Tag Archives: social engineering

6 Cybersecurity Threats for Insurers

The connectedness of everything – assets, people, business and commerce – has increased the severity and frequency of cyber attacks. The insurance sector faces a bigger threat than most industries because insurers deal with extremely sensitive data. Several insurance companies, such as Premera Blue Cross and Anthem, have experienced significant data breaches over the past years. However, these are not the only insurers affected. A report by Accenture shows that an average insurance company receives over 100 cybersecurity attacks each year, with 30% of the attempts being successful.

As an insurance leader, being aware of the potential cybersecurity threats puts you in a better position to adopt the right prevention measures. Here are the top cybersecurity threats in the insurance sector that you should know.

6 Cybersecurity Threats for Insurance Leaders

1. Cloud Vulnerabilities  

Cloud data access and storage has become a common practice for many people. However, this practice can increase the risk of a data breach. You can be susceptible to denial of services (DoS) and account hijacking attacks. With such attacks, hackers can access and tamper with your company’s data while preventing your team from accessing it. This threat can be prevented by implementing an extensive cyber risk management plan.

2. Patch Management

If your insurance company is using outdated software, you have a higher risk of cyberattack. Most cybercriminals exploit software vulnerability to access and steal company information. Failing to update your software patches makes your organization vulnerable to numerous data breaches.

Cybercrime vulnerability can be through something you consider as minor as the computer operating system. For instance, most organizations became exposed to cyber-attacks in 2018 for failing to update their Microsoft Office software following a patch release for Eternal Blue vulnerability. Therefore, it is advisable you stay up-to-date with any software you are using in your organization to avoid costly attacks.

3. Social Engineering

With the increase in social interactions, cybercriminals are exploiting such opportunities to launch social engineering attacks. Deception is the major aspect of such attacks. Usually, these criminals use trickery and manipulative approaches to lure individuals into taking various actions. For instance, you can be lured to disclose sensitive information or even bypass set security measures.

Social engineering threats are high because targets simply give hackers access to the system. Thus, it is hard for you to prevent these crimes with cybersecurity systems. However, regular training on cybersecurity is necessary for ensuring that your team members know how to detect and prevent such crimes.

See also: A Novel Approach to Cybersecurity

4. Ransomware Threats

If you thought it was only individuals who can be held hostage, think again, because your computer systems and data can, too. Ransomware attacks are some of the serious cyber threats you should worry about in the modern era. A report by the U.S Depart of Homeland Security reveals a rising number of ransomware attacks. The hackers attack your network and prevent you from accessing any data in it until a certain amount is paid. Such attacks are associated with significant losses. For example, besides the immediate losses, a ransomware attack can lead to huge monetary damages because of lost data and loss of productivity.

5. Third-Party Exposure Threats

The use of third-party services is a common practice nowadays, especially for payment processing. Most organizations do not take the necessary precautions when engaging in third-party transactions. Even where the party you are transacting with does not handle personal data directly, it can put your organization at risk of attack.

Hackers are using malware to access personal data, such as credit card numbers and Social Security numbers, through third-party companies. Therefore, it is important to take all the necessary precautions when dealing with a third-party vendor. For instance, inquire about their policy on data breaches and find out whether they have any measures in place to prevent cybersecurity attacks.  

6. Outdated Hardware

There is a common misconception that cybersecurity threats have to come from software. If you are using outdated hardware, your company data is vulnerable, too. With the increasing rate of software updates, some hardware may find it challenging to keep up. Obsolete hardware may be difficult to accept the latest security measures and patches. In such cases, your organization’s data is exposed; hence, at a high risk of cyberattack. Therefore, it is critical to regularly check your devices and replace any obsolete ones to avoid outdated hardware-related cyber-attacks.

See also: The Missing Tool for Cyber Resilience

Holistic Risk Management Plan

There you have it – a comprehensive overview of some of the top cybersecurity threats in the insurance sector. Evidently, as technology advances, insurance companies will continue to face different forms of cybersecurity threats.

While there might not be a one-size-fits-all approach to address or prevent cyber threats, being knowledgeable on the various cybersecurity vulnerabilities can help you adopt better risk detection and prevention measures. Therefore, make sure to adopt a holistic management plan to stay away from most of these threats.

