In the United States, the average cost of a data security breach increased to $5.85 million this year from $5.4 million in 2013, according to “2014 Cost of Data Breach Study: Global Analysis,” conducted by the Ponemon Institute and sponsored by IBM. While the organization’s bottom line obviously suffers, breaches inevitably lead to diminishing trust and reputational damage, especially for those in the financial services, health care and pharmaceuticals industries, which lead all others in terms of the resulting customer churn and the cost of damages.

Insurers are at risk, as they conduct more business electronically, move core applications to the cloud and offer customers and agents self-service access to data and systems. As more of that sensitive, personally identifiable financial and health information is transmitted, it potentially becomes more vulnerable to theft and vandalism.

While insurers have not been victim to a high-profile cyber-crime recently, retailer Target has offered many an object lesson on what not to do. Late last year, Target lost 40 million payment card numbers plus 70 million other pieces of customer data through compromised point-of-sale systems. The breach, and the company’s seemingly lackadaisical response to it, illuminated the risks companies face and the magnitude of the backlash from customers, regulators and shareholders when they fail to protect systems and customer data.

“There have been plenty of instances where a CIO is no longer with the company after a breach,” says Chris Burroughs, VP of IT architecture and program management for Allianz Global Assistance, a travel and event insurer. “But what happened to the Target CEO gets people’s attention,” she adds, referring to the resignation of chairman Gregg Steinhafel, who had been with the company for 35 years and CEO since 2008. “The CEO puts a lot of trust in his CIO and his IT staff, so we are getting more recognition.”

Insurers of different types and sizes, including several that would speak only on background, made it clear that the security threats insurers face, and the solutions they are undertaking, are only partially technological. Rather, insurers largely are trying to keep pace with technological change, limit their vulnerabilities, create an IT culture that is attentive and responsive to threats, educate end users, and align business and IT through more risk-based conversations.


Hackers are doing more than keeping pace with the rate of technological change. Just as insurers are increasing the sophistication of their online offerings, cyber-criminals are increasing the sophistication of their attacks and adapting their strategies to penetrate them.

“I am astounded with the rate of change,” says Joseph Topale, VP of infrastructure and chief information security officer for OneBeacon, a specialty insurer with $1.09 billion in net written premium that sells through independent agents. “The number of new technologies that they’re attacking is a fascinating piece of this,” and for insurers, the challenge is to exceed hackers’ levels of innovation given insurers’ finite resources, he adds. “I’m not a technology business, so I can’t possibly be inventing stuff. My innovation is centered around how to deploy applications in a cost-effective manner.”

The nature of the attackers also is changing. “They’re the nation-state attackers, they’re professional organized criminals,” says Mike Everley, second VP of IT at Ameritas Life Insurance. “They deploy not only just technology, they develop processes for attacking. And they educate people. They run boot camps for hackers. They’re approaching it as a business, using a business model. And it’s through people, processes and technology that their effectiveness is growing and making it harder to defend against.”

While large-scale data breaches routinely make the news and motivate corporations to harden their technological defenses, cyber-criminals continue to adapt.

“There’s more innovation, unfortunately, on the part of the bad guys than there is on the part of the good guys,” says Greg Bangs, VP and worldwide product manager for crime, kidnap/ransom/extortion and workplace violence expense insurance for Chubb, a global P&C insurer.

Bangs offers advancements in malicious software applications, commonly known as malware, as an example. “CryptoLocker is amazing because, frankly, the concept is so simple,” Bangs says. Typically the CryptoLocker virus arrives by email as an attachment and hides itself as a PDF file. If users open the file, the malware encrypts files on the computer using RSA public key cryptography, with the private key stored only on the malware’s control servers. Then the cyber-criminal demands payment, typically within 72 hours, Bangs explains. “The amount is usually small enough that it’s manageable; they figure most people are just going to pay rather than go through the headache of trying to deal with this.”

While the scale of CryptoLocker is relatively small, Bangs says his company has seen attacks in which attackers have stolen personally identifiable information from medical organizations, companies that process pharmaceutical scripts or financial institutions, and demanded ransoms in the millions of dollars. “The board of directors, who have a fiduciary duty to protect this information and their clients’ information, could end up getting sued. Not only would they have a loss in terms of the ransom amount and all the expenses, but they’d have those reputational and legal issues as well.”

