By Daniel Wood
Some major insurers regard cyberattacks as their fastest growing security threat. The astronomical rise in premiums supports that view: up 60% on last year according to the broking giant, Marsh.
“The most attacked industry is still financial services and based on our experience here in the country, second only to banking is the insurance industry,” said James Richmond (pictured) who leads the FSI division for Akamai Technologies in Australia and New Zealand.
Akamai, the global tech firm headquartered in Boston, believes artificial intelligence can save the industry from this systemic threat.
The company, whose name means ‘clever’ in Hawaiian, is one of the world’s biggest cloud delivery and cyber security platforms, or content delivery networks (CDN).
“When you think about it, it really is an arms race. So, the smarter the attackers get, the smarter the defenders need to be, and the defenders want to be one or two steps ahead of the attackers at all times,” said Richmond.
Read next: AIG explains its Cyber Risk Handbook
Akamai monitors and tracks the behaviour of malicious bots as they interact with its customers’ websites and uses what it calls Akamai Cloud Security Intelligence (CSI), a data processing engine, to analyse threats.
“What we see here at Akamai and other parts of the industry is building in automation, machine learning, artificial intelligence, and hey, third party artificial intelligence, to make sure our capabilities are that one step ahead,” said Richmond.
He said that’s important when combatting bot traffic because these cyber threats use the same sorts of tools to launch attacks.
“Any attacker, really, can use those fundamental tools to launch attacks at an insurance company from in country, from offshore, from both, which is sometimes very difficult to control, from inside your own network and for those attacks to pivot as the defensive mechanisms kick in,” he said.
He added it’s now very common for cyber criminals to change their attack pattern while their attack is in progress.
“So they might be trying to kick down your front door but trying to jump in the side window at the same time. As soon as you close the door and the window, now they’re looking for windows upstairs and everywhere else. All looking to disrupt your business, steal or both, hold you for ransom, all these things, it’s awful!” said Richmond.
Today’s cyberattacks can be as simple as automating a network of bots to look up a website.
“So, they have 100,000 machines all putting in one web address and pressing go at once and if the architecture isn’t ready for that, that will cause some serious operational issues. The website might fail, or it might strangle other things,” said Richmond.
Attackers are also using smarter bots that can leverage stolen information. These smarter bots steal credentials while a user logs in and then use this information elsewhere.
“If LinkedIn gets hacked, and they get hacked a lot, then attackers can use their bot network to pretend they’re me, for example, and throw my username and password at an insurance company website and log in as me. There’s all the details of my wife and children, there’s my medical history, there’s my credit card number,” said Richmond.
The more authentication criteria the bots accumulate, the more ways they can potentially cause damage.
“They can go and try and log in in other places or pretend they’re me and launder money and do all sorts of horrible things,” he explained.
He believes the best cyber defences for the insurance industry should be based on machine learning and automation combined with global experience fighting similar threats.
“That can only put you in the best place possible to stand in front of your customers and reassure them that everything’s going to be OK,” he said.
Richmond said, compared to some other sectors, the insurance industry’s natural risk averse culture and its regulatory obligations are positive starting points for a competent cyber defence.
He said the government’s Security Legislation Amendment (Critical Infrastructure) Bill 2020 introduced into Parliament in December last year, global privacy obligations and regulatory responsibilities under the Australian Prudential Regulation Authority (APRA) are all pushing the insurance industry towards more cyber security.
“These three drivers are pulling the insurance industry into a much more mature and rigorous security posture,” said Richmond.
However, he said, the big challenge for the industry is its legacy technology and slow rate of new technology uptake.
“Because the insurance industry is conservative - it wasn’t the first industry to throw itself at the cloud, it wasn’t the industry to open up like the guys in banking or commerce did - the industry is a follower of less traditional architectural strategy,” he noted.
Richmond said that can make insurance industry companies easy targets for cyberattacks. The industry’s bid to protect itself, he said, should incorporate a defence system based on what’s called a zero trust model.
“We can’t all be sitting in the castle anymore just accessing our desktop PC,” he said. “So what the zero trust idea means is that no matter where you are, or whatever device you are using, however you are choosing to connect, the authentication is done one to one.”
Richmond said the pandemic inspired era of remote working, when employees are using different devices on a range of networks, at the office, at home and elsewhere, is pushing the insurance industry towards this style of protection.
“So no-one’s a castle anymore. You need to protect your externally facing websites and apps now, as much as you are your internally facing apps. It’s a fascinating evolution of security in big enterprise, particularly in the insurance industry,” he said.
Akamai has considerable cyber security pedigree. The co-founder and current CEO, Dr Tom Leighton is regarded as one of the world’s preeminent authorities on algorithms for network applications and cybersecurity. The Massachusetts Institute of Technology (MIT) professor was the company’s chief scientist before becoming CEO.
Co-founder, Daniel Lewin, also an MIT alumnus, was regarded as a maths genius. Tragically, he died at the age of 31 in the September 11, 2001, attacks.