How to Immunize Against Cyber Attacks

Cyber-attacks show no signs of abating. In fact, deadly threats such as ransomware and malware have now become mainstream. Enterprises have no option but to expect cyber-attacks as a fact of life. They need to make their systems immune to such attacks.

The State of Cyber Attacks

Cyber-attacks increase in magnitude and scale with every passing day. A case in point is the WannaCry ransomware, which wreaked havoc on more than 200,000 systems across 150 countries during May 2017. This attack, the largest ransomware delivery campaign to date, held up everything from surgical operations to public information display systems, and from government initiatives to corporate work. And WannaCry is just one example. More than 4,000 ransomware attacks have taken place since the start of 2016.

Ransomware damages will touch $5 billion by the end of 2017, a 15X increase from the damage levels just two years ago!

Data-encrypting ransomware such as WannaCry is socially engineered malware. Hackers trick unsuspecting victims into installing Trojan horse programs in many ways. They may:

  • Compromise an otherwise trusted site on a temporary basis, to offer a malicious download link.
  • Arrive as a rogue friend or application install request through mainstream social media.

The innovation of their attacks is matched only by the ingenuity in the ways they breach the network.

Close on the heels of socially engineered malware are password phishing attacks. A good proportion of the unsolicited emails try to pry out login credentials from gullible account holders. Despite the best anti-spam software, good phishing replicas of legitimate emails slip in. All it takes is a single careless employee for the hackers to breach the corporate network.

Countermeasures

Cybersecurity has been fighting a losing battle against cyber attackers for many years now.

Traditional security approaches, such as firewalls and antivirus suites, are now inadequate to protect against the entire gamut of attacks. Many enterprises realize this fact and now invest heavily in security. Gartner estimates information security spending to exceed $86.4 billion in 2017. However, many enterprises go after the latest tools and technologies, while neglecting the basics.

Time-tested basic security hygiene is the foundation of any countermeasure against cyber threats. Some of the basics include:

  • Installing advanced anti-malware suites
  • Regular patching and updating of key software
  • Regular data backups
  • Controlled access to resources within the network
  • An enterprise-wide whitelist of authorized apps and software
  • Strong two-factor authentication (2FA), with smartcards, biometrics, or OTP through SMS

Another key component of basic security hygiene is training users on safe browsing. The ideal end-user education is ongoing. It covers the latest threats, and makes employees aware of what to do in the face of various eventualities.

However, all these basics serve only as a foundation on which to construct sound security architecture for the enterprise. These basics alone are no longer effective in keeping cyber criminals at bay.

Patch Management: Vital for online security

Socially-engineered malware such as WannaCry spreads across the organizational network without user interaction. The malware exploits latent vulnerabilities in the operating system or application software. Browser add-on programs such as Adobe Reader are especially rife with vulnerabilities, and hackers exploit them at will. In WannaCry’s case, the malware exploited “EternalBlue,” a known Microsoft Windows vulnerability.

Software vendors and cyber criminals are locked in a never-ending battle. Cyber criminals are always looking to unearth some vulnerability. The “good guys” try to beat cyber criminals to the game, identifying vulnerabilities before cyber criminals discover them. Either way, the software developer releases a patch as soon as the vulnerability becomes known.

But it is rare to find any enterprise with perfectly patched software. Enterprises do not install patch updates even when they become available, owing to many reasons, such as:

  • Operational constraints and exigencies
  • Concerns about whether a newly patched version would contain some other bugs, rendering the system unstable

Continuous Monitoring: Around the clock website check-ins

Today’s cyber criminals are sophisticated, and the attacks they launch are unpredictable.

Enterprises would do well to ensure continuous monitoring of the network environment. They would also do well to manage the implemented security controls on a proactive basis.

An effective network monitoring system offers end-to-end visibility of the network traffic. It:

  • Understands legitimate traffic patterns in the network, and issues prompt alerts when discovering unexpected traffic flows.
  • Triggers automated responses, such as shutting down the network, or blocking the user, on detecting anomalies.
  • Integrates threat intelligence capabilities, aggregating threat information from multiple sources.