Prevention is critical to managing escalating threats, and Bangs recommends a combination of tried-and-true practices, such as automatic backups, virus protection and user training. Software restriction policies, which can block unauthorized executable files from running in specific parts of a computer, also are effective, he says. “Make sure the board is aware of these issues and what to do in case something happens. Ideally there’s a team set up — somebody from legal, corporate security, IT, maybe a CEO or COO — to discuss the issue and what to do about it.”


The proliferation of cloud-based applications, tablets, phones and self-service portals offers cyber-criminals many new ways to get through insurers’ defenses, and the multitude of operating systems, releases, hardware and app types creates an additional layer of complexity to establishing effective defenses.

Insurers can’t rely on playing defense, Everley says. The question then becomes, if something or someone breaches the defenses, whether that breach can be detected and eradicated. “The way you go about it is similar to managing internal controls, assuming you had good internal controls and processes,” he says. “If you’re a company that just put a hard perimeter around your network and then didn’t pay much attention to it, you’ll have a lot of catching up to do to create good controls and processes for the actual data.”

Everley uses the analogy of a street corner shell game to explain internal data controls. “The guy moves the pea around under the shell, and you’ve got to guess which shell the pea is under. The pea is the data. My job is to follow the data. We can move it around, we can wrap it, we can call it whatever you want. Then it doesn’t matter if you put it on this server, that server or on the cloud. We deploy different mechanisms and tools, but we think about it the same way.”

The move toward cloud computing for enterprise applications, however, can leave companies especially vulnerable to attack, Topale says. “There are a ton of cloud security experts out there, and they say secure cloud is by definition an oxymoron,” he adds.

The issue is shared tenancy, which differentiates cloud from a private hosted-computing infrastructure. “Those are service-oriented architectures with very strict contractual obligations by the operators,” Topale says. “That’s a way different attack surface than if I’m hosting my email system in the cloud, for example.”

A particular vulnerability of shared-tenancy cloud-based systems is the distributed denial-of-service (DDoS) attack. “I have two data-center vendors, and both of them in the last 12 months have sent alerts out to us that they were under denial-of-service attacks,” Burroughs says. Allianz’s site wasn’t attacked, but access to the company’s data slowed as Allianz suffered “collateral damage,” she says. “[The attack] was filling up these shared Internet pipes coming into the data center,” she explains. “Even if insurers are not being attacked, they need to be careful about who else is on that Internet pipe with them.”


Changing the security culture, through education and communication, is critical to cyber-security. Burroughs says she has worked at other companies where the relationships between applications developers, infrastructure and security were not supportive. “The most difficult part is establishing relationships so they don’t think of the security team as holding up their project,” she says. And even having the most advanced security technologies doesn’t mean that they are being deployed effectively. At Target, for example, security systems reportedly were installed but not monitored, and personnel were slow to react to the many alerts that were triggered.

“You need web-application firewalls and network firewalls, but it’s about the rhythm and the discipline more than it is the tools,” Burroughs says. “Every company is doing the same things, but we have processes in place. On a daily basis, we review the log files. On a weekly basis, we do the anti-virus. We have checklists. And my security team has to fill out tickets to say that they’ve done those things. We have accountability. It’s about the discipline and using the outputs of all of those tools to tell you where the vulnerabilities are. And, where you have gaps, making sure you do something about them.”

Culture extends into planning and application development as well. Allianz Assistance, which offers travel insurance online, now has additional concerns related to taking credit card information online. Because of Payment Card Industry (PCI) standards, developers at Allianz Assistance are required to attend Open Web Application Security Project (OWASP) training and then demonstrate that they have internalized that training, Burroughs says. Deadlines for developers are frequently tight, and as a result security sometimes is mistakenly treated as an afterthought.

“You have to change your culture so developers realize the impact of writing insecure code,” Burroughs says. “We’re doing code reviews with the developers and talking about security and disaster recovery on the front end versus bolting it all on the back end.”

The weakest links are the end users, Burroughs says, who will share passwords and post them on their monitors when the culture permits. “Finding a way to engage the user community to be part of the solution, it’s a full-time job. People think it’s an IT-only problem, but it’s not. It’s the entire company.”


