Our latest State of Cyber Resilience findings show that cyberattacks on insurers have more than doubled (from 240 to 519 attacks, on average), illustrating the current cyber climate for insurers: it's volatile. This number is more than twice as many as the cross-industry cyber resilience leaders in the survey and over three times more than their banking peers.
When it comes to insurance and cybercrime, it’s clear that the ‘bad guys’ are paying attention.
Our State of Cyber Resilience for insurance report presents both good and bad news amid the volatility, and reinforces our concern that, in 2018, insurers’ cybersecurity efforts were often ‘buying time’ against threats that now are rising.
The good news
Breaches against insurers are down 42 percent since our last survey. Our survey finds some of the ‘nuisance’ attacks, those resulting when cyber attackers commoditise their attack toolsets, are less effective as insurers have learned to fend these off via increasing password complexity requirements and two-factor authentication strategies.
Insurers have had some successes in strengthening their cyber resilience. Many have improved their ability to fend off this 'nuisance' variety. They've also gotten better at insisting upon more complex passwords and two-factor user authentication on things like webmail.
These tactics are effective at stopping a great number of attacks. Another catalyst for change is the growth in the number of insurers entering the cyber insurance market.
By doing so, they are raising their knowledge and awareness of what it takes to be cyber secure, and that’s causing them to improve their own internal capabilities.
Indirect attacks on the rise
A closer look at the sources of cyberattacks among ‘State of Cyber Resilience’ respondents reveals that 40 percent of insurance firms’ security breaches are now indirect – meaning, via a third party connected to the company’s network – as threat actors target the weak links in the supply chain or business ecosystem.
These exposures can take an explicit form like the injection of malicious code into a vendor’s site, downloaded open-source libraries or a vendor’s mis-configured server. They can also use access to a third party as a means to attack the insurer.
Organisations should look beyond their four walls to protect their business ecosystems and supply chains. On average, according to our survey, cybersecurity programmes actively protect only about 55 percent of an insurer’s organisation. That is an issue when 40 percent of breaches come via this route.
Indirect attacks are particularly difficult to control as companies are increasingly relying on a remote workforce.
It is challenging to monitor such a workforce, especially one located across multiple companies – to check that everyone is compliant with encrypting Wi-Fi, changing passwords regularly, running the required monitoring software and staying vigilant about phishing attacks and other threats.
Internal organisational boundaries and roles also play a part in delaying companies’ maturity in stopping indirect attacks.
In some cases, detecting and stopping indirect breaches at a subsidiary are not clearly within anyone’s particular jurisdiction, so performance goals and metrics may not be in place.
It can be tempting to pin a breach on a subsidiary’s security exposure, but in the long run, that doesn’t really help the parent company extricate itself quickly from the effects of a breach, whatever its origin.
Choosing the right technologies
Increasingly sophisticated technologies are available in the cybersecurity area, and insurance cybersecurity leaders know which of them are best positioned to help reach a broader level of cybersecurity effectiveness.
Our cyber resilience survey found that two technologies in particular are especially important to leaders: Security Orchestration, Automation and Response (SOAR), and Artificial Intelligence (AI) – machine learning, natural language processing, etc.
The use of these technologies helps to explain how cyber resilience leaders detect attacks faster and recover sooner.
SOAR allows very rapid response to common incidents such as malware on a user’s computer. These types of routine issues can overwhelm security teams, leaving them with no time to search for and respond to the real adversaries.
AI can take companies beyond today’s cybersecurity emphasis that is primarily on detection and remediation. Such a reactive approach is generally less effective at combating the volume and relentlessness of today’s threats.
AI and machine learning offer new possibilities. When combined with the cloud, AI can help scale cyber defence efforts through smart automation and continuous learning that drive self-healing systems – automatic correction of cloud security assets to meet security policies.
The learning process also helps to spot vulnerabilities. Security professionals can then augment the machine learning and algorithm process with human checks and verifications that reduce the risk of false positives.
Immediate actions and takeaways
Certainly, the biggest warning flag raised in this latest edition of the 'State of Cyber Resilience' report is the growing threat from indirect attacks, those made through vulnerabilities in the defences of vendors, partners or subsidiaries.
The answer to this problem is fairly easy to explain, though much harder to implement and manage over the long term. It is to put in place the policies, governance and enforcement such that any third party connected to your network is held to the same security standards that you are.
Otherwise you’ve got to treat them completely at arm’s length. If you do not follow this policy, your network is only as secure as the least secure entity connected to you, and all of your security spending might be going to waste.
When we turn to the issue of subsidiaries, we see the problem in stark relief. Companies may presume that they are treating those entities as a separate company, but in fact electronic trust is most likely fully established between them.
Emails from subsidiaries, for example, are usually not marked ‘external’. That means that a security compromise at the subsidiary gives an attacker a perfect platform to send phishing emails to the parent company. Soon, the parent’s network is compromised, as well.
Given finite security resources, there is value in a data-driven, business-focused approach to securing the enterprise ecosystem. This may mean using threat intelligence reports to risk-prioritise which vendors are in need of better security solutions.
A managed security services approach can help an organisation keep vendors or subsidiaries at arm's length, where they are not connected to the parent company's systems, including its security apparatus.
This approach can help tackle issues at a larger scale and with a wider scope, without burdening the corporate security department.
By collaborating more broadly with others with the common goal of securing the enterprise and its ecosystem, organisations can help themselves while also helping smaller vendors, allies and partners to beat cybercrime.