Credential harvesting is ‘kindling for a fire’ says Chubb

One simple human error can lead to significant loss

Credential harvesting is ‘kindling for a fire’ says Chubb

Insurance News

By Bethan Moorcraft

One credulous click can shut an entire company down for months. Paralysis as a result of a phishing scam has become an unfortunate cyber reality that all businesses are starting to recognise is a real risk.

The global cyber risk landscape is developing rapidly, with hackers on the front foot with regards to malware innovation. A number of cyber incidents hit the headlines in the past year, including WannaCry, Petya/NotPetya, Equifax, and, most recently, the Intel microprocessor flaw.

All of these events could in theory have been caused by one simple human error – something that global insurer Chubb is fighting to highlight by transforming claims data into a valuable tool when expanding their cyber risk management and risk transfer services.

“At Chubb, we always look to evolve and adapt our cyber suite of products and risk management services based on our extensive claims database. We try to learn from our claims and use that knowledge to provide targeted and value-added services,” explained Matthew Prevost, Senior Vice President, Chubb. “After inventorying 10-years of Chubb cyber claims data in 2015, we found two key issues at the centre of a great deal of claims: employee training and password management.”

The ‘people problem’ in cyber security is not a new discussion point, but is one that few organisations provide real solutions for. However, insurers and brokers worldwide are well aware of the issues, with many offering free risk management portals, phishing training and educational apps.

Chubb has collaborated with a number of cyber security companies to offer its cyber policyholders various value-added pre- and post-breach services at no extra cost. The global insurer offers online educational modules through a company called Skillbridge, whereby company decision makers can log-in and assign cyber security courses to their employees.

The company is also tuned into the serious risks surrounding password management and the dangerous credential harvesting environment. This is the most common goal of phishing schemes and includes bad actors taking passwords, credentials, and re-set questions (all things introduced for security), collating them into databases and spreadsheets, and then using them to exploit individuals.

“Password hygiene is a problem around the world. There’s enough credentials in the hands of bad actors to cause some real damage to companies – it’s like kindling for a fire,” Prevost told Insurance Business. “Insurance carriers and brokers need to work together to ensure everyone recognises the problem and makes a concerted effort to fix it.”

Heightened media attention around large-scale cyber events has helped to raise awareness of the people problem in cyber. The WannaCry ransomware attack in May 2017 was a harsh reminder for many that employees are sometimes the weak link in a company’s cyber security. The damaging attack was effectively enabled by people falling for malicious phishing scams.

“At Chubb, we’ve collaborated with a password manager company called Dashlane, which ensures password sophistication and hygiene, and alerts clients of a cyber incident. We offer Dashlane Premier password management to every Chubb commercial cyber policyholder for up to 500 employees,” Prevost added.

“We also offer a risk management portal, which policyholders can review for advice on best practices, risk management templates, breach cost calculating and more, and recently introduced the Cyber Alert app, designed to give policyholders 24/7 incident reporting and response services at their fingertips. Chubb partners with our clients to ensure they have the education and tools at their disposal to survive and thrive in the evolving cyber risk landscape.”

Related stories:
Chubb announces quarterly results – hit by wildfire losses
Chubb makes two senior leadership changes

Keep up with the latest news and events

Join our mailing list, it’s free!