Threat Intelligence
5/8/2017
03:00 PM

Aflac CISO: Insurance Sector Ramps Up Cyber Defenses

Aflac CISO Tim Callahan discusses ongoing initiatives to stay secure as hackers ramp up attacks on financial services.

The insurance industry has traditionally lagged behind the technology curve, but companies in the sector are ramping up their security practices amid a rapid rise in cybercrime.

Threat actors are increasingly looking to financial services as a direct source of monetary gain. Insurers initially weren't among their primary targets but have become frequent victims as other financial companies adopt stronger security measures.

"In the last couple of years, the criminals have turned their attention more to insurance companies," says Aflac CISO Tim Callahan. "As the banks have tightened up their security and there's less opportunity there, they have found insurance companies, especially healthcare, have a lot of data."

Now insurers are building their strengths as many of them, especially smaller businesses, are frequently hit with cybercrime. Hackers use a variety of tactics to swindle insurance victims.

Phishing is a popular means of gaining administrative credentials to establish a foothold in the insurer's environment. These attacks often target executives so criminals can spark a dialogue and collect their information. Once they secure credentials, they pose as the executive and initiate wire transfers outside the organization, using business email compromise or business email account spoofing.

"Privileged user accounts are more vulnerable," says Callahan. "That's what the criminals want."

Insurers have had to adopt new technologies and strategies to fight these threats, says Callahan. He has spearheaded several initiatives at Aflac to protect employee and user data from attack.

Aflac has implemented a more rigorous employee awareness program that goes beyond annual security training. The continuous education model requires ongoing exercises in phishing; for example, employees receive fake phishing emails and are reminded to be more careful if they fall for the scam.

Callahan has a strong focus on improving authentication; specifically, implementing multifactor authentication for any kind of remote access. He has increased emphasis on identity access management, from both employee and client standpoints, and begun a privileged access training program to protect vulnerable executive accounts.

He says tracking metrics helps keep the team updated on the progress of these efforts. "We've seen differences, and we know we're being a lot more effective," he notes. They're heading in the right direction, he adds, but there is more to be done.

In addition to these initiatives, there are a few major long-term projects to strengthen Aflac's security posture. Callahan explains the company is in the early stages of a new client authentication platform, for example, which he anticipates will wrap up by mid-2018.

He's also overseeing projects focused on vulnerability management, information governance, and data protection. The latter two initiatives overlap to ensure a fully protective environment for Aflac's information and will be fully complete by 2019, he expects.

"We're starting to be able to identify where information is and classify it almost through an automated process, and identify pieces of information that should not be on the shared drive, but in a more secure environment," Callahan says.

One of the top challenges was securing a strong threat intelligence program and sharing information with other businesses. More insurers are collaborating in the Financial Services Information Sharing and Analysis Center (FS-ISAC). "Historically, insurance companies haven't really done that, but it's certainly changing," he explains, noting that membership has risen.

C-Suite Buy-In

For companies looking to improve their security posture, Callahan advises involving the executive team early in the process.

"Our whole C-suite is behind this, and they've given support, which has filtered down to everyone in the projects," he says. "There is not a single executive who doesn't know what we're doing or why we're doing it. That, to me, is probably the biggest factor in our success."

Securing this support involves transparency. Callahan says he had to explain to the board that these projects would be expensive and take a few years to complete. The open communication resulted in some pushback, he admits, but ultimately led to greater understanding overall.

Before you get started on new technologies, however, you have to go back to basics, he says. Define your security strategy, tie it back to the business, and assess the framework to see where the gaps exist.

"Some companies go for the technology first and implement fancy tech, but in the meantime, if you haven't taken care of the basics, you'll still have holes," Callahan says. "When you get to the hard stuff, you'll lose support."

Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance & Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University.