Large enterprises could consider setting up an in-house security operations center, with robust incident response capabilities. Smaller firms could consider enlisting the services of a managed security services provider, to monitor their network and respond to incidents in real-time. Either way, proactive network monitoring is essential to keep the network safe.

Security Assessment: Third party independent security reviews

Network security does not work in isolation. An effective security set-up offers tight integration, without leaving any loose ends. Enterprises would do well to conduct a thorough security audit to ensure such a state.

A sound and comprehensive review compares the existing state of cybersecurity with best practices, in terms of:

  • The integration of basic and advanced controls to the security architecture
  • Integration of the existing security environment architecture with the business and IT vision
  • How the security framework leverages the latest technologies, such as machine learning, behavior analysis, and threat modeling, to detect and mitigate identified threats
  • The scalability of the security architecture to defend against future threats
  • The preparedness of the architecture to deliver intelligent and flexible responses

The state of cybersecurity is fluid. Enterprises need to adopt an adaptive and evolving approach to security. They need to re-evaluate security processes, practices, policies, platforms, and tools on a regular basis.

With cybercrime damage estimated to touch $6 trillion annually by 2021, the stakes have never been higher.

Why Blockchain Matters to Insurers

First, a definition. Distributed ledger/blockchain technology, increasingly abbreviated as “DLT,” transfers value in a decentralized, consensus-based and immutable manner using cryptographic tools. It differs from today’s technology because it offers transactions between unknown counterparties that are mathematically trusted in real time. DLT is at once a network and a database that can host applications like smart contracts, with the potential to be interoperable across trade ecosystems. This technology seems tailor-made to help administer the claims end of insurance.

Let’s talk about claims. It is well known that insurance claims are the storefront of an insurance business. Claims processing and resolution provide touchpoints for extended customer engagement, and a bad experience can poison an insurer in a customer’s mind, which can affect policy renewal. The claims experience should be seamless and easy to manage for all.

Imagine if you could smooth out your claims process so that it is more accurate, frictionless and cost-efficient and can even provide easy access to data for benchmarking and analysis to improve your customer’s digital experience.

I had my “aha” moment when I first learned about DLT technology. I was struck with an immediate vision of how things could be made better within the insurance industry. As a prior general counsel of an insurer, and now a consultant specializing in the strategic use of this technology, I understand how it can be implemented (once fully developed) and can envision how it can change and improve business from end to end.

Practically speaking, on the claims side, at the very least, the industry would never again have to suffer “the dog ate my homework” excuse for lost documents, duplicate or other document mishaps and related lawsuits. Claims provenance could be automatically established and adjudicated by so-called “smart contracts” (in the most general sense, they are protocols that have deterministic outcomes) in real time with an easily auditable and immutable trail. Identity proof would be less onerous. Those developments alone go a long way to reducing fraud and risk and their associated costs.

While modernizing claims processes is not a “sexy” thought, it is one that directly affects all insurers and their bottom lines by reducing risk. A small shift in the actuarial calculation based on a risk reduction goes a long way. There is not a business person on earth who does not want to increase revenue.

While there is a lot of hype, I believe we are only seeing the beginning of its potential. Education is needed. Imagination is needed. And innovation and execution are needed. The financial services industry has looked at this technology over the past year and is engaging with it, and some practical applications are expected to go into production in 2017. Insurers/asset managers should take notice. For instance, Delaware will begin using blockchain technology for UCC filings powered by Symbiont. Financial industry regulators, both domestically and internationally, are evaluating this technology and are listening and learning. In part, we owe the financial services sector a debt of gratitude for creating awareness overall.

Generally speaking, insurers have been slow to the table to learn about this technology, but it is imperative that they engage as early as possible because DLT has the potential to be very valuable for them. Some reinsurers already understand this and are experimenting. The diamond industry understands this and is experimenting with digital representation of hard assets on a blockchain for asset management and insurance purposes through Everledger. Other insurers have made some attempts to test similar concepts.

