The overwhelming number of data breaches over the last few years has every private company and government agency desperately trying to guard its system against cyber criminals.
But unlike most other professions, the insurance industry is affected in two ways by the threat. Insurance companies themselves can be the target of a breach that would shut down their network, at least temporarily, or put the personal and private information of customers at risk.
At the same time, insurance companies that offer cybersecurity policies can be impacted by how well their customers protect their own systems.
How costly can these breaches be? The average is $4 million per breach, up from $3.8 million in 2015, according to a study from IBM and Ponemon Institute.
“That’s a staggering amount,” says Gary S. Miliefsky, CEO of SnoopWall, a company that specializes in cybersecurity.
“The good thing is that those in the insurance business are starting to realize just how serious the problem is and that, just like the businesses they insure, they face costs not only in terms of the breach itself, but also in terms of their firm’s reputation.”
Sometimes those breaches are ridiculously easy, Miliefsky says. A cyber criminal can gain access by sending a company an email with an attachment called a Remote Access Trojan, or RAT, that looks like a normal file. All it takes is for an unsuspecting employee to open that file and security is compromised.
“Certainly, hackers can be very clever and very skilled, but often all they need to be is patient,” Miliefsky says.
For better protection against those cyber criminals out to do harm, Miliefsky says insurance companies should:
• Train their staffs. Those employees sitting at their computers each day are a company’s first line of defense. If they click on an attachment or a link in the wrong email, they have essentially unlocked the front door. Employees should be made aware of the dangers and told what do about suspicious email.
• Routinely update their defenses. Outdated technology and outdated security software make a company’s computers vulnerable to attack. It’s important that insurance companies periodically review their IT operations to make sure what worked last year still provides the needed security.
• Enforce better password management policies. Employees often aren’t creative enough with their passwords, making it easier for cyber criminals to work their way in. In setting a password, employees should use any unique characters they can think of, such as a dollar sign ($) or an exclamation mark (!) or replace a letter “O” with a 0 (zero). Employees also should be directed to change their passwords often.
• Be prepared for the worst. It’s essential to have a backup and recovery plan in case data is lost or corrupted. That plan should be tested frequently.
“Because of their unique position, insurance companies also should make sure that their cybersecurity policy holders are taking these steps to protect themselves as well,” Miliefsky says. “This is definitely a situation where an ounce of cyber prevention is worth a pound of cure.”
