Dark Reading is part of the Informa Tech Division of Informa PLC
Threat Intelligence

5/8/2017
03:00 PM

Aflac CISO: Insurance Sector Ramps Up Cyber Defenses

Aflac CISO Tim Callahan discusses ongoing initiatives to stay secure as hackers ramp up attacks on financial services.

The insurance industry has traditionally lagged behind the technology curve, but companies in the sector are ramping up their security practices amid a rapid rise in cybercrime.

Threat actors are increasingly looking to financial services as a direct source of monetary gain. Insurers initially weren't among their primary targets but have become frequent victims as other financial companies adopt stronger security measures.

"In the last couple of years, the criminals have turned their attention more to insurance companies," says Aflac CISO Tim Callahan. "As the banks have tightened up their security and there's less opportunity there, they have found insurance companies, especially healthcare, have a lot of data."

Insurers are now shoring up their defenses as many of them, smaller firms in particular, are hit with cybercrime. Attackers use a variety of tactics against them.

Phishing is a common way to obtain privileged credentials and establish a foothold in an insurer's environment. These campaigns often target executives: the attacker opens a dialogue to harvest information and, once credentials are in hand, impersonates the executive to initiate wire transfers out of the organization, either from the compromised mailbox itself or by spoofing the executive's email address. Both forms fall under business email compromise (BEC).

"Privileged user accounts are more vulnerable," says Callahan. "That's what the criminals want."
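The spoofing variant of BEC described above leaves traces in mail headers that a mail gateway or SIEM rule can check. The following is an added example, not Aflac's tooling or anything described in the article: it flags three common impersonation patterns (a known executive's display name arriving from an external domain, a sender domain that is a near-miss of the corporate domain, and a Reply-To header that steers replies away from the From address). The corporate domain, executive list and sample headers are constructed for illustration.

```python
"""Flag inbound mail that impersonates an executive (added example, not Aflac's code).

Three checks that catch most BEC lures built on spoofing rather than on a
compromised mailbox:
  1. a known executive's display name arriving from an external domain
  2. a sender domain that is a near-miss of the corporate domain
  3. a Reply-To header steering replies away from the From address
The corporate domain, executive list and sample headers below are constructed.
"""
from email.utils import parseaddr
import re
from typing import Dict, List

CORP_DOMAIN = "example-insurer.com"          # assumed corporate domain
EXECUTIVES = {"tim callahan", "jane roe"}    # assumed executive display names (lowercase)
LOOKALIKE_MAX_EDITS = 2                      # edit distance that still counts as a lookalike


def _normalize(name: str) -> str:
    """Lowercase and strip punctuation so casing or stray dots do not defeat the lookup."""
    return re.sub(r"[^a-z ]", "", name.lower()).strip()


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; 'examp1e-insurer.com' is 1 edit from the corporate domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike_domain(domain: str) -> bool:
    """True for a domain that is close to, but not equal to, the corporate domain."""
    if not domain or domain == CORP_DOMAIN:
        return False
    return _edit_distance(domain, CORP_DOMAIN) <= LOOKALIKE_MAX_EDITS


def assess(headers: Dict[str, str]) -> List[str]:
    """Return the impersonation indicators found in one message's headers."""
    findings: List[str] = []
    name, addr = parseaddr(headers.get("From", ""))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]

    # 1. executive display name, but the mail did not come from the corporate domain
    if _normalize(name) in EXECUTIVES and domain != CORP_DOMAIN:
        findings.append("executive display name from external domain")

    # 2. typo-squatted or homoglyph domain
    if is_lookalike_domain(domain):
        findings.append(f"sender domain {domain} resembles {CORP_DOMAIN}")

    # 3. replies silently redirected to an attacker-controlled address
    reply_to = headers.get("Reply-To")
    if reply_to:
        _, rt_addr = parseaddr(reply_to)
        if rt_addr.lower() != addr:
            findings.append("Reply-To differs from From address")
    return findings


SAMPLE_MESSAGES = {  # constructed headers, not real mail
    "legit_internal": {"From": "Tim Callahan <tim.callahan@example-insurer.com>"},
    "display_name_spoof": {"From": "Tim Callahan <tcallahan.ceo@freemail.example>",
                           "Reply-To": "tcallahan.ceo@freemail.example"},
    "lookalike_domain": {"From": "Accounts Payable <ap@examp1e-insurer.com>"},
    "reply_to_hijack": {"From": "Tim Callahan <tim.callahan@example-insurer.com>",
                        "Reply-To": "tim.callahan@mail-relay.example.net"},
}


def triage_samples() -> Dict[str, List[str]]:
    """Run the checks over the constructed samples."""
    return {label: assess(hdrs) for label, hdrs in SAMPLE_MESSAGES.items()}


if __name__ == "__main__":
    for label, findings in triage_samples().items():
        print(f"{label:<20} {findings or 'clean'}")
```

Two caveats a practitioner should keep in mind. These header checks only catch spoofing; mail sent from a genuinely compromised executive mailbox passes all three, which is why the article's emphasis on multifactor authentication for remote access matters more than any filter. And the checks complement rather than replace DMARC enforcement on the corporate domain: a forged From header that claims the corporate domain outright is DMARC's job to reject. In production, compare registrable domains rather than raw host names so that legitimate subdomains are not flagged.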

Insurers have had to adopt new technologies and strategies to fight these threats, says Callahan. He has spearheaded several initiatives at Aflac to protect employee and user data from attack.

Aflac has implemented a more rigorous employee awareness program that goes beyond annual security training. The continuous education model includes ongoing phishing exercises: employees receive simulated phishing emails, and those who fall for them are reminded to be more careful.

Callahan has a strong focus on improving authentication; specifically, implementing multifactor authentication for any kind of remote access. He has increased emphasis on identity access management, from both employee and client standpoints, and begun a privileged access training program to protect vulnerable executive accounts.

He says tracking metrics keeps the team informed of progress. "We've seen differences, and we know we're being a lot more effective," he notes. The program is heading in the right direction, but there is more to be done.

In addition to these initiatives, there are a few major long-term projects to strengthen Aflac's security posture. Callahan explains the company is in the early stages of a new client authentication platform, for example, which he anticipates will wrap up by mid-2018.

He is also overseeing projects focused on vulnerability management, information governance, and data protection. The latter two overlap to cover Aflac's information end to end, and he expects them to be complete by 2019.

"We're starting to be able to identify where information is and classify it almost through an automated process, and identify pieces of information that should not be on the shared drive, but in a more secure environment," Callahan says.
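Automated discovery and classification of the kind Callahan describes starts with a scanner that walks the share, looks for identifiers that have no business on a general-purpose drive, and labels each file so it can be moved somewhere controlled. The following is an added example, not Aflac's platform: it detects US Social Security numbers and Luhn-valid payment card numbers, uses a short keyword list as a health-information indicator, and assigns an assumed three-level label. The sample file tree is constructed in a temporary directory; patterns, keywords and label names are illustrative assumptions.

```python
"""Find and classify sensitive data on a file share (added example, not Aflac's code).

Walks a directory tree, inspects text files for identifiers that should not
sit on a general-purpose shared drive, and labels each file so it can be
relocated. The sample tree is constructed in a temp directory; the patterns,
keyword list and labels are assumptions for illustration.
"""
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# US SSN in 3-2-4 form, excluding structurally invalid area/group/serial values.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d\d-(?!0000)\d{4}\b")
# Candidate payment card numbers: 13-19 digits with optional space/hyphen separators.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Words that suggest protected health information (assumed, deliberately short).
PHI_WORDS = ("diagnosis", "patient", "medical record", "prescription")
MAX_BYTES = 1_000_000  # skip very large files in this illustration


def _luhn_ok(digits: str) -> bool:
    """Luhn checksum; separates real card numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify_text(text: str) -> Dict[str, object]:
    """Label one document and list the identifier types found in it."""
    findings: List[str] = []
    if SSN_RE.search(text):
        findings.append("SSN")
    for m in PAN_RE.finditer(text):
        if _luhn_ok(re.sub(r"[ -]", "", m.group())):
            findings.append("PAN")
            break
    low = text.lower()
    if any(w in low for w in PHI_WORDS):
        findings.append("PHI-keyword")
    if "SSN" in findings or "PAN" in findings:
        label = "Restricted"        # must leave the shared drive
    elif findings:
        label = "Confidential"      # needs human review
    else:
        label = "Internal"
    return {"label": label, "findings": findings}


def scan_tree(root: Path) -> Dict[str, Dict[str, object]]:
    """Classify every readable text file under root, keyed by relative POSIX path."""
    report: Dict[str, Dict[str, object]] = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.stat().st_size > MAX_BYTES:
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="ignore")
        except OSError:
            continue  # unreadable file: skip rather than abort the scan
        report[path.relative_to(root).as_posix()] = classify_text(text)
    return report


def files_to_relocate(report: Dict[str, Dict[str, object]]) -> List[str]:
    """Paths whose label means they should not stay on the shared drive."""
    return [p for p, r in report.items() if r["label"] != "Internal"]


SAMPLE_FILES = {  # constructed contents, not real data
    "claims/patient_export.csv": "policy_id,ssn,diagnosis\nP-1001,123-45-6789,hypertension\n",
    "finance/card_batch.txt": "refund to card 4111-1111-1111-1111 approved\n",
    "hr/holiday_schedule.txt": "Office closed 4 July; see intranet for details.\n",
    "qa/test_fixtures.txt": "placeholder card 1234 5678 9012 3456 (fails Luhn)\n",
}


def build_sample_tree() -> Path:
    """Write the constructed sample files into a fresh temporary directory."""
    root = Path(tempfile.mkdtemp(prefix="share-scan-"))
    for rel, body in SAMPLE_FILES.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body, encoding="utf-8")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    report = scan_tree(root)
    for rel, r in report.items():
        print(f"{r['label']:<12} {rel}  {r['findings']}")
    print("relocate:", files_to_relocate(report))
```

The Luhn check is what keeps the scanner usable: a bare 16-digit regex fires on timestamps, order numbers and test fixtures, while the checksum filter drops roughly nine in ten of those. A real deployment would add document formats beyond plain text, record the owner and last-access time for each hit so the classification can be enforced, and treat the keyword list as a first-pass indicator for review rather than a verdict.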

One of the top challenges was building a strong threat intelligence program and sharing information with other businesses. More insurers are collaborating through the Financial Services Information Sharing and Analysis Center (FS-ISAC). "Historically, insurance companies haven't really done that, but it's certainly changing," he explains, noting that membership has risen.

C-Suite Buy-In

For companies looking to improve their security posture, Callahan advises involving the executive team early in the process.

"Our whole C-suite is behind this, and they've given support, which has filtered down to everyone in the projects," he says. "There is not a single executive who doesn't know what we're doing or why we're doing it. That, to me, is probably the biggest factor in our success."

Securing this support involves transparency. Callahan says he had to explain to the board that these projects would be expensive and take a few years to complete. The open communication resulted in some pushback, he admits, but ultimately led to greater understanding overall.

Before getting started on new technologies, however, you have to go back to basics, he says: define the security strategy and tie it to the business, then assess it against a framework to see where the gaps are.

"Some companies go for the technology first and implement fancy tech, but in the meantime, if you haven't taken care of the basics, you'll still have holes," Callahan says. "When you get to the hard stuff, you'll lose support."

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...