TOP CYBER THREATS FACING INDEPENDENT INSURANCE AGENCIES
While threats have become more sophisticated, so have the tools for fighting back
By Jason Gobbel
A guy walks into a bar, orders a bourbon on the rocks, turns to his buddy and says, “Did you hear about the agency CFO who just wired $49,000 to some crook in Croatia?”
Sounds like the start of a good joke, but it’s no joke. I am the guy telling the story, and it’s true. It’s an example of “CEO Fraud,” whereby a criminal impersonates an agency principal via email, convincing the finance department that the wire request is legitimate. It’s a frighteningly common scenario.
In the past year, I have scoured industry news to understand how agencies and other businesses are getting hacked. I’ve found stories of:
- An IT service provider whose remote management system was compromised, allowing a nefarious individual to simultaneously encrypt all the computers at dozens of agencies with ransomware
- An office manager who was responding to an “HR Survey” and gave her log-in credentials to a hacker, resulting in the encryption of every server and workstation in the building
- An insurance carrier representative whose compromised credentials were used to send malware to every contact in his mailbox
I review these incidents because I’m looking for lessons learned to make sure we have done everything we can to keep our systems and those of our clients secure. It requires a high level of diligence, because today’s hacking is fundamentally different from what we’ve seen in the past. What used to be a simple nuisance has now become a sophisticated business strategy, driven by a complex supply chain. Being a great hacker is no longer a requirement to make a fortune. Services are available that will build the hacking tools, distribute them to targets, and even collect money on the hacker’s behalf.
The threats we’re seeing today generally fall into three categories:
Credential compromise. “Credential compromise” is the term used to describe a scenario where your username and password are stolen or exposed. The average employee manages over 190 sets of credentials, and 61% of those employees use the same password for multiple log-ins. As a result, 81% of all data breaches can be traced back to compromised credentials. By far, this is the largest threat to your business.
Employees need to know how to spot threats, and what to do if they’re unsure of the authenticity of a message. A good security awareness program is one that educates, tracks, and tests your employees.
Sometimes, credentials are compromised as a result of websites or services, such as Experian or MyFitnessPal, having their databases hacked. More often, however, people are tricked into giving their usernames and passwords to hackers through fake phone calls or emails.
This process of trickery, known as Phishing, usually arrives in the form of an email that looks legitimate. The message appears to have come from a trusted source, urging you to click on a link to address a time-sensitive issue. The link directs you to a copycat site that captures your credentials.
Ransomware. Ransomware is malicious software that’s designed to encrypt your data and charge you for the method to regain access. For hackers, it’s no longer about encrypting just your personal documents. Modern ransomware packages are designed to encrypt entire networks at one time. These ransomware packages are designed to appear unique, so that conventional antivirus software will not detect or prevent them from spreading. To ensure payment, these ransomware packages often target system backups before beginning their encryption processes.
Because hackers are so far-reaching and destructive, they now are charging astronomical amounts to regain access to compromised networks. The average ransomware payment has skyrocketed to over $80,000, which is double the average from three months earlier.
One reason for this surge in payments is that ransomware is evolving. The new emerging threat is known as extortionware. Extortionware follows the same process as ransomware but doesn’t stop with encryption. If you fail to pay the ransom, your data will be decrypted and posted on the Internet. This new risk encourages you to pay, even if you have a way to recover the data from backup.
Vendors and partners. The cloud has really supercharged agencies and other businesses. Accessing data from anywhere in the world has never been easier. Tools for IT automation have never been more powerful. Unfortunately, the hackers know this all too well. Why focus on one target, when you can focus on thousands?
As adoption of cloud services reaches critical mass, it’s becoming common place that these tools have a presence in your business. By now, most business professionals have either shared or received a file via Microsoft OneDrive. Most people have made a purchase on Amazon.
Because of this familiarity, hackers can use these tools against us. One of the most common strategies for the modern hacker is to impersonate communication from one of these services, to steal your credentials or trick you into installing ransomware.
In recent months, hackers have begun focusing on the management tools used by IT and managed service providers. Compromising one of these tools can provide a hacker with instant and total access to hundreds of client networks.
Fighting back
Here’s some good news: While threats have become more sophisticated, so have the tools for fighting back. Technology and tools for preventing data breaches are more powerful and cost effective than ever. Features that once were reserved for the largest of enterprises are now making their way down to the small business market.
