Cyberattacks are on the rise in the United States, and certain industries are more susceptible than others. The financial services sector, in particular, is 300 times more likely to fall victim to cyberattacks than other industries. Within this sector, banks get the most attention from cybercriminals, but insurance companies have also suffered major cyberattacks.
In February 2015, hackers attacked major health insurance provider Anthem and compromised 78.8 million company records. The breach exposed personally identifiable information (PII) such as names, contact details, medical IDs, and Social Security numbers. According to investigators, the perpetrators sent phishing emails to Anthem employees and tricked them into downloading Trojan malware that steals passwords and other sensitive information.
More recently, State Farm reported a data breach that was a result of unauthorised access using stolen login credentials. Even smaller insurance firms have fallen victim to social engineering and malware-based attacks. So what makes the insurance industry such a popular target?
A wealth of sensitive information
Cybercriminals are always looking for organisations that harbor massive amounts of data, and insurance companies fit the bill. Insurers have access to their clients’ medical records and financial information, which are extremely valuable on the black market. Medical insurance records, for instance, sell for up to $1,000 and yield even more profit when used for fraudulent insurance claims and purchasing prescription drugs for resale.
Meanwhile, access to a person’s address, financial information, Social Security number, and employment details gives hackers plenty of options. They can use the information to commit identity theft and make fraudulent purchases until their victim’s account has been emptied out. They can even infiltrate email accounts and defraud more people.
Increased susceptibility to attacks
However, it’s not just the massive collection of sensitive data that makes insurance companies attractive targets. As insurance companies adopt cloud and mobile technologies, they inadvertently leave business networks vulnerable. At the same time, hackers are constantly developing elaborate malware and denial-of-service attacks designed to compromise insurance systems and render them inoperable.
Also, the insurance industry often lags behind other financial services organisations when it comes to cybersecurity. Banks, for instance, are highly fortified, utilizing state-of-the-art security and encryption systems to defend against sophisticated, financially motivated cyberattacks. By contrast, many insurance companies may lack the resources to invest in bleeding-edge security measures. And as banks become more impenetrable, attackers will naturally shift their focus to less secure targets like insurance companies.
What’s more, security training is often an afterthought for most organisations. This means employees are more likely to make data management errors, set weak passwords, and interact with dangerous emails. Such a lax approach to cybersecurity enables hackers to easily circumvent security systems and steal data.
What should insurance companies do?
Data breaches have lasting effects on insurance companies. Not only can they lose thousands of dollars fixing the issue, there are also extra costs associated with regulatory fines and losing customer trust.
The best way to avoid these risks is to take a multilayered approach to cybersecurity. For starters, companies must install cutting-edge encryption software, firewalls, intrusion prevention systems, and anti-malware, and apply software updates promptly. These measures prevent hackers from exploiting system vulnerabilities and gaining access to sensitive data.
According to the National Association of Insurance Commissioners (NAIC), companies must set access restrictions and enable multifactor authentication to be compliant. The former prevents unauthorised users from gaining access to sensitive data, while the latter adds another method of identity verification on top of passwords, such as a fingerprint scan or a one-time authentication code sent via SMS.
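To make the "one-time code on top of a password" idea concrete, here is an added example that is not from the original post, NAIC, or INFINIT Consulting. It assumes a time-based one-time password (RFC 6238 TOTP, the scheme used by authenticator apps) rather than the SMS delivery the text mentions, and it uses the RFC's published test secret as constructed input. The login check only succeeds when both the salted password hash and the current one-time code verify, and it tolerates one 30-second step of clock skew, which is the usual trade-off between usability and replay exposure.

```python
import hashlib
import hmac
import os
import struct

# Constructed test secret from RFC 4226 / RFC 6238 appendices (not a real user's secret).
RFC_TEST_SECRET = b"12345678901234567890"
TIME_STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = TIME_STEP_SECONDS, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time) // step, digits)


def verify_second_factor(secret: bytes, submitted_code: str, at_time: int, window: int = 1) -> bool:
    """Accept the code for the current step or up to `window` steps either side (clock skew).

    Comparison is constant-time so a timing difference does not leak digits.
    """
    counter = int(at_time) // TIME_STEP_SECONDS
    for delta in range(-window, window + 1):
        expected = hotp(secret, counter + delta)
        if hmac.compare_digest(expected, submitted_code):
            return True
    return False


def enroll(password: str, totp_secret: bytes) -> dict:
    """Create a user record: salted PBKDF2 password hash plus the enrolled TOTP secret.

    Hypothetical record layout for this example; a real deployment would keep the
    TOTP secret encrypted at rest, separate from the password hash.
    """
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return {"salt": salt, "pw_hash": pw_hash, "totp_secret": totp_secret}


def login(record: dict, password: str, submitted_code: str, at_time: int) -> bool:
    """Multifactor check: both the password and the one-time code must verify.

    Both factors are always evaluated so a wrong password cannot be distinguished
    from a wrong code by response time.
    """
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), record["salt"], 100_000)
    password_ok = hmac.compare_digest(candidate, record["pw_hash"])
    code_ok = verify_second_factor(record["totp_secret"], submitted_code, at_time)
    return password_ok and code_ok


if __name__ == "__main__":
    user = enroll("correct horse battery staple", RFC_TEST_SECRET)
    # At Unix time 59 the RFC test secret yields code 287082.
    print("password + valid code:", login(user, "correct horse battery staple", "287082", 59))
    print("password + stale code:", login(user, "correct horse battery staple", "287082", 120))
    print("wrong password + valid code:", login(user, "wrong", "287082", 59))
```

The skew window is the knob to watch: widening it beyond one step makes every code valid for longer and gives an intercepted code more time to be replayed, which is part of why the text's SMS-delivered codes are considered weaker than app-generated ones that never cross a phone network.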
Organisations must also consider the human element of cybersecurity. This involves educating employees on the latest threats, teaching them to spot the telltale signs of a phishing attack (e.g., suspicious links and attachments), and requiring unique, 12-character-long passwords. For optimal results, organisations should implement ongoing security training and testing to prepare employees for real-world attacks.
There’s a lot that goes into cybersecurity, but insurance companies don’t have to do everything by themselves. INFINIT Consulting provides cutting-edge risk management and cybersecurity solutions that dramatically reduce the chances of a breach. If you run an insurance company in California, schedule a meeting with us today and we’ll formulate a cyber defense strategy to keep your assets safe.