The insurance industry has traditionally lagged behind the technology curve, but companies in the sector are ramping up their security practices amid a rapid rise in cybercrime.
Threat actors are increasingly looking to financial services as a direct source of monetary gain. Insurers initially weren't among their primary targets but have become frequent victims as other financial companies adopt stronger security measures.
"In the last couple of years, the criminals have turned their attention more to insurance companies," says Aflac CISO Tim Callahan. "As the banks have tightened up their security and there's less opportunity there, they have found insurance companies, especially healthcare, have a lot of data."
Now insurers are shoring up their defenses, as many of them, especially smaller businesses, are frequently hit with cybercrime. Hackers use a variety of tactics to swindle insurance victims.
Phishing is a popular means of obtaining administrative credentials and establishing a foothold in the insurer's environment. These attacks often target executives, so the criminals can open a dialogue and collect their information. Once they have credentials, they pose as the executive and initiate wire transfers out of the organization, using business email compromise or business email account spoofing.
"Privileged user accounts are more vulnerable," says Callahan. "That's what the criminals want."
Insurers have had to adopt new technologies and strategies to fight these threats, says Callahan. He has spearheaded several initiatives at Aflac to protect employee and user data from attack.
Aflac has implemented a more rigorous employee awareness program that goes beyond annual security training. The continuous education model requires ongoing exercises in phishing; for example, employees receive fake phishing emails and are reminded to be more careful if they fall for the scam.
Callahan has a strong focus on improving authentication; specifically, implementing multifactor authentication for any kind of remote access. He has increased emphasis on identity access management, from both employee and client standpoints, and begun a privileged access training program to protect vulnerable executive accounts.
He says tracking metrics keeps the team updated on the progress of these efforts. "We've seen differences, and we know we're being a lot more effective," he notes. They are heading in the right direction, he adds, but there is more to be done.
In addition to these initiatives, there are a few major long-term projects to strengthen Aflac's security posture. Callahan explains the company is in the early stages of a new client authentication platform, for example, which he anticipates will wrap up by mid-2018.
He's also overseeing projects focused on vulnerability management, information governance, and data protection. The latter two initiatives overlap to ensure a fully protective environment for Aflac's information and will be fully complete by 2019, he expects.
"We're starting to be able to identify where information is and classify it almost through an automated process, and identify pieces of information that should not be on the shared drive, but in a more secure environment," Callahan says.
One of the top challenges was securing a strong threat intelligence program and sharing information with other businesses. More insurers are collaborating in the Financial Services Information Sharing and Analysis Center (FS-ISAC). "Historically, insurance companies haven't really done that, but it's certainly changing," he explains, noting that membership has risen.
For companies looking to improve their security posture, Callahan advises involving the executive team early in the process.
"Our whole C-suite is behind this, and they've given support, which has filtered down to everyone in the projects," he says. "There is not a single executive who doesn't know what we're doing or why we're doing it. That, to me, is probably the biggest factor in our success."
Securing this support involves transparency. Callahan says he had to explain to the board that these projects would be expensive and take a few years to complete. The open communication resulted in some pushback, he admits, but ultimately led to greater understanding overall.
Before you get started on new technologies, however, you have to go back to basics, he says. Define your security strategy and tie it back to the business, and assess the framework and see where the gaps exist.
"Some companies go for the technology first and implement fancy tech, but in the meantime, if you haven't taken care of the basics, you'll still have holes," Callahan says. "When you get to the hard stuff, you'll lose support."