There are so many tools and strategies available now, it can be difficult to know where to begin. We’ve highlighted five cost-effective recommendations to get you started:
Perform a risk assessment. Before we act, it’s important to understand where we need to focus. Start by taking inventory of your employees, technology, vendors, and processes. You will need to understand how these items intersect, and what exposures are present as a result.
It’s important to follow a proven process, such as the NIST Cybersecurity Framework. Many agencies find it beneficial to engage a technology or security professional to assist in the gathering and interpretation of this data. This helps ensure that your risks are thoroughly understood, and your goals and objectives are in line with best practices and standards.
Password policies and management. With 81% of all data breaches being traced back to compromised credentials, having mechanisms for protecting those credentials will certainly rank high on your list of action items.
First, you need to ensure that your employees manage as few passwords as possible. Access to tools and websites should be given to employees only when their job requires it.
Second, you need to ensure that policies are in place so that employees do not reuse passwords. The best way to implement this policy is to adopt a password management solution, such as RoboForm, LastPass, or Dashlane. These password tools can generate unique passwords for every website and provide the employee an easy and secure way to manage these passwords.
Last, you need to implement multi-factor authentication wherever possible. At a very high level, multi-factor authentication, or MFA, is a process for using more than just a password to provide access. This additional log-on challenge can be a one-time code sent as a text message, a multi-digit code that changes every minute, or even a physical device that must be plugged in. While the process may vary, most modern services support some implementation of MFA to enhance security at no additional charge.
MFA is a critical defense against attempts to trick employees into giving up their log-on credentials and is particularly important on Internet-facing systems, such as Office 365, G Suite, Dropbox or a web-based customer management system.
Security awareness training. Some 71% of all targeted attacks come through email, which makes your employees your greatest risk and your first line of defense. Employees need to know how to spot threats, and what to do if they’re unsure of the authenticity of a message. A good security awareness program is one that educates, tracks, and tests your employees.
Education is typically delivered in the form of short, high-quality videos that focus on specific topics or hacker strategies. Employee participation should be tracked, to ensure that everyone is taking advantage of the learning opportunities. And last, the employees should be tested by delivering convincing, yet harmless, emails to their mailbox to see if they can use this new education to avoid the traps.
Dark Web scanning. The Dark Web is the part of the Internet that isn’t accessible using conventional means. This area of the Internet is home to sites and services used by nefarious groups to buy, sell, and trade illicit information. When log-on credentials are stolen, you can often find them here, available for purchase.
While there’s no way to remove information from the Dark Web, knowing that compromised log-ons are out there gives you the opportunity to change them before they can be used against you.
Much like credit monitoring, there are companies that scour the Dark Web in search of compromised data. These companies will then alert their clients to threats, so that credentials can be changed and systems secured.
Vet your vendors. Vendors and partners provide agencies with valuable services and solutions. But before granting them access to data and systems, it is critical to understand how they plan to protect that access.
Start by making a list of all non-employees who have access to your systems. This list will include your technology partners, such as your IT service provider, but should also include your landlord, accountant, and even your cleaning company.
Then, ask them a series of questions to get an understanding of how their access to your systems is protected. These questions will certainly vary depending on access, but you want to be sure to document what they have access to, how they secure that access, how they detect security incidents, and how they plan to recover from a security incident.
Last, you should verify their responses. Review their security policies and procedures, as well as their incident response plans. If you’re not comfortable with how they plan to protect your systems, don’t let them in!
A fight we can win
We can win this fight, if we all stick together and do our part. Technology partners for agencies need to provide guidance and solutions in helping you implement these five strategies. As agency leaders, you need to insist that your employees continue to educate themselves on the evolving threat landscape. You also must remain vigilant about following administrative procedures that are designed with security in mind.
By all doing our part, together we will be well on our way to protecting your business.
The author
As the chief solutions officer at Kite Technology Group, Jason Gobbel uses his unique blend of insurance and technology expertise to consult with independent agencies on topics of cloud adoption, security posture, and strategic IT planning. For more than 28 years, Kite Technology has been passionately helping agencies leverage technology to drive productivity, bolster security and maximize business performance and results. To learn more visit www.kitetechgroup.com.