Hacking the Human: Social Engineering

Virtually every business relies on a network to conduct its daily operations. This often involves the collection, storage, transfer and eventual disposal of sensitive data. Securing that data continues to be a challenge for organizations of all sizes and across multiple business sectors. Social Security numbers, W-2 forms, payment cards and intellectual property have significant value on the black market and provide motivation for hackers to steal.

Many corporate IT departments respond to these threats by devoting vast amounts of resources to technological defenses. Criminal perpetrators, however, seem to remain one step ahead of even the best cybersecurity efforts. They have altered their strategies by perpetrating human-based fraud. One emerging tactic involves what we have come to know as “social engineering.” This type of fraud occurs in a multi-stage process. Criminals first gather information, form relationships with key people and finally execute their plan.

By exploiting our natural tendencies to trust others, criminals have been highly successful in convincing people to hand over some of their most valuable data assets. In fact, according to the FBI, from October 2013 to August 2015, more than 8,000 social engineering victims from across the U.S. were defrauded of almost $800 million (the average loss amounted to $130,000.)

See also: Dark Web and Other Scary Cyber Trends

There are several methods of social engineering that are seen frequently, including the following seven:

  • ­Bogus Invoice: A business that has a long-standing relationship with a supplier is asked to wire funds to pay an invoice to an alternate, fraudulent account via email. The email request appears very similar to one from a legitimate account and would need scrutiny to determine if it was fraudulent.
  • ­Business Executive Fraud/Email Phishing: The email accounts of high-level business executives (CEO, CFO, etc.) may be mimicked or hacked. A request for a wire transfer or other sensitive information from the compromised email account is made to someone responsible for processing transfers. The demand is often made in an urgent or time-sensitive manner.
  • ­Interactive Voice Response/Phone Phishing (aka “vishing”): Using automation to replicate a legitimate-sounding message that appears to come from a bank or other financial institution and directs the recipient to respond to “verify” confidential information.
  • ­Dumpster Diving and Forensic Recovery: Sensitive information is collected from discarded materials — such as old computer equipment, printers, paper files, etc.
  • ­Baiting: Malware-infected removable media, such as USB drives, are left at a location where an employee may find them. When an employee attaches the USB to her computer, criminals can ex-filtrate valuable data.
  • ­Tailgating: Criminals gain unauthorized access to company premises by following closely behind an employee entering a facility or by presenting themselves as someone who has official business with the company.
  • ­Diversion: Misdirecting a courier or transport company and arranging for a package/delivery to be taken to another location.

How to avoid being defrauded in the first place:

Given the rising incidence of social engineering fraud, all companies should implement basic risk avoidance measures, including these eight:

  • Educate your employees so they can learn to be vigilant and recognize fraudulent behavior;
  • Establish a procedure requiring any request for funds or information transfer to be confirmed in person or via phone by the individual supposedly making the request.
  • Consider two-factor authorization for high-level IT and financial security functions and dual signatures on wire transfers greater than a certain threshold.
  • Avoid free web-based email and establish a private company domain, and use it to create valid email accounts in lieu of free, web-based accounts.
  • Be careful of what is posted to social media and company websites, especially job duties/descriptions, hierarchical information and out-of-office details.
  • Do not open spam or unsolicited email from unknown parties, and do not click on links in the email. These often contain malware that will give subjects access to your computer system.
  • Do not use the “reply” option to respond to any financial emails. Instead, use the “forward” option and use the correct email address or select it from the email address book to ensure the intended recipient’s correct email address is used.
  • Beware of sudden changes in business practices. For example, if a current business contact suddenly asks to be contacted via a personal email address when all previous official correspondence has been on a company email, the request could be fraudulent.

Despite these efforts, organizations can still fall victim to a social engineering scheme. These incidents can be reported to the joint FBI/National White Collar Crime Center – Internet Crime Complaint Center (IC3) at www.ic3.gov.

See also: Best Practices in Cyber Security

The initial concern after such an event often focuses on the amount of stolen funds. However, there could be an even greater threat because these incidents often involve the compromise of personally identifiable information, which can later be used for identity thefts from multiple people. This prospect for more theft will often trigger legal obligations to investigate the matter and to communicate to affected individuals and regulators. The thefts often then lead to litigation and significant financial and reputational harm to businesses. Costs can include fines, legal fees, IT forensics costs, credit monitoring services for affected individuals, mailing and call center fees and public relations costs.

