Regardless of the goals of your company or organization, being successful
depends on keeping assets secure. As a cyber-security expert, I make sure that
digital assets are being kept safe from cyber-security threats and that this
risk is managed in a cost-effective and efficient way.
Even though organizations often employ information technology (IT)
specialists to help facilitate these kinds of procedures, security is often
neglected in favor of convenience. And as I always say, when convenience is
held as a priority, security diminishes. In this article, I will present a
number of potential security vulnerabilities and attacks that companies might
face in addition to providing advice on how to address these threats. Insurance
providers are particularly impacted by these risks since, as the digital store
of confidential information grows, companies are held more and more liable when
breaches occur.
Assessing Risk
Along with attacks on servers and your company's network, it should be
recognized that a large part of vulnerability is entirely human. That is,
instead of targeting technology directly, a hacker or cyber-criminal will
develop a strategy that seeks to compromise human weaknesses and points of
access. This is commonly referred to in the digital forensic community as a
spear phishing attack or, more specifically, chief executive officer (CEO)
fraud. Insurance companies themselves are at great risk for this kind of attack
given the amount of proprietary information they store about their clients.
Having gathered a store of private, or semi-private, information, a threat
actor composes an email. This email strongly resembles a company-issued
communication with a similar design and heading. The sender will appear to be
the company's CEO or another individual in charge of financial decisions.
However, the email will typically make a very particular request; namely, that
an employee initiates a wire transfer, sending a large sum of money. Without
wanting to appear incompetent or confused by the request, many employees
fulfill the request without double-checking in-person or even calling to
verify. These kinds of attacks can cost companies millions of dollars since
many attackers target the same business once an initial request proves to be
successful.
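The CEO-fraud pattern described above has a small number of observable indicators: an executive's display name on a message that does not come from the company's own domain, a sender domain that is a near-copy of the real one, a Reply-To that points somewhere else, and wire-transfer language combined with urgency or secrecy. The following Python script is an added example, not code from the article or its author: it screens constructed sample messages for those indicators so that a mail gateway or help desk can route suspicious requests to out-of-band verification (the phone call or in-person check the text recommends). The company domain, the executive names, the keyword lists and the two-indicator threshold are all assumptions chosen for illustration.

```python
"""Screen inbound mail for CEO-fraud (business e-mail compromise) indicators.

Added illustrative example; the domain, executive list, keyword lists and
scoring threshold below are constructed assumptions, not values from any
real organization.
"""
import re
from email.utils import parseaddr

# Constructed values: a real deployment would load these from the company
# directory rather than hard-coding them.
COMPANY_DOMAIN = "example-insurer.test"
EXECUTIVE_NAMES = {"jane doe", "john smith"}

# Wording that asks for money to move, and wording that discourages checking.
WIRE_TERMS = re.compile(
    r"\b(wire transfer|wire the funds|bank transfer|remit(?:tance)?)\b", re.I)
PRESSURE_TERMS = re.compile(
    r"\b(urgent|immediately|confidential|do not (?:call|discuss)|"
    r"before (?:noon|end of day))\b", re.I)


def _domain(address):
    """Lower-cased domain part of an e-mail address ('' if there is none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def _edit_distance(a, b):
    """Levenshtein distance; one or two edits from the real domain is a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_message(from_header, subject, body, reply_to=None):
    """Return (verdict, reasons) for one inbound message.

    The verdict is 'verify out-of-band' when two or more indicators fire,
    otherwise 'no finding'. The threshold is an assumption for this example.
    """
    name, addr = parseaddr(from_header)
    from_dom = _domain(addr)
    reasons = []

    # Indicator 1: an executive's name on a message from outside the company.
    if name.strip().lower() in EXECUTIVE_NAMES and from_dom != COMPANY_DOMAIN:
        reasons.append("executive display name but sender domain is external")
    # Indicator 2: a domain that is a near-copy of the company's own.
    if from_dom and from_dom != COMPANY_DOMAIN and \
            _edit_distance(from_dom, COMPANY_DOMAIN) <= 2:
        reasons.append(f"sender domain {from_dom!r} is a lookalike of {COMPANY_DOMAIN!r}")
    # Indicator 3: replies are steered to a different domain than the sender's.
    if reply_to:
        _, reply_addr = parseaddr(reply_to)
        if _domain(reply_addr) != from_dom:
            reasons.append("Reply-To domain differs from From domain")
    # Indicators 4 and 5: a request to move money, and pressure not to check.
    text = f"{subject}\n{body}"
    if WIRE_TERMS.search(text):
        reasons.append("requests a wire or bank transfer")
    if PRESSURE_TERMS.search(text):
        reasons.append("urgency or secrecy language")

    verdict = "verify out-of-band" if len(reasons) >= 2 else "no finding"
    return verdict, reasons


# Constructed sample messages: a lookalike-domain impersonation of an
# executive, a genuine internal message, and a vendor invoice whose Reply-To
# has been redirected.
SAMPLE_MESSAGES = [
    {"from_header": "Jane Doe <jane.doe@examp1e-insurer.test>",
     "subject": "Urgent wire transfer",
     "body": "Please wire the funds before noon. Keep this confidential."},
    {"from_header": "Jane Doe <jane.doe@example-insurer.test>",
     "subject": "Q3 planning",
     "body": "Let's meet Thursday to review the claims backlog."},
    {"from_header": "Accounts Payable <billing@vendor-example.test>",
     "subject": "Invoice 1042",
     "body": "Please process the bank transfer for the attached invoice.",
     "reply_to": "Accounts Payable <payments@other-mail.test>"},
]


def screen_all(messages):
    """Assess every message and return the list of (verdict, reasons)."""
    return [assess_message(**m) for m in messages]


if __name__ == "__main__":
    for msg, (verdict, reasons) in zip(SAMPLE_MESSAGES, screen_all(SAMPLE_MESSAGES)):
        print(f"{msg['from_header']}: {verdict}")
        for r in reasons:
            print(f"  - {r}")
```

The script flags the first and third messages and passes the second. The point of the two-indicator threshold is that no single signal is decisive (a real executive may write from a personal account, a vendor may legitimately use a separate billing domain), but a payment request that also carries an impersonation or redirection signal is exactly the case where the employee should pick up the phone rather than act on the e-mail.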
When making these assessments, it is important to consider an
organization's digital scope. This includes online presence, the amount of
digitally stored information, the sensitivity of this information, the size of
the organization, and any indications of a particular organization's
commitment to security best practices. In connection with the last-mentioned
factor, it is also critical to look at the quality of a company or
organization's IT staff. Frequently, IT members compromise safety and
security for the sake of convenience. Though this approach may be beneficial in
the short term, it can cause long-term problems and incur significant losses to
an organization. It is important that organizations and companies make security
and the safekeeping of data the priority, rather than a secondary
consideration.
Extensive costs, reputational damage, and lost business hours accompany
large-scale data breaches. With the increasing amount of digital data comes the
reality that losses are greater, and the consequences can be fatal, especially
since the secure keeping of data is now widely considered a basic necessity.
Cyber-Security
Insurance providers should recognize the scope of information that is now
digitally stored. Health information, financial data, Social Security numbers,
and other identifying information are all stored on digital devices. Client data
is valuable for a number of reasons, and for attackers, this value can
potentially translate into millions of dollars if an attack is executed
properly. As previously demonstrated, attacks can result from a number of
various vulnerabilities, both technological and human. A company with the best
security infrastructure can still be compromised if their employees are not
educated and a “culture of security” is not established. Many organizations
fail to recognize this critical element of a strong security posture and end up
suffering losses. Insurance providers should take this into account when
assessing client risk and constructing policies.
It is important to recognize that cyber-threats are even more difficult to
quantify than other kinds of risk. For example, as previously stated, a
company may still be greatly at risk even if a strong technological
infrastructure is in place. It is critical to analyze every point of potential
vulnerability to assess overall security posture and risk of cyber-attack. And
this can be quite a large task given the craftiness of the modern hacker.
To start, look at the written cyber-security practices of an organization.
Having an established set of guidelines in managing cyber-risk is an important
foundational step, and it bodes well for an organization's security stance
if a set protocol is in place. Then, try to determine how closely these rules
are abided by within the organization. It's one thing to have a set of
rules and regulations and a completely different thing to actually incorporate
that into daily operations. Look at employees to see what, if any, security
measures are undertaken. Preliminary questions to answer include: what are the
practices surrounding the use of private devices to store company
information? Are passwords strong and regularly updated? Are employees able to
recognize email phishing attacks? These kinds of questions can help begin a
cyber-security risk assessment.
Having looked to the written guidelines and how they are incorporated into
the company's culture, the technological infrastructure and its degree of
security should be examined. Updated software and hardware are essential in
maintaining acceptable levels of risk. But recognize that even the best systems
can be compromised, and there is no such thing as perfect security.
Conclusion
All businesses and organizations with any degree of digital usage should be
advised to train employees in cyber-security best practices. It is
also important that digital liability is recognized and proper protocols are
taken to protect against breaches. Having conducted a number of cyber-security
assessments and tests, I know that sometimes all it takes is one overlooked
point of access for a hacker to attack. Insurance professionals should
recognize this alarming fact when assessing the cyber-security risks of an
organization. Consulting with digital security firms is also beneficial, as
security postures are multifaceted and complex.