OneBeacon recently retained a penetration testing company to explore the company’s cyber-vulnerabilities, with a focus on employee awareness. “It was a big shock to some people,” Topale says. “They were surprised that they gave away information, to the point where I had to tell them their own passwords before they believed that they actually had given them away.”

For the test, the penetration testing company was given the office phone numbers of OneBeacon employees and briefed on the insurer’s internal nomenclature. The testing company then devised a plausible scenario, called each employee and frequently was able to talk the employee into giving up passwords and other potentially sensitive information. “We call our help desk Enterprise Support, so the script used ‘Enterprise Support,’ and that got people’s guard lowered. [Employees] didn’t ask questions, they didn’t even look in their caller IDs, they didn’t look at anything.”

Topale says what was most revelatory was the pushback he got from the users, most of whom denied having given up their credentials. “Most didn’t know,” he says. “We had to literally describe the situation where they had been called by a supposed IT person and were tricked into testing some new system and had given up their ID and password.”

Of even greater concern to the company was that in a real-life scenario, those compromised credentials would have remained valid for a period of time. “That was the kicker,” Topale says. “The new thing is the bad guys are trying to come in under the radar. If they have valid credentials, they want to be very light touch with those things.” Many newer malware programs are not designed to delete files, Topale explains, but rather to sit quietly in the background and capture approved credentials, and then move horizontally through the organization, collecting and transmitting information until they are detected and removed.

OneBeacon has since increased internal education efforts on how to respond to such inquiries and created a security steering committee comprised of top-level managers, and it continues to conduct increasingly sophisticated penetration tests.

Five years ago, a penetration test consisted of professionals trying to hack into a website, Topale says. Today, a comprehensive test could include a variety of internal, external and physical tests for vulnerabilities, also called “indicators of compromise,” he adds. For example, a test could exercise applications looking for vulnerabilities in the code. Or testers could use valid credentials and behave as if they were committing an inside job, or had stolen the credentials. Physical testing might entail sending someone disguised as a service or delivery person to enter a physical location.

“It’s never-ending,” Topale adds. “A new type of threat emerges, and you have to shift resources and move in another direction.”


Since 2009, when Ameritas Life Insurance formed a dedicated security unit, the company has shifted its security focus from governance to a risk-based security model, Everley explains. At the time, Everley says the perception among the business users was that firewalls and anti-malware applications were just waiting for an attack. In actuality, the company is under near-constant attack, he says, deflecting tens of thousands of spam and malware-laden emails per day.

“The likelihood is approaching 100 percent that something is going to get through,” Everley says. “But when you’re explaining it to the business, they don’t care about the ones and zeros. They want to know what’s the risk.” To explain the risks, and develop and mobilize security talent at Ameritas, Everley last year put together a security focus forum comprised of representatives from various departments. “We get together every other week for an hour. I’ve come to understand that we have some opportunities to improve. Then I translate that into business plans and conversations with the executive team at Ameritas.”

Executives from the various business units discuss security matters from a business perspective every other month, he says. “We talk about real threats that have happened. I share metrics that show escalations. We’re getting more attacks all the time, and I talk about where some of the gaps are and the opportunities to improve. When we have the conversations about money, they’re supportive. Nobody smiles and applauds, but neither do they argue.”

Rather than deliver a lecture, Everley says IT should be able to offer a cogent description of the technology and financial risks and the resources required to address them. “It always comes down to money,” he says. “I’m not going to capitalize on their fear, but certainly the time is ripe to have the harder conversations.”

But the business also has to own responsibility for cyber-security, Everley says. “The business owns the data, so they own the responsibility for its care. And if they’re outsourcing, they should ask all kinds of questions about how the provider is protecting it. Just because it’s not an internal IT department doesn’t absolve them of asking the same questions.”


Insurers’ Top 5 CyberThreats

1. Ever-More Sophisticated Attacks. The frequency and sophistication of cyber-attacks are increasing.

2. Weak Perimeter Defenses. The increasing availability of systems and data through mobile devices, customer self-service portals and shared services increases the number of “attack surfaces” insurers have to protect.

3. Poor Use of Security Resources. Most businesses use essentially the same tools to protect networks, systems and data, but tools are not solutions if they are not used effectively.

4. Careless End-Users. Even well-intentioned end users are careless.

5. A Gap in IT/Business Alignment. Communicating with business partners in terms of risk management and mitigation is a must.