Fortunately, the insurance industry has developed insurance policies that can transfer these risks. Crime insurance policies can cover fraudulent funds transfers, while cyber insurance policies may cover costs related to unauthorized access of personally identifiable information. However, the insurance buyer needs to be wary of various policy terms and coverage limitations. For example, some crime policies can contain exclusionary language for cases involving voluntary transfer of funds, even though they were unknowingly transferred to a criminal. Other insurers might add policy language to crime policies to cover this situation.

Cyber insurance policies can be customized to offer coverage for the following:

  • ­Network Security Liability: Liability to a third party as a result of a failure of your network security to protect against destruction, deletion or corruption of a third party’s electronic data; denial of service attacks against Internet sites or computers; or transmission of viruses to third-party computers and systems.
  • Privacy Liability: Liability to a third party as a result of the disclosure of confidential information collected or handled by you or under your care, custody or control. Includes coverage for your vicarious liability where a vendor loses information that had been entrusted to it in the normal course of business.
  • Electronic Media Content Liability: Coverage for personal injury and trademark and copyright claims arising out of creation and dissemination of electronic content.
  • Regulatory Defense and Penalties: Coverage for costs associated with response to a regulatory proceeding resulting from an alleged violation of privacy law causing a security breach.
  • Breach Event Expenses: Expenses to comply with privacy regulations, such as notification and credit monitoring services for affected customers. This also includes expenses incurred in retaining a crisis management firm, outside counsel and forensic investigator.
  • Cyber Extortion: Payments made to cybercriminals to decrypt data that has been encrypted by ransomware.
  • Network Business Interruption: Reimbursement of your loss of income or extra expense resulting from an interruption or suspension of computer systems because of a failure of network security or system failure. Includes sub-limited coverage for dependent business interruption.
  • Data Asset Protection: Recovery of costs and expenses you incur to restore, recreate or recollect your data and other intangible assets (i.e., software applications) that are corrupted or destroyed by a computer attack.

In summary, businesses need to be vigilant in addressing the ever-evolving risks related to their most valuable assets. The most effective risk management plans aim to prevent social engineering fraud incidents from happening and to mitigate the damages if they do. Turning your employees from your weakest link into your greatest assets in the battle is one way; risk transfer to insurance products is another.

How Safe Is Your Data — Really?

The number and the potential severity of cyber breaches is increasing. A recent PwC survey found that nearly 90% of large organizations suffered a cyber security breach in 2015, up from 81% in 2014. And the average cost of these breaches more than doubled year-on-year. With more connected devices than ever before—and a total expected to reach 50 billion by 2020 —there are more potential targets for attackers, and there is more potential for accidental breaches.

What’s more, as of late 2015, companies are, for the first time, listing their information assets as nearly as valuable as their physical assets, according to the 2015 Ponemon Global Cyber Impact Report survey, sponsored by Aon.

So, how do you keep your organization’s data—and that of your clients and customers—safe?

It’s not just a matter of investing in better technology and more robust systems, according to Aon cyber insurance expert Stephanie Snyder Tomlinson, who says, “A lot of companies find that the weakest link is their employees. You need to train employees to make sure that if they get a phishing email, they’re not going to click on the link; that they don’t have a Post-It note right next to their monitor with all of their passwords on it. It’s the human error factor that companies really need to take a good hard look at.”

From intern to CEO: Simple steps everyone can take

It’s easy for individuals to become complacent about data security, says Aon’s global chief privacy officer, Brad Bryant. But, with cyber threats increasing, it’s more important than ever to be aware of seemingly innocent individual actions that can potentially lead to serious cost and reputational consequences for your organization.

