After the WannaCry ransomware attack that affected about 200,000 computers worldwide, there is little doubt that the number one greatest concern in today’s business world is cyber security. The possibility of information breaches is more real today than it has ever been and it is no wonder everyone is a lot more cautious. Top among the sectors that are hastily trying to figure out how to deal with the reality of this threat is the insurance industry.
Why hackers are targeting insurers
Insurance industry watchers are predicting that the information breaches that have rocked the sector in recent years will only increase in the months and years to come. According to these analysts, hackers are increasingly targeting insurance companies with the aim of stealing customer information that they can use for insurance fraud. Interestingly, hackers have identified the insurance industry as one that handles extremely sensitive information yet has put in place few measures to effectively safeguard itself and its customers from cyber-attacks.
For hackers, the best companies to attack are those with the most consumer data, and insurance companies fit the bill. It’s an uphill task for any insurance company to consistently and successfully protect its customers from hackers who only need to be lucky once. In an environment where ransomware attacks have increased exponentially, no insurance company would want to find its information breached and its customers’ medical and credit information stolen.
Big data and a growing cybersecurity threat
Nevertheless, the truth is that it is not possible, even for the most prolific insurance companies, to guarantee that their systems will never be breached. Consequently, the best the companies can do is put in place measures to keep the damage to a minimum in the event of a data breach. As big data becomes an everyday reality, businesses have an obligation to do everything in their power to protect their customers’ information.
Security testing of cloud, web and mobile applications
While some attacks are impossible to predict, it is noteworthy that some insurance companies are at fault for failing to test their cloud, web and mobile applications for security. According to a survey that IDG conducted, over two-thirds of all cloud, mobile and web applications are not tested for vulnerabilities that hackers could exploit. This is despite the widely known fact that these applications are a hacker’s first stop in an attempted attack.
Given what is at stake if a hacker succeeds in breaching an insurance company, these organizations cannot be excused for failing to secure their systems on the grounds that doing so is time-consuming and expensive. Simply put, any insurance company unwilling to invest in securing its systems as well as learning the best ways to protect itself and its consumers should seriously consider closing down.
A devastating number of attacks
One other huge challenge to insurance companies today is the number of attacks hackers are directing at them at any one time. The sheer vastness of these attacks can be overwhelming even for the most sophisticated insurers. Accordingly, insurers have to continuously be leery of everything that has the slightest hint of a vulnerability, because a single attack could wreak havoc on their business and the consumers who have entrusted their personal information to them.
The following are four cases of cyber-attacks insurers ought to be adequately prepared for today:
- Theft of personally identifiable information (PII) of the company’s customers.
- Theft of confidential banking information of company employees such as bank account numbers, user accounts, credit card numbers, social security numbers and passwords.
- Preying on the insurer’s noncompliance with Payment Card Industry Data Security Standard (PCI DSS).
- Targeting customer databases of health insurance companies with the aim of propagating health insurance fraud, a menace that costs the healthcare industry $80 billion annually, according to estimates by the Federal Bureau of Investigation (FBI).
The Anthem Healthcare attack
When Anthem Healthcare was attacked in 2014, shockwaves spread across the entire insurance sector as other insurers scrambled to stay safe from what they saw as an imminent threat hanging over their heads. Anthem Healthcare is credited with being honest with its customers after this attack. The company sent out alerts to its customers informing them of the possibility that their information may have been breached. Additionally, the insurer informed the media 8 days from the time it first noticed suspicious activity in its systems.
Granted, it is not always possible to prevent an attack, but the proactive way in which Anthem Healthcare handled its data breach was hailed as a feasible approach to information breaches that other companies should learn from. As soon as the company discovered the information breach, it wasted no time in addressing the vulnerability the hackers had exploited. Furthermore, the insurer contacted the FBI regarding the attack and hired Mandiant, a cybersecurity firm, to assess the level of damage.
Mandiant released a report after its evaluation, highlighting the insurer’s weaknesses in cybersecurity. It mentioned the need for insurance companies to closely monitor the data flow taking place in their IT systems, components and applications. Another area of weakness the cybersecurity firm highlighted concerns the system access privileges that the insurer gives to its employees. The security firm advised Anthem Healthcare to address the weaknesses pointed out in its detailed report at every level throughout the company.
State-of-the-art risk management and IT security technologies
The best way to stay safe from information breaches, which are becoming increasingly expensive, is to put in place state-of-the-art risk management and IT security technologies and to relentlessly stress-test, update and enforce security protocols.
While becoming cyberattack-proof is an unattainable mirage, the impossibility of the endeavor should not discourage insurers from doing everything in their power to stay safe in cyberspace. By implementing a comprehensive risk management and IT security system, insurance companies can immensely reduce the probability of a successful information breach. Moreover, insurers should create awareness among their customers and staff. This is a significant step in damage control in the event that hackers manage to penetrate the company systems despite all the security measures in place.