Indeed, the insurance industry can benefit on more than just the claims side.

We all know customer acquisition is the most uncertain and expensive part of the process in any business. Well-designed digital processes can prove invaluable in customer acquisition and retention. On the front end of the insurance industry, smart contracts can aid in creating easy-to-manage customer policies, which can be fed into databases and tailored and segmented in any way that makes business sense. Data management and security can be enhanced using blockchain technology. In fact, the Estonian company Guardtime has embraced the cyber security end of this technology and evolved a keyless signature infrastructure (KSI) that DARPA is verifying.

Blockchain/DLT technology is not a panacea for all. But it is worth exploring as the technology evolves. We are at an inflection point in the development of this technology—a point in time where insurers and others can have a say in how it evolves. Once standards emerge and practical applications are in production, it may be too late.

Time to get on board, insurers, and weigh in! All you need do is participate to make sure your interests are heard and accounted for.

To the insurance industry, I ask you: How do you see this technology affecting insurance?

Three Ways to Fix Health Insurance (No Matter What Happens With Obamacare)

Whether Obamacare is fully implemented or collapses under the weight of its 906 pages of law, its 15,000 pages of regulations, and the well-publicized glitches in its rollout, the underlying, ineluctable problems with health insurance remain largely unresolved. How we respond will determine whether we hit the iceberg and sink or veer away in time to save our private health care system.

To understand some of the real cost drivers for health insurance, let’s look at the “Doe” family. John and Jane Doe pay $600 per month for health insurance for their family of four. Most states have a list of benefits, or “mandates,” that, by law, insurers must cover – from gastric electrical stimulation to breast implant removal. While some states have fewer mandates, others have piled them on. (Utah has 26, while Rhode Island, Maryland, and Minnesota all have at least 65.) The Doe family could see savings up to 50% or more on their insurance rates if they could just buy a basic health plan without the mandates. That could drop their monthly premium to as low as $300.

Premiums would come down even further if tort reform ended “jury lotto,” where patients get large, unjustifiable settlements or jury awards for medical treatment gone awry. While doctors are human and are certainly capable of errors, the legal system allows for these big settlements even when doctors are not at fault.

Here’s the scenario: Imagine that Doctor Smith treats a woman who complains of an ear infection and gives her a prescription, telling her to call if the condition doesn’t improve. The woman dies a few days later from a brain tumor. The family sues, alleging the doctor should have been able to diagnose the tumor. The jury sympathizes with the grieving family, believes that doctors should be omniscient, and reasons that rich doctors and their insurers can easily afford a large payment, so the family receives a $10 million award. The pestilential result is that everyone’s health insurance rates go up to cover such settlements, the doctor’s malpractice rates increase, and he now orders extra tests for the next patient to protect himself from the next lawsuit.

Tort reform could provide significant savings to the health care system, resulting in insurance premiums dropping as much as 10%. The Doe family might now see its insurance rate go down to as low as $240 – a whopping 60% drop in their monthly premium.

(Some have talked about allowing consumers to buy across state lines to reduce premiums even further by increasing competition and making it easier to buy policies in states that mandate fewer benefits, though this has not yet been shown to be true.)

A third way to drive insurance rates down is consumer engagement – changing the dynamic so that people actually know and care about what their health care costs. As long as it is Other People’s Money (OPM), there is little incentive to lower the cost of care, which continues to rise and, in turn, drives up insurance rates. (Contrary to public opinion, a recent analysis by the accounting firm PriceWaterhouseCoopers found that health insurers pay an average of 87 cents to providers of medical and pharmaceutical services out of each premium dollar and, after expenses, earn just three cents in profit. The problem, then, with health insurance isn’t that insurers are gouging people; it’s that costs are high, and consumers are generally unaware and unconcerned.)