According to Bryant, there are four key things that everyone can do to help protect themselves and their organizations from the rising cyber threat:

  • Be alert to impersonators. Hackers are becoming increasingly sophisticated at tricking people into giving away sensitive information, from phishing to social engineering fraud. You need to be more vigilant than ever when transmitting information. Are you certain they are who they say they are?
  • Don’t overshare. If you give out details about your personal life, hackers may be able to use them to build a profile to access your or your company’s information. From birthdays to addresses, small details build up.
  • Safely dispose of personal information. A surprising amount of information can be retained by devices, even after wiping hard drives or performing factory resets. To be certain that your information is destroyed, you may need to seek expert advice or device-specific instructions.
  • Encrypt your data. Keeping your software up to date and password-protecting your devices may not be enough to stop hackers, should your devices fall into the wrong hands. The more security, the better, and, with the growing threat, encryption should be regarded as essential.

Key approaches for organizations to better protect data

To protect your, your customers’ and your and clients’ information, investing in better cyber security is one element. But data breaches don’t just happen through hacks, or even employee errors. At least 35% of cyber breaches happen because of system or business process failures, so it’s vital to get the basics right.

Prevention is key, says Tom Fitzgerald, CEO of Aon Risk Solutions’ U.S. retail operations. There are four key strategies he recommends all organizations pursue to limit the risk and make sure they’re getting the basics right:

  • Build awareness. Educate employees on what social engineering fraud is, especially those in your financial department. Remind employees to be careful about what they post on social media and to be discreet at all times with respect to business-related information.
  • Be cautious. Always verify the authenticity of requests for changes in money-related instructions, and double-check with the client or customer. Do not click on random hyperlinks without confirming their origin and destination.
  • Be organized. Develop a list of pre-approved vendors and ensure employees are aware. Review and customize crime insurance—when it comes to coverage or denial, the devil is in the details.
  • Develop a system. Institute a password procedure to verify the authenticity of any wire transfer requests, and always verify the validity of an incoming email or phone call from a purported senior officer. Consider sending sample phishing emails to employees to test their awareness and measure improvements over time.

Much of this advice is not new, but the scale of the threat is increasing, making following this advice more important than ever. Fitzgerald warns, “Social engineering fraud is one of the greatest security threats companies can encounter today. … This is when hackers trick an employee into breaking an organization’s normal digital and physical security procedures to access money or sensitive information. It can take many forms, from phishing for passwords with deceptive emails or websites, to impersonating an IT engineer, to baiting with a USB drive.”

How governments are driving data protection

The potential consequences of inadequate data security are becoming more serious, and courts and regulators are focusing on this issue globally.

The European Union is considering a Data Protection Directive to replace previous regulations implemented in 1995. The expected result will be a measure that focuses on the protection of customers data. Similarly, an October 2015 ruling by the European Court of Justice highlighted the transfer of customer data between the E.U. and U.S.

Bryant warns: “Regardless of where a company is located, the provision of services to E.U. customers and the collection or mere receipt of personal data from European citizens may potentially subject companies to E.U. jurisdiction. … Failure to comply could present unprecedented risk for companies, including fines of up to 4% of a company’s total global income.”

Changing E.U. rules aren’t the only thing that could affect your business. Internet jurisdictions and organizational operations are increasingly becoming cross-border. This global patchwork of Internet rules and regulations is why only 24% of cyber and enterprise risk professionals are fully aware of the possible consequences of a data breach or security exploit in countries outside their home base of operations.

Why getting the basics right is critical

As the Internet of Things continues to grow, the number and range of potential targets for cyber attack is only going to increase. While eliminating all cyber risk may be impossible, getting the basics right is becoming more important than ever.

Bryant says, “Given the large scope and impact of the various changes in data protection law—coupled with the drastic increase in fines—becoming educated on how to protect our data is more business-critical now than ever before.”

Cyber Risk: Are You the Weak Link?

In 2012, a young scam artist based in Asia posing as a private investigator simply purchased the personal information for more than 200 million users directly from credit reporting giant Experian and then posted it for sale online. The only reason we know about the incident is that the U.S. Secret Service caught it.  Experian didn’t.

