Threat Intelligence

5/8/2017
03:00 PM

Aflac CISO: Insurance Sector Ramps Up Cyber Defenses

Aflac CISO Tim Callahan discusses ongoing initiatives to stay secure as hackers ramp up attacks on financial services.

The insurance industry has traditionally lagged behind the technology curve, but companies in the sector are ramping up their security practices amid a rapid rise in cybercrime.

Threat actors are increasingly looking to financial services as a direct source of monetary gain. Insurers initially weren't among their primary targets but have become frequent victims as other financial companies adopt stronger security measures.

"In the last couple of years, the criminals have turned their attention more to insurance companies," says Aflac CISO Tim Callahan. "As the banks have tightened up their security and there's less opportunity there, they have found insurance companies, especially healthcare, have a lot of data."

Now insurers are building their strengths as many of them, especially smaller businesses, are frequently hit with cybercrime. Hackers use a variety of tactics to swindle insurance victims.

Phishing is a popular means of gaining administrative credentials to establish a foothold in the insurer's environment. These attacks often target executives so criminals can spark a dialogue and collect their information. Once they secure credentials, they pose as the executive and initiate wire transfers outside the organization, using business email compromise or business email account spoofing.

"Privileged user accounts are more vulnerable," says Callahan. "That's what the criminals want."

Insurers have had to adopt new technologies and strategies to fight these threats, says Callahan. He has spearheaded several initiatives at Aflac to protect employee and user data from attack.

Aflac has implemented a more rigorous employee awareness program that goes beyond annual security training. The continuous education model requires ongoing exercises in phishing; for example, employees receive fake phishing emails and are reminded to be more careful if they fall for the scam.

Callahan has a strong focus on improving authentication; specifically, implementing multifactor authentication for any kind of remote access. He has increased emphasis on identity access management, from both employee and client standpoints, and begun a privileged access training program to protect vulnerable executive accounts.

He says tracking metrics helps keep the team updated on the progress of these efforts. "We've seen differences, and we know we're being a lot more effective," he notes. They're heading in the right direction, he adds, but there is more to be done.

In addition to these initiatives, there are a few major long-term projects to strengthen Aflac's security posture. Callahan explains the company is in the early stages of a new client authentication platform, for example, which he anticipates will wrap up by mid-2018.

He's also overseeing projects focused on vulnerability management, information governance, and data protection. The latter two initiatives overlap to ensure a fully protective environment for Aflac's information and will be fully complete by 2019, he expects.

"We're starting to be able to identify where information is and classify it almost through an automated process, and identify pieces of information that should not be on the shared drive, but in a more secure environment," Callahan says.

One of the top challenges was securing a strong threat intelligence program and sharing information with other businesses. More insurers are collaborating in the Financial Services Information Sharing and Analysis Center (FS-ISAC). "Historically, insurance companies haven't really done that, but it's certainly changing," he explains, noting that membership has risen.

C-Suite Buy-In

For companies looking to improve their security posture, Callahan advises involving the executive team early in the process.

"Our whole C-suite is behind this, and they've given support, which has filtered down to everyone in the projects," he says. "There is not a single executive who doesn't know what we're doing or why we're doing it. That, to me, is probably the biggest factor in our success."

Securing this support involves transparency. Callahan says he had to explain to the board that these projects would be expensive and take a few years to complete. The open communication resulted in some pushback, he admits, but ultimately led to greater understanding overall.

Before you get started on new technologies, however, you have to go back to basics, he says. Define your security strategy, tie it back to the business, and assess the framework to see where the gaps exist.

"Some companies go for the technology first and implement fancy tech, but in the meantime, if you haven't taken care of the basics, you'll still have holes," Callahan says. "When you get to the hard stuff, you'll lose support."

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