So how can we get engaged? Even while we wait for the regulatory and legal changes that will need to occur to reduce mandates and rein in unjustified malpractice awards, here are two things for consideration in lowering health care costs.

First, we need to change our mindset as consumers when it comes to health insurance. What if we treated health insurance more like homeowner’s insurance? In other words, what if we bought coverage for the unexpected (illness or injury), while paying for our day-to-day medical needs out of pocket, as we do for home repair and maintenance? Great insurance options to consider include high-deductible health plans with linked Health Savings Accounts (HSAs). In general, we need to shift our thinking on health care from OPM (Other People’s Money) to MM (My Money).

Second, how about a radical “Groupon” type of approach? Let’s say John Doe is diagnosed with a hernia and needs an operation. There are three hospitals in town. All three are fully credentialed and meet quality standards. John’s surgeon can admit to them all. Hospital 1 is an older, traditional facility in a more frugal setting, with an estimated cost for the surgery of $10,000. Hospital 3 is a new, state-of-the-art “Hyatt” hospital with high-end amenities and a fancier environment – estimated cost: $50,000. Hospital 2 is in the middle, with an estimated $25,000 price tag. Here’s what John’s health insurance company tells him:

“You are covered at all three hospitals. But if you go to hospital 3, you have an additional $2,000 copay. If you go to hospital 2, we’ll cover the cost at 100%. If you go to hospital 1, we’ll pay you $2,000. Your choice.”

John is comfortable at hospital 1 and likes the idea of getting rewarded for choosing a lower cost setting. He has his surgery done there. He gets the $2,000, while the insurance company saves $38,000 off the cost of hospital 3.

This kind of savings will eventually be reflected in lower premiums for everyone. Decisions like John’s will also encourage hospitals to lower costs, as market forces come into play, leading to even more reductions in insurance costs.

Conclusion

We are not going to reform the health care system and resolve our health insurance problems overnight. And even if Obamacare is fully implemented, we still need to make fundamental changes, including how we see and use health insurance as consumers. If we are going to steer the Titanic away from the iceberg, we as consumers need to change our mindset and get engaged – and have financial incentives to do so, leading to powerful market forces. Once the sleeping giant of the American consumer awakens, watch out.

Could Obamacare Collapse Under Its Own Weight?

Despite everything written and said about Obamacare, few seem to have noted the possible analogies to the debacle known as Section 89 of the Tax Reform Act of 1986. Section 89 was the federal government’s attempt to require employers to provide non-discriminatory life and health insurance benefits to all employees, without regard to income. But the nightmarish rules and regulatory burden it was poised to foist onto businesses were so onerous and complex that, as it neared implementation, there were 13 bills before Congress to change or eliminate it, before it was finally killed in 1989.

Could this same fate befall the Affordable Care Act, or Obamacare?

Yes. That Obamacare will simply collapse under the weight of its 906 pages and more than 15,000 pages of regulations is not just a wish of conservatives but a real possibility.

Here are some of the shoes that have already dropped:

  • Waivers – More than 700 organizations and 2 million Americans have been given waivers.
  • Delays – Companies with more than 50 employees have been given a one-year delay in implementation.
  • Important rule changes – Individual income verification, required for those purchasing through Obamacare’s insurance exchanges, has been replaced with the “honor system” for now.
  • Missed deadlines – Half of the deadlines for implementation (41 out of 82) have been missed.
  • Insufficient funding – Some of the 18 separate tax increases needed to fund Obamacare are being eliminated or postponed, and some groups are finding ways to avoid them. The lack of funding, combined with an overly optimistic initial estimate about how much would be needed, may lead to a significant shortfall and debt.
  • Messy rollout – Initial enrollment, which started Oct. 1, has been glitch-filled.

So, despite the administration’s relentless efforts to keep pitching President Obama’s landmark legislation to restructure healthcare and insurance for more than 310 million Americans, there are dark clouds looming on the horizon that may portend its demise.

It happened before. It can happen again.