Cyber criminals know that the weakest link in most computer networks is the people using it. Verizon’s highly respected Data Breach Investigations Report has repeatedly noted that most attacks start with employees. Attackers use “social engineering” to trick their victims into allowing unauthorized system access, data theft and even specialized stealthy attacks used to quietly steal massive amounts of sensitive data over time. These attacks frequently exploit our natural tendency to want to help others. They can be in person, electronic or over the telephone, and there are a variety of ways they can be used to take advantage of you:

“Phishing” attacks are designed to steal your personal, financial or log-in information through an email, text message (referred to as “smishing”) or even an automated phone call (“vishing”). The attacks often appear to come from well-known and trusted companies like banks, airlines or industry groups and contain attachments or links to websites that look legitimate but are really there to steal account log-in information or host malware ready to attack the recipient’s computer as soon as he clicks on any of the links. These emails and messages can also be used to lure victims into contact with scam artists posing as potential clients or officials offering to release substantial funds if only the target would be so kind as to hand over detailed personal information or a sum up front.

A spear phishing email is a personalized version of a phishing attack looking for the weak link in an otherwise strong network. It will be aimed at a specific target (rather than a general phishing email intended to ensnare whoever falls for it) and typically includes personal or professional information to make the recipient trust the sender. These details can come from online sources like LinkedIn, Facebook and other social networks and contain information available via business-related websites, as well as particulars obtained directly from coworkers via social engineering.

Spear phishing emails often appear to come from a familiar source like a friend, family member, colleague or a business you deal with regularly. This is because of a process known as “spoofing,” in which the actual sender hides his identity, and the “from” field in the email shows the fake sender’s name, not the real one.

The data breach at Forbes earlier this year began with an early morning spear phishing attack against a senior executive.

Whaling is an attack that deliberately goes after senior executives, partners and other high-profile targets within a business. The idea behind this approach is that these targets are “big fish” who have wide access within the network yet may not take the precautions needed to keep their own accounts secure.

Pretexting is effectively in-person phishing to gain information or access to a restricted area. The term “pretexting” refers to the setup used to convince the target that there is a justifiable reason (or pretext) to divulge the information or access the person is after. These attacks can take a wide variety of forms, often revolving around someone (or a team) creating a distraction or masquerading as someone who could have legitimate access to the system they’re targeting. It could be someone who claims to be from “corporate,” a fake contractor, fake IT personnel or something as random as a “fire inspector” allegedly checking the office for imagined safety hazards while an assistant/accomplice surreptitiously places devices to monitor or siphon sensitive data from the victim network.

Another in-person bit of trickery is “tailgating.” That’s when someone who claims to have forgotten their company ID, etc. asks you to hold the door behind you, allowing him into a restricted area. The same term is also sometimes used to describe someone asking to briefly borrow your phone, tablet or laptop to check something quickly and actually downloading malware instead.

Live social engineering attacks can also come by phone, such as fake “technical support” calls offering to fix imaginary problems with your computer if you will just allow the caller to briefly take control of it remotely.

Baiting is a type of attack in which a piece of portable electronic storage media like a CD-ROM, laptop or USB stick drive is left at or close to the target’s workplace to tempt the curious victim into seeing what’s on it. These will often include an official-looking logo or markings to make them especially tempting. How curious would you be to look at something labeled “Senior Executive Compensation – 2014” (with your company’s logo on it)? Of course, once the card, laptop or stick drive is connected, it will quietly download malware onto the network.

And, yes, this initial intrusion into the network will likely be traceable back to you.

What can you do to avoid being the weakest link? The one thing these attacks all have in common is that they rely on you to go along with the story they’re selling. The single best thing you can do whenever you receive an unsolicited electronic message or call from a business or someone you don’t know personally is to assume that it’s fake. Never click on links, open attachments, call phone numbers or use any other method of contact contained in any unsolicited emails, texts or calls. If you think the email, etc. could be legitimate, contact the alleged sender via phone or their official website.

If an email that appears to be from someone you know seems out of character, unexpected or strange in any way, give the sender a call to see if it really came from her.

When someone asks you to help her access something – or someplace – restricted, ask yourself why she needs your help. Also, it never hurts to take a moment to check out the story you’re given. A quick phone call (not using a number she gives you) can derail a social engineering attack before it starts.

Tempting though it may be, opening that conveniently abandoned stick drive, etc.  yourself is a bad idea. Take it to your company security or IT personnel.

Speaking of which, an IT department can (and should) take steps to help protect a network from electronic intruders, including the installation of network security software, but don’t forget that the first line of defense against a social engineering attack is you.