In this piece, Mark Rayner, Head of Financial Services Consulting at BAE Systems offers some useful advice for those in the insurance industry, and the wider workplace, on the tricky matter of data breaches and cyber attacks. Sometimes it isn’t enough to build an email firewall – you have to check that nobody is building a Trojan horse on their lunch hour.
It’s easy to think that the major threats to your business are purely external – competitors, cyber criminals, unforeseen events, civil disruptions and so on. These are genuine risks that any organisation – insurers or otherwise – should be aware of. However, it also pays to look closer to home.
The damage caused by insiders can be catastrophic – and by one measure, insider attacks outnumber those from third parties. In 2017, an employee at a leading private healthcare provider removed personal information relating to 547,000 customers. This was far from an isolated incident – the Information Security Forum has estimated that insiders are responsible for 54% of data breaches. But it’s not just data at risk. One staffer at a well-known automotive and energy company in Palo Alto who reportedly felt overlooked for a promotion made unauthorised changes to his employer’s Manufacturing Operating System.
Although we should be pleased such attacks came to light, it is clear that the insider threat has taken firmer root on the business landscape. But it doesn’t have to be this way.
An intelligence-led approach
There are many reasons why insurers are facing a proliferation of insider threats. Although external attackers typically have to penetrate a complex set of defences, there is little to stop internal attackers from turning their plans into reality. There is also increasing awareness of the value of corporate assets and an abundance of digital tools to help convert them into cash – USB sticks, Bluetooth file transfer and smart personal devices all spring to mind.
The internal threat comes in many guises: the disgruntled office worker, the blackmail victim in Accounts, the spy, the well-meaning innocent, or the small supplier with trusted access to your network. This makes the insider one of the hardest suspects to anticipate and defend against.
However, organisations should by no means sit back and meekly await the inevitable. On the contrary, we think it’s time to be proactive and adopt an intelligence-led approach, focused on three major workstreams:
Insurers need to understand what they are protecting, from whom and in which scenarios. The key element here is to focus on the critical assets and highly privileged users. Identifying those individuals and groups who can access or influence an organisation’s critical assets is a good starting point. Of equal importance is highlighting those areas that have the greatest feasibility for an attacker – start with what is most vulnerable and work back from there.
- Policy and governance
Insurers need to be clear on what they are willing and able to do to protect against insiders. Due to the sensitivity, this is best tackled with a dedicated Insider Threat Management function with support from a broad range of stakeholders such as HR, Security, Legal, Risk, IT and Procurement for third parties. It also requires ongoing communications and awareness with employees.
Insurers need to put technical and intelligence capabilities in place to deliver the necessary security. Traditional log sources, such as network access, data loss prevention and building access records, as well as non-technical sources such as employee performance records can be used to develop a set of risk indicators.
Crucially, insurers also need to ensure they have robust playbooks and response processes in place to triage and investigate alerts.
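As an added illustration (not from the article or from BAE Systems), the following Python sketch shows how records from the sources named above – building access, network access to critical assets and data loss prevention – can be combined into per-user risk indicators that feed a triage queue. The users, asset names, timestamps, weights and threshold are all constructed assumptions.

```python
from datetime import datetime

# Constructed sample data (assumptions, not real records).
CRITICAL_ASSETS = {"claims-db"}          # the assets we are protecting
PRIVILEGED_USERS = {"alice", "bob"}      # users who can access or influence them
BUSINESS_HOURS = range(8, 19)            # 08:00-18:59 counts as normal working time

BADGE = [  # building access: (user, timestamp, event)
    ("alice", "2024-03-04T08:05", "in"),
    ("alice", "2024-03-04T17:40", "out"),
]
NETWORK = [  # network access to assets: (user, timestamp, asset)
    ("alice", "2024-03-04T10:12", "claims-db"),
    ("alice", "2024-03-04T23:30", "claims-db"),
    ("bob", "2024-03-04T11:00", "claims-db"),
]
DLP = [  # data loss prevention: (user, timestamp, destination, megabytes)
    ("bob", "2024-03-04T11:20", "usb", 850),
    ("alice", "2024-03-04T10:30", "sharepoint", 2),
]

def badged_in_on(user, day, badge=BADGE):
    """True if the user has a badge-in record on the given day (YYYY-MM-DD)."""
    return any(u == user and ts.startswith(day) and ev == "in" for u, ts, ev in badge)

def risk_scores(network=NETWORK, dlp=DLP):
    """Sum weighted indicators per user; a higher score means investigate first."""
    scores, reasons = {}, {}

    def add(user, points, why):
        scores[user] = scores.get(user, 0) + points
        reasons.setdefault(user, []).append(why)

    for user, ts, asset in network:
        if asset not in CRITICAL_ASSETS:
            continue
        if datetime.fromisoformat(ts).hour not in BUSINESS_HOURS:
            add(user, 2, f"{asset} accessed out of hours at {ts}")
        if not badged_in_on(user, ts[:10]):
            add(user, 3, f"{asset} accessed on {ts[:10]} with no badge-in record")
    for user, ts, dest, mb in dlp:
        if dest == "usb" and mb >= 100 and user in PRIVILEGED_USERS:
            add(user, 4, f"{mb} MB copied to removable media at {ts}")
    return scores, reasons

def triage_queue(threshold=3):
    """Users at or above the threshold, highest score first, with their indicators."""
    scores, reasons = risk_scores()
    ranked = sorted(scores, key=scores.get, reverse=True)
    return [(u, scores[u], reasons[u]) for u in ranked if scores[u] >= threshold]
```

With the constructed data, bob reaches the queue (critical-asset access with no badge-in plus a large copy to USB) while alice's single out-of-hours access stays below the threshold, which is the kind of prioritisation the playbooks above would then act on.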
Winning over the sceptics
However valid this approach may be, expect opposition from colleagues looking outward for threats and opportunities. Do they really need to re-focus their attention on internal issues? Well, yes – not least because, aside from the criminal damage such attacks do, there can also be a huge reputational impact.
Employees are likely to be somewhat upset by any notion they are no longer trusted. But complaints about management failing to demonstrate trust can be rebutted by reinforcing the need to protect critical assets from accidental as well as malicious attacks.
IT and Security teams are also likely to raise their concerns by pointing to the fact that they already monitor network use. Yes, they do, but understanding critical assets, high risk users and key processes will help improve detection and reduce false positives – helping them in the long run.
Finally, internal auditors may cite the fact that the company already complies with all the relevant regulation. I’m sure it does, but here you can make the case for a risk-led approach, enabling the business to make informed decisions on where and when to invest its precious resources.
Insuring the insurers
These ideas are suggestions that can be tailored to the individual challenges facing each insurer, large or small. But adopting them can make all the difference between suffering a catastrophic internal attack and keeping internal data and systems secure.
There’s no time to waste.
This article was produced in association with BAE Systems