Cyber Smarts: Defence Alone Is Not Enough to Prevent Attacks

The week in which U.S. authorities acknowledged a data breach affecting the Department of Justice and the Department of Homeland Security, while downplaying its severity, showed that even the most security-conscious organisations lack cyber smarts. A hacker, or hacking group, published via Twitter what they claimed were the records of 9,000 DHS employees.

Successful cyber criminals are smart: you do not tend to hear about the unsuccessful ones, of which there are bound to be many. No praise is intended in that comment, but it is necessary to respect the drive and ability of the successful hacker. From the moment the first servers were connected to the World Wide Web, some individuals were drawn to breaking it.

As we explain in this article, the insurance community needs to become more adept at challenging the reliability and integrity of its own employees and customers, and at confronting the discomfort that hackers leverage, if it wishes to protect customers and organisations as a whole.

There are many methods of attack, but whatever the hacker's motivation they will find smart ways to do damage, extort money, or simply show off their "talents". In turn, the success of the modern-day hacker has kicked off a suitably complex cyber security industry to counter their efforts. To put the extent of the challenge in context, global security spend in 2015 is estimated at around $75 billion, rising to $170 billion by 2020.

What is not clear is how that spend is split between defence and recovery. Unfortunately, most organisations, including underwriters and insurance brokers, continue to regard defence alone as the best policy for a robust security framework, invariably as an IT-driven function with ever-increasing spend dedicated to building higher and higher defensive walls.

Those eye-watering security spend figures will have brought home to insurers and other financial services companies the cyber challenge they face when news emerged that HSBC was hit by a distributed denial of service (DDoS) attack on 29 January 2016. The attack took its personal banking website and mobile application offline on a day that coincided with tax deadlines and payday for many customers.

Cyber Essentials

"Cyber Essentials is a government-backed, industry supported scheme to help organisations protect themselves against common cyber-attacks" (www.cyberessentials.org).

The fact that the government has worked with industry to provide guidelines is significant. The Cyber Essentials scheme is gathering wide support, and its 10-point, two-stage approach, driving awareness first and then testing independently, follows a recognised path.

The British Government and PricewaterhouseCoopers (PwC) recently published "Cyber Security Breaches Survey Results 2015" (www.gov.uk) under the banner of HM Government's Cyber Essentials scheme. The report is simply presented and the audience can filter by organisational size, region and sector. A standout statistic is that an organisation's own staff are responsible for 43% of the worst security incidents reported.

That is to say, almost half of the worst incidents were self-inflicted. It sounds harsh, but it is important to point out that responsibility cannot be laid only on those individuals; it ultimately finds its way back to the board. It is commonly recognised that social engineering is one of the biggest threats posed by the hacker. The prevailing view is that sophisticated groups are combining their intellect to devise the most complex methods of hacking your network, when in fact an attack can be as simple as sending an email to an uninformed user.

We see the impact on insurance in cases like the recent example in which Chubb unit Federal Insurance Company was taken to court by a client after it refused to pay a $480,000 loss on a cyber insurance policy. It is reported that the client, AF Global, sought $1mn from the defendant after a hacker posing as its CEO convinced its head accountant to transfer $480,000 to a Chinese bank in May 2014.

The cyber hazard is not merely confined to the threat of lawsuits, however. Insurers themselves are increasingly under direct threat. According to PwC:  "The chief concern is the security of the ever growing volumes of data that insurers hold in cloud-based storage systems. For many, major breaches are inevitable; the question is how much damage they will cause.

"Insurers are prime targets to be victimised given the richness of data - credit card information, medical information, and other underwriting information. It's not a matter of if but when it will happen," reported a director of risk management at one Canada-based non-life insurance company, quoted in the PwC document.

Unfortunately, multiple incidents are common and lessons are not being learned. Other significant statistics attribute successful attacks to outsiders impersonating customers. This is social engineering, like the insurance CEO example above, and it taps into an uncomfortable topic. Nobody likes to challenge the reliability and integrity of their customers, and the hacker leverages that discomfort. Yet it is the very customers we are uncomfortable challenging that we are trying to protect.

Formalising process and procedure through a risk-based approach can address these issues. The approach requires informed delegation, and therefore ownership at the highest level within the organisation. A resilient approach addresses the key cyber security standards: in its simplest form it adheres to the Cyber Essentials framework, and it scales through globally recognised standards such as ISO 27001.

There are three pillars of a successful cyber risk mitigation strategy.

First, Intelligence: educate the board, the user community and vendors. You need to know the information assets, key systems, services, processes and procedures and the threat landscape.

Second, Compliance: protect your data, and measure and manage risk.

Third, Continuity: build a structured incident response plan, prioritise recovery and build a continual improvement program.

Cyber Essentials is a good entry-level security framework and will suit the pocket and ability of most smaller organisations. It has weaknesses compared to the likes of ISO 27001, for example in controls around vendor management. However, by blending in controls from more established standards where Cyber Essentials is weak, it is possible to lay down a good level of cyber assurance with relative ease.

This article was first published in Insurance Day on 19th February 2016. www.insuranceday.com

Wayne Jolly