In this period of significant disruption cyber criminals are testing organisations’ resilience like never before. We have seen a rise in cybercrime since the Covid-19 pandemic started to impact on our lives - be it directed at individuals with people’s financial concerns being leveraged or directed at corporations. The global (re)insurance industry need to continually evaluate their cyber defences, including strategic partners and suppliers, to ensure new vulnerabilities are quickly mitigated and to avoid significant losses and brand damage caused by these increasingly aggressive threat-actors.
Even prior to Covid-19 cyber-threats have become more conspicuous in recent years; they are increasingly considered to be a top global risk for the UK (re)insurance sector and the economy as a whole. There is increasing frequency and sophistication of cyber-attacks, including phishing, ransomware, fraudulent sites and applications. Also with accelerating digital transformation programmes and the amplified use of big data and cloud computing, (re)insurers are progressively more susceptible to cyber-threats. All UK insurers regardless of size, complexity, or lines of business, collect, store and share with various third-parties substantial amounts of private and confidential policyholder information.
Information obtained from insurers through cybercrime may be used for financial gain through extortion, identity theft, misappropriation of intellectual property, or other criminal activities. Inadvertent or intentional exposure of private data can potentially result in severe and lasting harm for the affected policyholders, as well as reputational damage to insurer sector participants. Similarly, malicious cyber-attacks against an insurer’s critical systems may impede its ability to conduct business.
Many organisations here in the UK are now requiring their staff to work from home which can further increase the risk, as enterprise network security safeguards are not always available to home-users. Some users may be forced to use their personal systems at home which may not have the same level of protection that end-points at work have. This is an area where CGI’s cyber experts around the globe have volunteered their time offering advice to fight off menacing cyber activity. What I have learned, indeed prompted the writing of this blog, is that the primary solutions were human ones so hopefully we can help raise awareness of these security threats to everyone across our industry.
I asked around for other expert opinions for this blog. We work closely with insurance industry organisation, ACORD, and their President and CEO, Bill Pieroni, told me that “our ability to deal with unseen threats is being sorely tested in the current 2020 global pandemic. Perhaps part of the turmoil that we are currently experiencing is due to the invisible nature of the underlying agent or cause. It is not without some irony that we use the word ‘virus’ to describe the dangers that threaten our digital lives through agents of cyber-crime. Just as we are now being asked to pay close attention to our own hygiene, this blog highlights some of the actions that we can all take to protect our information and digital assets - based on some real experience that they have observed in our own insurance sector.”
Richard Holmes, Head of our UK Cyber team informed me that “all security centres in government and industry are reporting a significant spike in malicious activities which to exploit the current Coronavirus pandemic (COVID-19), feeding off people’s fears and uncertainties.”
Many of these activities are taking the form of phishing attacks designed to look like official but with malicious intent sites. Malicious emails and text messages can use spoofed (faked) addresses to appear to come from legitimate and trustworthy sources. Clicking on these links or an attachment can quickly infect unwary users with malware such as Worms, Trojans, Rootkits, Keyloggers, Ransomware and so on. The threat actor’s attempt to exploit the current pandemic is consistent with the general tactic of adapting social engineering ‘lures’ to exploit major flashpoints along with major events (e.g. holidays, the Olympics).
Regardless of the circumstances you and your organisations currently work under, we must all be especially vigilant right now for malicious attacks. Unless you are an experienced cybersecurity analyst, there are no fool proof methods for normal users to detect all attacks. However hopefully these tips will help us all and our staff;
- Unexpected or unsolicited emails - be wary of any emails you receive on this subject that you were not expecting - even from friends (whose email address may have been captured from social media and spoofed), or supposedly authoritative agencies
- Emails stressing urgency - especially those announcing new pandemic details and asking you to click on a link, or provide personal details to subscribe to announcements
- Uses odd or unfamiliar greetings - such as “Dear Sir/Madam”
- Uses odd email addresses - those that are out of place (or misspelled) for the agency portrayed
- Spelling or grammar errors - be suspicious of text phrased in an odd way
- Contains attachments - as a rule, do not open attachments if you were not expecting them. If in doubt and the sender is a friend or colleague, check with them first to verify before opening it
- Embedded links - be wary of them. You can hover your mouse over the link to see if the ‘advertised’ address matches the link provided, but the safest option is to navigate independently to the official website of the agency quoted and not use the link in the email. Even if you do click on a malicious link, do not feel reassured if you receive a notice such as “404 error - website not found.” You may still have been compromised.
Lots to think about! In a rapidly changing, highly connected insurance ecosystem CGI is already helping to both ensure complex platforms are built security-first and to allow for innovative cyber-insurance proposition development. If you would like to discuss this topic further please contact me on firstname.lastname@example.org.