Insurers should take care with connected devices
Bryce Austin has first-hand experience of what happens to a business and its employees during a cybersecurity crisis: he was a senior group manager at Target in the months leading up to the company's 2013 data breach, which exposed 40 million customer debit and credit card accounts.
Now a cybersecurity authority, author and speaker, Austin used a June 5 presentation to the IASA Chief Information/Technology Officer Roundtable to show insurers how to keep attackers from gaining direct and complete access to every policyholder in their books of business.
Austin had worked at Target for eight months, building out 22 inventory systems that would scale to process online orders for pickup at each Target store, all in anticipation of Black Thursday, 2013. After the breach was reported, he explained, the KrebsOnSecurity website was the first to chronicle that investigators had zeroed in on its source: a small heating and air conditioning firm in Pennsylvania that worked with Target and had suffered its own breach through malware delivered in an email.
In that earlier intrusion, the thieves stole the VPN credentials the firm's technicians used to connect remotely to Target's network, the website notes. By the time Black Thursday rolled around, there were no red flags and no evidence that hackers were pushing malicious software down to the cash registers at more than 1,800 stores nationwide. Six weeks after the breach, everything Austin had worked on stopped, and he and several other members of the team were downsized.
“Here’s why this matters to insurers,” Austin said. “You are very focused on securing your VPNs, but what are you doing to secure the many networks being used to transmit Internet of Things data?” Austin noted the popularity of IoT data, especially among property and casualty insurers, who use it to offer discounts for networked safety features in the home, and the advantage of real-time information from billions of sensors informing actuaries and underwriters.
“Seven in 10 of the 600 auto, home, life and commercial insurance professionals surveyed by LexisNexis say gathering of IoT data is important to their organizations’ strategy, but only 21 percent of respondents say their companies have an IoT strategy,” he said.
Austin reminded the insurers in the audience that IoT devices are computers with their own operating systems: hooked to sensors, they can control physical systems, and when connected to the Internet they can transmit and receive data. Most IoT devices have no authentication and no means of detecting attack activity.
“Your IoT strategy needs to take into consideration the fact that these devices are vulnerable to a similar attack that Target experienced,” he said.
Austin suggested insurers establish separate IoT networks; conduct penetration tests, internal vulnerability scans and cyber audits; set up patching for operating systems and IoT devices, with a special eye on antiquated systems that can no longer be patched; and make a security awareness questionnaire mandatory for all employees. Externally, insurers must hold IoT vendors accountable, which is especially critical in healthcare, where privacy laws are fully enforced.
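The separate-network advice can be checked rather than just drawn on a diagram. The following is an added example, not code from the presentation or from Austin: it reads constructed firewall accept logs against a hypothetical segment plan that keeps vendor VPN sessions, IoT devices and payment systems apart, and flags any accepted flow that crosses a boundary the plan does not allow, including a contractor VPN account reaching the register network, which is the pattern in the Target account above. Segment names, addresses, ports, user names and the log format are all assumptions made for illustration.

```python
"""Segmentation check over firewall accept logs (added example, not from the
presentation). Addresses, log format, user names and sample lines are all
constructed for illustration."""
import ipaddress
from dataclasses import dataclass

# Hypothetical segment plan (assumed addresses, not any real network).
SEGMENTS = {
    "vendor_vpn":    ipaddress.ip_network("10.90.0.0/24"),  # VPN pool handed to contractors
    "vendor_portal": ipaddress.ip_network("10.20.5.0/24"),  # billing/project portal vendors may reach
    "corp":          ipaddress.ip_network("10.10.0.0/16"),  # employee workstations and servers
    "pos":           ipaddress.ip_network("10.50.0.0/16"),  # registers and payment terminals
    "iot":           ipaddress.ip_network("10.70.0.0/16"),  # HVAC controllers, building sensors
}

# Which destination segments each source segment may reach. A vendor VPN
# session may reach the portal and the HVAC gear it services and nothing else;
# IoT devices talk only within their own segment; registers only to each other.
ALLOWED = {
    "vendor_vpn":    {"vendor_portal", "iot"},
    "vendor_portal": {"vendor_portal"},
    "corp":          {"corp", "vendor_portal"},
    "pos":           {"pos"},
    "iot":           {"iot"},
}


@dataclass(frozen=True)
class Violation:
    ts: str
    user: str
    src_segment: str
    dst_segment: str
    dst: str
    dport: int


def segment_of(addr: str) -> str:
    """Name of the segment containing addr, or 'unknown' if it is in none."""
    ip = ipaddress.ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "unknown"


def parse_line(line: str):
    """Parse one constructed log line of the form
    '<ts> fw <ACTION> src=.. dst=.. dport=.. user=..'.
    Returns (ts, action, fields) or None when the line does not match."""
    ts, sep, rest = line.strip().partition(" fw ")
    if not sep:
        return None
    action, *kvs = rest.split()
    fields = dict(kv.split("=", 1) for kv in kvs if "=" in kv)
    if not all(k in fields for k in ("src", "dst", "dport")):
        return None
    return ts, action, fields


def find_violations(lines):
    """Accepted flows whose (source segment -> destination segment) pair is not
    in ALLOWED. Flows the firewall already dropped are not reported; an ACCEPT
    across a forbidden boundary means the segmentation itself has a hole."""
    hits = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, action, f = parsed
        if action != "ACCEPT":
            continue
        src_seg, dst_seg = segment_of(f["src"]), segment_of(f["dst"])
        if dst_seg not in ALLOWED.get(src_seg, set()):
            hits.append(Violation(ts, f.get("user", "-"), src_seg, dst_seg,
                                  f["dst"], int(f["dport"])))
    return hits


# Constructed sample: a contractor account that starts on the HVAC network and
# then turns up on the register and corporate networks, plus a sensor reaching
# a corporate file server. None of this is real data.
SAMPLE_LOG = [
    "2013-11-15T02:14:07Z fw ACCEPT src=10.90.0.12 dst=10.20.5.4 dport=443 user=hvac-tech1",
    "2013-11-15T02:15:31Z fw ACCEPT src=10.90.0.12 dst=10.70.8.21 dport=502 user=hvac-tech1",
    "2013-11-15T02:41:09Z fw ACCEPT src=10.90.0.12 dst=10.50.3.7 dport=445 user=hvac-tech1",
    "2013-11-15T02:42:55Z fw ACCEPT src=10.90.0.12 dst=10.10.4.40 dport=3389 user=hvac-tech1",
    "2013-11-15T03:00:02Z fw ACCEPT src=10.10.2.9 dst=10.10.7.7 dport=445 user=alice",
    "2013-11-15T03:05:44Z fw ACCEPT src=10.70.3.3 dst=10.10.7.7 dport=445 user=-",
    "2013-11-15T03:06:10Z fw DROP src=10.70.3.4 dst=10.10.7.7 dport=445 user=-",
    "2013-11-15T03:10:00Z fw ACCEPT src=10.50.3.7 dst=10.50.0.2 dport=8443 user=-",
]

if __name__ == "__main__":
    for v in find_violations(SAMPLE_LOG):
        print(f"{v.ts} {v.user}: {v.src_segment} -> {v.dst_segment} "
              f"({v.dst}:{v.dport})")
```

Run against the constructed sample, the check reports three hits: the contractor account crossing into the register segment and then into the corporate segment, and a sensor on the IoT segment reaching a corporate host. The dropped flow is ignored because the firewall did its job there; the point of the check is to catch accepted traffic that the segment plan says should never have been permitted, which is the "red flag" that was missing in the account above.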
“The sensors fueling our IoT world are growing exponentially, and insurers have a great opportunity to use them for improved risk management,” Austin said. “You just don’t want to represent the example of an industry that couldn’t get it right.”