The new way of working life, with many insurance sector workers now adopting a hybrid mix of remote and office working longer term, brings different benefits for different groups. For employees it can mean a better work-life balance without the grind and expense of commuting, whilst businesses reap the rewards from lower infrastructure costs and, often, a happier workforce.
But it also benefits fraudsters and criminals, creating new tech-related opportunities to defraud, scam, steal and hijack sensitive personal and commercial data. Simon Viney, Cyber Security Financial Services Sector Lead for BAE Systems Applied Intelligence, looks at the risks opened up by hybrid working, and how to counter them.
Changing work practices and behaviours amongst insurers, brokers and the companies supplying the sector can make businesses and their data more vulnerable to criminal activity. BAE’s latest State of Anti-Money Laundering report, which analyses responses from more than 450 financial risk management and compliance professionals, highlights a clear increase in the risk of ransomware and email-borne attacks as companies disperse their employees away from offices.
Around 70% of respondents in insurance say they have seen an increase in home workers being targeted for data breaches and other scams, with criminal activity online up by nearly a third since the start of the pandemic. Key risks open up when people working from home use personal laptops and smartphones that lack the security controls their company requires on office workstations, or when they allow someone else to use their work device, either of which makes it easier for attackers to get in. And it’s not just the insurance companies themselves that need to guard against these weaknesses: the claims and legal businesses that support them are seeing the same shift to remote working, and vehicle recovery and repair workers are out on the road using public WiFi. All of them handle and process customer data.
There is a particular exposure around telemedicine and virtual medical consultations, as more and more claims are investigated virtually and settled online, often with some form of video call as part of the process. Given the sensitivity of this data, the potential for extortion demands over leaked or stolen recordings of medical consultations is real, and insurers need to be aware of this risk and put a mitigation plan in place to minimise it.
GDPR has done a lot to raise awareness and make people understand and be more alert to the risks, but there is plenty of evidence that this is not enough.
As scams become more sophisticated and criminals constantly evolve their tactics to stay one step ahead, it can be difficult for employees to spot them. Being away from an office environment, where there are constant reminders and team interactions, can also mean that staff lose sight of security concerns and don’t have a colleague next to them to act as a quick “sanity check” when they have a slight suspicion that an email or call may be from an attacker.
So it’s crucial for employers to put in place a robust and regularly updated remote working policy, with clear instructions and working practices, backed up by effective training designed to keep data safe and help staff recognise potential risks.
Key security measures need to include:
· Check that technical security measures and controls are up to the job – many solutions were rolled out under pressure at the beginning of the pandemic.
· Monitor devices and users so that any security issues are identified and corrected as quickly as possible.
· Check for weaknesses in the supply chain and make sure they are addressed – the security of service providers, suppliers and sales partners matters just as much as a company’s own.
· Don’t forget the basics – securing home WiFi, making sure passwords are strong, using multi-factor authentication wherever possible, and providing quick access to support for anyone who detects or suspects a problem.
And of course, be ready if the worst does happen: have the capability and capacity to respond to and recover from cyber attacks, including ransomware, so that the IT infrastructure is back up and running as soon as possible and any data theft is dealt with appropriately.