at a later date. Perhaps the most obvious example of the patching system in overdrive is that of smartphone operating systems and applications. It is not uncommon for one smartphone application to receive updates two or three times each month. However, the present wording of technology E&O policies and the questions asked in technology E&O applications continue to demonstrate a severe lack of understanding on the part of insurers as to how human behavior gives rise to technology E&O claims.

When it comes to human psychology, it seems that the most egregious lack of understanding by insurers is not comprehending their most prominent adversary: hackers. However, hackers are not all the same, which means that they are driven by different attitudes, thought processes and rewards. More than that, hacking is an art and, just like any other art, there are “newbies,” and there are actual artisans.

In the first of the four hacker tiers are elementary hackers, meaning those people under the age of 14. For the most part, elementary hackers are going to focus on their local geographical community. This is partly due to the experimenting nature of such a young hacker, because a 10- or 12-year-old is still trying to figure out how to hack. Therefore, local targets present the best chances to hone a person’s skills. After all, the basic educational system, especially in the U.S., but elsewhere, too, spends very little on defensive technologies of any kind.

The local courthouse and sheriff’s office spend only slightly more than the educational system, and local merchants still largely maintain the attitude that they somehow do not appear on the radar of any hacker. Therefore, local venues often are the best targets because they often have the least security, in all forms, and consequently are the easiest ones on which to test a person’s skills.

However, insurers largely ignore this first tier and appear to have the mindset that these hackers are unworthy of recognition and that no solution as to how to engage with this group is needed.

The next tier contains the rookie hackers. These are the hackers who successfully “graduated,” unopposed, from the elementary group and who are generally 14 to 22 years old. For this next tier, the motivation is still whether the individual is capable of a hack, but now the target of the hack is going to extend, with ever greater frequency, beyond the immediate geographical location. It will also increasingly encompass working with and learning from others.

This is often the stage where hacktivists are going to begin to form and where the psychology of the hack is going to extend to obtaining items like currency and prestige. As hackers in this group encounter other hackers, they often start to form a set of ethics that make sense, but that are hard for a majority of people to understand. This same group is also going to start to attack national law enforcement institutions, yet even this tier is largely ignored by insurers around the world even though attacks from this group often involve PII, PHI, and payment card data.

Tier three is the first tier that has widespread acknowledgment from all insurers, and this tier encompasses both artisan and professional hackers. The hackers in this tier are often going to be 23 years old and older. One factor that makes this tier of hackers so effective in entering systems where they are not welcome is that they have been able to hone their skills from the age of 10 to 23.

Most people who build and hone a skill set over the course of 13 years will be fairly capable. Another factor is that this tier is composed of people who have a sense of identity, which means that this group has formed its own moral compass and conforms to ethics and outlooks that often fall outside of the global mainstream. This sense of identity and associated ethics gives rise to groups like the FireEye branded FIN6 group, or the hacktivist group Anonymous.

A group like FIN6 is capable of inflicting hundreds of millions of dollars in damage on the global economy, but, because cyber liability and technology E&O insurers have ignored the first two tiers of hackers, they are unable to appreciate the depth and abilities of tier three hackers.

The fourth tier of hackers has been known to insurers, as well as law enforcement organizations around the world, for years now. This tier is also composed of hackers who work for effective cybercrime groups, like FIN6, or larger cybercrime groups, hackers who are ardent supporters of a sociological or political philosophy (hackers for ISIS are a current example of this) and hackers who work for nation-states, whether directly employed or occasionally contracted to work.

These hackers have narrow views of the world, their ethics often fall outside of the norm of most hackers, and they are constantly trying to expand ways by which to wage cyber warfare (Stuxnet is a recent successful example) and are the embodiment of ghosts in the network. Tier four hackers are almost always the hackers who cause the most damage while leaving virtually no trace of their activities, and they are beyond insurers’ ability to engage with in any reformative manner.

Human behavior is at the core of every single data breach initiated by a human. The hacking of Equifax is perhaps the most recent egregious example of this. The Equifax hack occurred because of a psychological company mindset of complacency as well as the hackers’ own psychological reasons. Complacency is clearly demonstrated in the cybersecurity posture that the company was maintaining: It can be done later.

The hole that allowed the hackers to gain access and successfully acquire copious amounts of non-public data had a fix that was released in March 2017, but by May 2017 Equifax still had not patched the vulnerability. There is also evidence that Equifax was notified as early as December 2016 that its systems were not secure.

With the PII that a credit rating agency has, such a delay in updating critical data is unacceptable. However, with no government or market pressure to behave responsibly, Equifax and its ilk will continue to suffer data breaches time and again, and time and again consumers, and ironically insurers, will continue to exist in a world of ever-increasing uncertainty as to which direction financial harm will arrive from.


While the undeniable importance of accounting for human psychology is a severe oversight on the part of insurers, the path forward is equally undeniable: Engage with as many tier one and tier two hackers as possible and ensure that cyber liability and technology E&O applications allow insurers to assess the psychological outlook an applicant has with regard to cybersecurity.

In the April 2016 edition of the PLUS Journal, it was argued that insurers need to work with other companies involved in technology, marketing and lending and in other parts of the private sector to create an international competition. This competition would give students a creative outlet to display their skills whether they be in coding, design or writing. By establishing such a competition and working with educators, worldwide insurers and other companies can give potential tier one and two hackers a creative outlet for their skills as well as an affirmation that their skills can lead to healthy career paths.

By finding these individuals through an international competition, not only can insurers reduce the risk to their insureds of being hacked by the reduction in numbers of hackers, but they can also find the people who are capable of creating next-generation products.

Without spending the needed effort, though, insurers will continue to lose money at unsustainable levels to cyber liability and technology E&O claims, claims that could have been avoided by investing in adolescents, who, after all, are the future, but who also are the most vulnerable to negative influences.

By also asking the right questions in a cyber liability and technology E&O application, insurers can assess the psychological outlook of a corporate applicant and make a far more informed decision as to whether to underwrite the risk. Had insurers asked Equifax questions that appropriately gauged its perception of the importance of cybersecurity, they could have avoided the risk of underwriting the firm.

Surely, asking eight psychological questions to save $100 million is better than accepting $300,000 in insurance premium and all the uncertainty attached to that premium.

Over the past four thousand years, battles and wars have often been won by the continued incorporation into the battlefield of new technology, whether the technology was metallurgical or mechanical, but understanding the psychological mindset of the enemy has also been a determining factor. The ever-present value of human behavior has not been lost on most of the private sector, either. Psychology is at the core of a multibillion-dollar industry like advertising, and it is represented daily in the greed and fear index on Wall Street. Understanding the psychological mindset of a company as it concerns its cybersecurity posture and understanding hackers without question must be embraced by insurers.

However, until insurers realize the virtual relevancy of human psychology, they and their insureds will continue to lose substantial amounts of currency, time and sense of security, and the global economy will continue to be destabilized.

It’s Time for the Cyber 101 Discussion

In my role as a sales and business development consultant, I come in contact with sales professionals and business executives across numerous industries. I understand the trends involved with the integration of physical security, IT infrastructure and cyber solutions. The emergence of the Internet of Things (IoT), perhaps more appropriately described as the “Integration of Things,” has created more visibility to the convergence model generally and cyber threats specifically. That said, I see a fundamental problem with sales organizations, outside of the cyber industry, with initiating a cyber discussion. This is the first step in aligning cyber threats in the context of overall business risk, and for providing the managed services and secure products that the industry increasingly requires.

This Cyber 101 discussion is more of an informal conversation than a deep technical discussion. Cybersecurity is a confusing topic to many people and is at times assumed to be overly complex. In reality, it is a crime and espionage discussion that has a rich history and is interesting as a business case study. Put into this context, it is actually a compelling narrative and promotes a lively conversation that inevitably turns to the topic of operational risk and specific business issues.


The first step is to know your cyber history. This does not have to entail a debate as to when and how hacking evolved. I believe an appropriate starting point would be the first Gulf War. Perhaps the 1990s are ancient history for some, but most senior executives can identify. The important fact was the ease with which the U.S. military demonstrated technical dominance over the Iraqi army. Nightly newscasts of American generals proudly showing video clips of guided missiles accurately striking buildings and vehicles were enough to send chills down the spines of our nation-state adversaries, and jump-start their offensive cyber commands.

“I believe the Chinese concluded from the Desert Storm experience that their counter approach had to be to challenge America’s control of the battle space by building capabilities to knock out our satellites and invading our cyber networks. In the name of the defense of China in this new world, the Chinese feel they have to remove that advantage of the U.S. in the event of a war.” –Adm. Mike McConnell (ret.), former Director NSA, and Director National Intelligence

Not to be left out, the Russian military also accelerated its cyber capabilities (post-Gulf War I). In fact, many “retired” military cyber warriors established the early Russian cyber criminal syndicates and promoted global cybercrime as a business model.

As a result, cybercrime evolved, and Cyber Crime as a Service eventually exploded. It is a well-known operational fact that you only exist as a significant Russian cybercriminal if you abide by three hard and fast rules:

  1. You are not allowed to hack anything within the country;
  2. If you find anything of interest to the government, you share it;
  3. When called upon for “patriotic cyber activities,” you serve.

In exchange, you are “untouchable” and immune from prosecution.

Tom Kellermann, CEO of Strategic Cyber Ventures, is a cyber intelligence expert, author, professor and leader in the field of cybersecurity serving as a global fellow for the Wilson Center. He is the previous chief cybersecurity officer for Trend Micro and vice president for security at Core Security. Kellermann has told me there are approximately 200 “cyber ninjas” globally: truly elite hackers. This select group of black hat ninjas realized they could produce “malware for dummies,” (or criminals with average skill sets), along with online “how to hack” support services, in return for a cut of the profits. This business model returned more personal revenue at scale, compared with individual hacking activities, with much less risk. These operations created the original “Malware as a Service” business models, and, as a result, cybercrime has since exploded. (By the way, the model provides a recurring monthly revenue stream.)

According to the Serious Organized Crime Agency (SOCA), global cybercrime has surpassed narcotics trafficking in illicit revenues, and in the U.K., more than 50% of all crime is now cyber-related. Kellermann added that cybercrime has moved from traditional burglary to digital home invasion: “The economic security of the West is in jeopardy. Civilizing cyberspace must become a national priority.”

Research firm Cybersecurity Ventures (not to be confused with Strategic Cyber Ventures) produced a report that predicts that cybercrime worldwide will grow from $3 trillion in 2016 to more than $6 trillion annually by 2021! As a comparison, the entire gross domestic product (GDP) for the U.S. was $14 trillion in 2016.

Cybercrime today is professional, organized, sophisticated and most importantly “relentless.” These are not personal attacks. If you have any digital footprint, you are a target, period. The entire internet can be scanned for open ports within a few days, and IP cameras being activated on the internet are normally pinged within 90 seconds. You can’t hide very long. When it comes to security, the adage that “offense informs defense” is appropriate when protecting your specific business operation. A former client of mine, John Watters, CEO of iSIGHT PARTNERS (now FireEye), used an example: “A burglar and an assassin can use the same tools and tradecraft to gain entry to a location, but the intent, once inside, is very different. One wants your property; the other wants to kill your family. Prepare yourself accordingly.”

Another challenge is that the risk of cyber attack is growing. This is a dual-edged sword in many regards. IoT and the Industrial Internet of Things (IIoT) open a much wider attack surface of many more devices. However, the operational efficiencies and human productivity advances cannot be denied and will move forward. This situation creates a new reality; essentially, cyber threats are morphing from a virtual threat into a physical danger. Matt Rosenquist, cyber security strategist, Intel Security Group, explained in his 2017 ISC West Keynote address that the same controls that provide auto assist to parallel park your vehicle can be hacked to force a car (or hundreds of cars) to accelerate to high speeds and turn abruptly, causing fatal accidents. Imagine for a moment what that hack does to that specific automobile manufacturer’s reputation. Would the corporation even hope to survive?

Planes, trains and automobiles are just the beginning. Intelligent buildings, campuses, hospitals, retail outlets, branch offices and mobile emergency services, etc., all need to be secured. Security, followed closely by privacy protections, will be at the top of all buying requirements to win business.

The bottom line is that cybersecurity, like terrorism or tornados, is about risk management. This is a discussion that owners, managements and boards of directors know well. It is the responsibility of the sales professional to educate prospects and customer organizations to the sophisticated level of cyber risk that exists today and into the future. This is why understanding and explaining the evolving cybercrime business model is so important as an initial discussion.


In 2017, I have had the “Cyber 101 Discussion” with sales leadership and executives from many companies and industries:

  1. The regional insurance firm in Texas (1,000 employees) that recognizes a huge and expanding cyber insurance market opportunity generating more than $3.5 billion in 2016, and growing at 70% annually! Yet the sales organization does not know the first thing about starting the cyber dialogue with potential clients. “We know insurance, not cybersecurity.”
  2. The global video camera distributor that needs assistance in aligning marketing and sales messaging to answer customer concerns about cybersecurity. The industry needs a response to the Mirai botnet attacks that virtually guarantee that the internet will be flooded by hacks of new botnets powered by insecure routers, IP cameras, digital video recorders and other easily hackable devices.
  3. The physical security integrator that recognizes the need to provide secure solutions and endpoints for enterprise customers, but needs to provide internal cyber education while recruiting strategic partners offering cyber solutions and support resources.
  4. The domestic security monitoring company that now offers cyber managed solutions to the SMB market but struggles with positioning a compelling ROI and explains that customers cannot “quantify” the cyber risk to their business. (Hint: That’s the job of your sales organization; your customers need cyber education.)

It begins with a cyber sales comfort level within your own organization. Cyber education allows you to pass knowledge on to others as a trusted adviser. Get the Cyber 101 discussion started as a first step. Additional education and specific solutions can always be provided to secure passwords, mobile devices, access control, VMS, encryption and backups, etc. It’s a long list, but security managed services are providing recurring revenues and need to be positioned correctly.

Whether providing cyber insurance, hardening physical security equipment or selling secure managed services, the Cyber 101 discussion starts with understanding cyber history and the evolution of adversary intent. Today’s cyber threat is a component in the new definition of digital business risk. It is not always overly technically complicated, but it is essential that it be countered and monitored constantly.

Y2K Rears Its Head One More Time

In the late 1990s, in the run up to Jan. 1, 2000, insurers deployed Y2K or “electronic date recognition” exclusions into a multitude of insurance policies. The logic made sense: The Y2K date change was a known risk and something that firms should have worked to eliminate, and, if Armageddon did materialize, well, that’s not something that the insurance industry wanted to cover anyway.

Sixteen years later, one would expect to find Y2K exclusions only in the Lloyd’s of London “Policy Wording Hall of Fame.” But not so fast.

Electronic date recognition exclusions are still frequently included in a variety of insurance contracts, even though it’s doubtful that many folks have given them more than a passing glance while chuckling about the good old days. And now is the time to take a closer look.

Last month, various cybersecurity response firms discovered that a new variant of the Shamoon malware was used to attack a number of firms in the Middle East. In 2012, the original version was used to successfully attack Saudi Aramco and resulted in its needing to replace tens of thousands of desktop computers. Shamoon was used shortly thereafter to attack RasGas, and, most notoriously, the malware was used against Sony Pictures in late 2014. Shamoon has caused hundreds of millions of dollars of damages.

The new version, Shamoon v2, changes the target computer’s system clock to a random date in August 2012 — according to research from FireEye, the change may be designed to make sure that a piece of software subverted for the attack hasn’t had its license expire.

This change raises issues under existing electronic date recognition exclusions because many are not specifically limited to Jan. 1, 2000; they instead feature an “any other date” catch all. For example, one of the standard versions reads, in part:

“This Policy does not cover any loss, damage, cost, claim or expense, whether preventative, remedial or otherwise, directly or indirectly arising out of or relating to any change, alteration, or modification involving the date change to the year 2000, or any other date change, including leap year calculations, to any such computer system, hardware, program or software and/or any microchip, integrated circuit or similar device in computer equipment or non-computer equipment, whether the property of the Insured or not.”


By our estimation, this exclusion is written broadly enough to exclude any losses resulting from a Shamoon v2 attack, if indeed the malware’s success is predicated on the change in system dates to 2012.

Given that the types of losses that Sony and Saudi Aramco suffered can be insured, firms shouldn’t be caught off guard. We advise a twofold approach: Work with your insurance broker to either modify language or consider alternative solutions; and ensure that your cybersecurity leaders are monitoring your systems for indicators of compromise, including subtle measures like clock changes.
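One way to watch for the clock changes described above, as an added example that is not part of the original article: a small detector that reads time-change records and flags any host whose clock was moved back further than normal time sync would explain, with a higher severity when the new date lands in August 2012. The JSON field names, host names and sample records are assumptions constructed for this illustration.

```python
import json
from datetime import datetime, timedelta

# Constructed sample records, one JSON object per line (not real telemetry).
# Field names are assumptions for this example. On Windows the raw source
# would typically be Security event 4616 ("The system time was changed").
SAMPLE_EVENTS = [
    '{"host": "ws-014", "previous_time": "2016-12-05T09:14:02", '
    '"new_time": "2016-12-05T09:14:03", "process": "w32time"}',
    '{"host": "ws-022", "previous_time": "2016-12-05T10:01:40", '
    '"new_time": "2012-08-17T03:22:10", "process": "unknown.exe"}',
    '{"host": "srv-003", "previous_time": "2016-12-05T11:30:00", '
    '"new_time": "2016-12-05T10:30:00", "process": "admin-tool"}',
    'not json at all',
    '{"host": "ws-031", "previous_time": "2016-12-05T12:00:00", '
    '"new_time": "2016-12-05T12:00:05", "process": "w32time"}',
]

# Routine time sync nudges the clock by seconds; a larger backward jump is suspect.
MAX_BACKWARD = timedelta(minutes=10)


def in_august_2012(ts):
    """True if the new clock value falls in August 2012, the month the article cites."""
    return ts.year == 2012 and ts.month == 8


def find_clock_rollbacks(lines, max_backward=MAX_BACKWARD):
    """Return (findings, skipped) for an iterable of JSON time-change records.

    findings: one dict per record whose clock moved back more than max_backward.
    skipped:  count of lines that could not be parsed, so gaps are visible.
    """
    findings = []
    skipped = 0
    for line in lines:
        try:
            rec = json.loads(line)
            old = datetime.fromisoformat(rec["previous_time"])
            new = datetime.fromisoformat(rec["new_time"])
            host = rec["host"]
        except (ValueError, KeyError, TypeError):
            skipped += 1
            continue

        moved_back = old - new  # positive when the clock went backwards
        if moved_back <= max_backward:
            continue  # forward change or small correction: ignore

        findings.append({
            "host": host,
            "process": rec.get("process", "unknown"),
            "new_time": new,
            "moved_back": moved_back,
            # A rollback into August 2012 matches the behavior reported for Shamoon v2.
            "severity": "high" if in_august_2012(new) else "medium",
        })
    return findings, skipped


if __name__ == "__main__":
    hits, bad = find_clock_rollbacks(SAMPLE_EVENTS)
    for h in hits:
        print(f'{h["severity"].upper():6} {h["host"]}: clock set back '
              f'{h["moved_back"]} to {h["new_time"]} by {h["process"]}')
    print(f"{bad} unparseable line(s) skipped")
```

A medium finding is not proof of compromise; it is a prompt to check who or what changed the clock on that host.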

Insurance Disrupted: Silicon Valley’s Map

With $5 trillion in premiums, an incredibly low level of customer satisfaction, aging infrastructures, an analytically based, high-volume business model and a “wait until we have to” approach to innovation, insurance is now fully in the sights of the most disruptively innovative engine on the planet, Silicon Valley. The tipping point for insurance is here.

More than 75 digitally born companies in Silicon Valley, including Google and Apple, are redefining the rules and the infrastructure of the insurance industry.

Inside the Insurance Tipping Point – Silicon Valley | 2016

It’s one thing to listen to all of the analysts talk about the digitization of insurance and the disruptive changes it will bring. It’s quite another to immerse yourself in the amazing array of companies, technologies and trends driving those changes. This post is the first of a series that will give you an inside look at the visions, culture and disruptive innovation accelerating the digital tipping point for insurance and the opportunities that creates for companies bold enough to become part of it. (Join us at #insdisrupt.)

Venture firms are catalysts for much of Silicon Valley’s innovation, and insurance has their attention. Frank Chen of Andreessen Horowitz sees software as rewriting the insurance industry, and AXA insurance has established an investment and innovation presence here. Others, including Lightspeed Ventures, Ribbit Capital and AutoTech Ventures, are investing in data and analytics, new insurance distribution plays and other technologies that will change the shape of insurance.

New business models: Metromile, Zenefits, Stride Health, Collective Health, Climate Corp., Trov and Sureify are using technologies to redefine and personalize insurance and the experience customers have with it.

Rise of the Digital Ecosystem – Expanding the Boundaries of Insurance

Digital ecosystems are innovation catalysts and accelerators with power to reshape industry value chains and the world economy. They dramatically expand the boundaries within which insurance can create value for customers and increase the corners from which new competitors can emerge.

Silicon Valley is home to companies acutely aware of how to establish themselves as a dominant and disruptive platform within digital ecosystems. That includes Google, which is investing heavily in the automobile space with Google Compare and self-driving vehicles and has acquired Nest as an anchor in the P&C/smart homes market. Fitbit is already establishing health insurance partnerships. And let’s not forget Apple. The Apple Watch already has insurance-related partners. Apple has clear plans for the smart home market and has recently launched AutoPlay, its anchor entry into the auto market. There are rumors that Apple plans to develop an iCar. And that’s just what we know about.

There are a host of other companies placing digital ecosystem bets in Silicon Valley, as well: GE, which is driving the Industrial Internet of Things; Parstream, with an analytic platform built for IoT; the IoT consortium; Jawbone; Evidation Health; Misfit Wearables; icontrol Network; GM and its advanced technology lab; carvi; and DriveFactor, now part of CCC Information Services.

Then there are the robotics companies, including 3D robotics, the RoboBrain project at Stanford University and Silicon Valley Robotics, an association of makers.

Customer Engagement and Experience – New Digital Rules, New Digital Playbook.

When your customer satisfaction and trust is one of the lowest in the world and companies like Apple and Google enter your marketplace, it’s really time to pay attention. There is a customer value-creation and design-led innovation culture in the valley unrivaled in the world, and the technology to back it up. Companies like Genesys and Vlocity are working on perfecting the omni-channel experience. Hearsaysocial and declara are working on next-gen social media to help customers and the insurance industry create better relationships. Many of the next generation of insurance products will be context aware, opening the door to new ways of reaching and supporting customers. Companies like mCube and Ejenta are working to provide sensor-based insight and the analytics to act on it. Trunomi, Beyond the Ark, and DataSkill via cognitive intelligence are developing new innovative ways to use data and analytics to better understand and engage customers. Lifestyle-based insurance models are being launched, like Adventure Advocates and Givesurance. And some of digital marketing automation’s most innovative new players, like Marketo and even Oracle’s Eloqua, are rewriting and enabling a new digital generation of marketing best practices.

Big Data and Analytics – Integrated Strategies for the New “Digital” Insurance Company

The techno buzz says big data and analytics are going to affect every business and every business operation. When you are a data- and analytics-driven industry like insurance that deals with massive amounts of policies and transactions, that buzz isn’t hype, it’s a promise.

The thing about big data and analytics is that when they are used in operational silos, they provide a tactical advantage. But when a common interoperable vision and roadmap are established, analytics create a huge strategic advantage. That knowledge and the capability to act on it is built into the DNA of “born digital” entries into the insurance market like Google.

The number of companies working on big data and analytics within the valley is staggering. We have already discussed a few in the Customer Engagement section above. Here are a few more. In the area of risk: RMS is building its stable of talent in the big data space; Actian is delivering lightning-fast Hadoop analytics; Metabiota is providing epidemic disease threat assessments; and Orbital Insights is providing geo-based image analysis. In the areas of claims and fraud, Palantir, ScoreData, Tyche and SAS are adding powerful capabilities for insurance. Improved operational effectiveness is being delivered by Saama Technology, with an integrated insurance analytics suite; by Prevedere, with data-driven predictive analytics; by Volumetrix, with people analytics; and by Sparkling Logic, which helps drive faster and more effective decision making.

Insurance Digitized | Next Generation Core Systems

With insurance boundaries expanding, integration with digital ecosystems, increasing reliance on analytics and the demand for personalized and contextualized outcome- and services-based insurance models, core systems will have huge new sets of requirements placed on them. The requirement for interoperability between systems and data and analytics will grow dramatically.

Companies like Guidewire, ISCS and SAP are building a new generation of cloud-based systems. Scoredata and Pokitdoc are bringing new capabilities to claims. Splunk, Symantec and FireEye are addressing emergent cyber risks. And companies like Automation Everywhere, Oculus Rift, Suitable Technologies and Humanyze are enabling the digitally blended and augmented workforce.

The latest investment wave includes artificial intelligence, deep learning and machine learning, which core systems will need to incorporate.

Surviving the Tipping Point – Becoming One of the Disruptive Leaders

This is a small sampling of the technologies, trends and companies just within Silicon Valley that are shaping the digital future of insurance. The changes these will drive are massive, and they are only the tip of the iceberg.

An Insurance Tech meetup group open to all the insurance-related companies within Silicon Valley was just announced by Guillaume Cabrere, CEO of AXA Labs, and already has 64 members. For established companies to survive the tipping point and thrive on the other side of it requires more than handing “digital transformation” off to the CIO or marketing team. Success requires a C-Suite that has become an integral part of the community and culture building the digital generation of insurance companies.

For technology companies and next-generation insurance companies, success requires building partnerships with established and emerging players.

This blog series is designed to inform and accelerate that dialog and partnering formation. It will include a series of interviews with disruptive leaders from industry and Silicon Valley. If you or your company would like to be a part of that series, please let me know.

Join us for the next Insurance Disrupted Conference – March 22-23, 2016 | Silicon Valley

ITL readers receive a 15% discount when registering here.

The New Cyberthreat You Face at Work

The latest greatest swindlers in the cybercrime racket know you’re onto their digital three-card monte, and they’ve made a few adjustments, putting yet another wrinkle in the corporate-hacking game by targeting top-level employees for major profits.

These hackers appear to be based in North America or Western Europe, and they know a great deal about the companies and industries they’ve been cracking. They could be “white-collar hackers” or just good studies of character. It really doesn’t matter. Here’s what counts: They are hatching cyberthreats so nuanced you may not see the hack that takes out your company ’til the smoke clears.

These hackers may have worked for your company, or one like it. They are going to know how your teams communicate. They’ll use the lingo and shorthand that you see every day. Emails may be super simple, like, “I need another pair of eyes on this spreadsheet about [term of art only people in your business would know].” They may know what you are likely to be talking about after certain kinds of industry news releases, and they’ll have a good idea of what times of day get busy for you so that you are more distracted and less likely to think before you click.

“The attacks are becoming much more sophisticated than anything we’ve seen before,” says Jen Weedon, a threat intelligence officer at the Silicon Valley-based cybersecurity firm FireEye.

The New York Times reported about one such group of hackers targeting senior executives at biotech companies with a goal of garnering insider information to game the stock market.

FireEye has been tracking the group, which the company calls Fin4, for a year and a half. (The “Fin” designation is assigned by the company to indicate groups where the main goal is to monetize proprietary information.)

“Fin4 has reached a threshold of capability that sets them apart,” Weedon told me during a phone conversation. “They are very thoughtful about who they target. They go after specific companies and are a lot more scoped in their approach.”

Attacks of this kind may start with the studied e-impersonation of trusted colleagues, business associates or anyone from a constellation of contacts—compliance officers, regulators, legal or financial advisers—with the single purpose of getting someone in a senior position to personally, unwittingly hand over the keys to the castle. Once Fin4 is in, sensitive—potentially lucrative—information can be accessed and put to use.

“They will send a very convincing phishing email,” Weedon said. “It may prompt a link that looks just like Outlook.” The target enters her credentials to see the attachment, not realizing that she was not in Outlook at all. There may even be a legitimate document on the other side of that fake login page, but it’s a trap. Once the hacker gets into a key person’s inbox, the Outlook settings are reset to send any messages containing the words “hacked” or “malware” directly to the user’s trash folder, thereby giving the cyber-ninja more time in the system to collect information about mergers and acquisitions, compliance issues, press releases, non-public market-moving information—anything that can be used to make a smarter stock market trade.
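The inbox rule described above is something a mail administrator can look for. The sketch below is an added example, not code from the article or from FireEye: it scans a JSON export of mailbox rules for any rule that deletes or buries messages matching security-alert keywords. The field names follow Exchange's `Get-InboxRule` output; the sample data, the extra keywords and the folder list are assumptions.

```python
import json

# "hacked" and "malware" come from the article; the other terms are assumed additions.
ALERT_TERMS = ("hacked", "malware", "phish", "virus", "compromised")
# Folders where mail is effectively hidden from the mailbox owner (assumed list).
HIDING_FOLDERS = {"deleted items", "trash", "junk email", "rss feeds"}
KEYWORD_FIELDS = ("SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords")

# Constructed sample: field names follow Get-InboxRule output, values are invented.
SAMPLE_EXPORT = json.dumps([
    {"MailboxOwnerId": "ceo@example.com", "Name": ".", "Enabled": True,
     "SubjectOrBodyContainsWords": ["hacked", "Malware"], "DeleteMessage": True},
    {"MailboxOwnerId": "cfo@example.com", "Name": "Newsletters", "Enabled": True,
     "SubjectContainsWords": "weekly digest", "MoveToFolder": "Newsletters"},
    {"MailboxOwnerId": "counsel@example.com", "Name": "Training", "Enabled": True,
     "BodyContainsWords": ["phishing"], "MoveToFolder": "Security Awareness"},
    {"MailboxOwnerId": "ir@example.com", "Name": "tmp", "Enabled": False,
     "SubjectContainsWords": ["malware"], "MoveToFolder": "Deleted Items"},
])

def rule_keywords(rule):
    """Collect every keyword condition on a rule, lower-cased."""
    words = set()
    for field in KEYWORD_FIELDS:
        value = rule.get(field) or []
        if isinstance(value, str):  # a single keyword may be exported as a bare string
            value = [value]
        words.update(w.strip().lower() for w in value)
    return words

def hides_mail(rule):
    """True if the rule deletes the message or files it where the owner rarely looks."""
    folder = (rule.get("MoveToFolder") or "").strip().lower()
    return bool(rule.get("DeleteMessage")) or folder in HIDING_FOLDERS

def suspicious_rules(export_json):
    """Return rules that hide mail matching security-alert keywords."""
    findings = []
    for rule in json.loads(export_json):
        hits = sorted(k for k in rule_keywords(rule) if any(t in k for t in ALERT_TERMS))
        # Disabled rules are reported too: they can be leftovers of an earlier intrusion.
        if hits and hides_mail(rule):
            findings.append({"mailbox": rule["MailboxOwnerId"], "rule": rule["Name"],
                             "keywords": hits, "enabled": bool(rule.get("Enabled", True))})
    return findings

if __name__ == "__main__":
    for finding in suspicious_rules(SAMPLE_EXPORT):
        print(finding)
```

A rule that files phishing-awareness mail into a visible folder is not flagged; only the combination of alert keywords and a hiding action is.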

According to Weedon, the group has been able to infiltrate email accounts at the CEO level.

Once they’ve gained access, the hackers may simply collect everything in the CEO’s inbox or take an attachment found there and plant malware that then spreads throughout the company, thereby exposing still more information. The difference here is that the hack relies on legitimate credentials to gain access, so it’s a much lighter touch with potentially much more information being compromised. If the hackers forgo malware, there aren’t necessarily any traces at all of the compromise.

The “old” way these breaches worked—one still very much practiced by Chinese and Russian groups—involved the use of general information, kinda-sorta knowledge of the target’s business and hit-or-miss English. Because there is often less specificity and more variables in these kinds of softer attacks, the dodge is easier to spot. It’s more likely to find a lower-level employee falling for it. In most cases, these targets don’t have the kind of access to information that can cause major damage. Having gained whatever access is possible through their mark, old-school hackers move laterally into the organization’s environment, whether by recording keystrokes to exploit privileged employee credentials or blasting a hole in the company firewall. They might as well be Bonnie and Clyde robbing a bank. The goal is to siphon off information that can be turned into an easy profit, but the process leaves traces.

What’s so worrisome about Fin4 is that the hackers can come and go—gaining access to everything and anything pertaining to your company—and you may never know it. For the numerous healthcare and biotech companies that they targeted, the only real-life consequence could be an advantageous trade that somehow anticipated the announcement of a new drug, or shorted a stock associated with a failed drug trial.

If you are the target of choice, you will have to be exceptionally well trained by a cutting-edge information security professional and completely tuned in to the subtleties of your workflow to avoid getting got. These fraudsters will have at their fingertips the kinds of information that only an insider should know, and the bait they dangle in front of you will be convincing.

While the art is very different, the basic mechanism is the same. Company-killing compromises require human error. While more common hacks rely on a weakest link that can be exploited, the more hackers evolve, the more we all must evolve with them.