After the cyberattack on Medibank Private last month, other insurers are likely rethinking their cyber protections. Australian security technology firm, Sekuro, works with insurance companies to improve their cyber security.
Insurance Business spoke to Nick Flude (pictured above), Sekuro’s chief marketing officer, to find out more about the challenges of providing cyber security for an insurance company.
“When operating with large volumes of highly sensitive data the stakes are high and business viability for health insurance providers is contingent on compliance with official security standards of regulatory bodies,” said Flude, referring to the personal data stored by insurance companies.
Read next: Medibank digs into recent cyberattack
“A critical aspect of Sekuro’s engagement with insurance firms is the responsibility to ensure all recommendations or security solutions provided enable adherence to strict guidelines and regulations,” he said.
Flude said compliance was “front of mind” at all times. Another key aspect to consider, he said, is insurers' need to simultaneously manage several centres, hubs, offices and online networks.
“It is critical to ensure the security solutions advised are agile and comprehensive to address all facets of the business,” he said.
One focus of the defence that Sekuro sets up is penetration testing.
“A penetration test is essentially where a team of good hackers use their knowledge of computer systems and software engineering to identify, locate and exploit any potential vulnerabilities in a website or smartphone app,” said Flude.
He said insurance companies considering their cyber defence system need to ensure it covers people, processes, and technology.
“It must be embedded across all aspects of a business,” said Flude.
His firm, he said, formulates its cyber security advice around eight pillars: people, identities, endpoints, networks, infrastructure, applications, data and analytics.
“By ensuring every pillar adheres to the security framework, organisations will effectively mitigate gaps across the business and minimise chances of falling victim to outside cyber threats,” he said.
Flude said recent cyberattacks have shown that it’s not necessarily one single point of failure that leads to attackers gaining traction. Rather, he said, successful attacks can result from a perfect storm of shared or stolen usernames or passwords and then customer databases being connected to online systems without proper user authentication. Flude said in these recent cases there was also limited visibility of data flowing outside the organisation to remote sites or systems.
“For these reasons, having a strong organisation-wide security posture has never been more important to enabling business resiliency and viability,” said Flude. “As we’ve seen, cyber breaches can happen to any organisation and businesses need to proactively embed security measures widely to prepare for when attacks occur.”
He said it is no longer feasible to disregard cyberattacks as just a possibility.
“It is unfortunately impossible to stop every attack, so we work with our clients to understand their entire technology architecture and then identify and map their high value assets that would be likely initial targets for cyberattacks,” he said.
Flude said with that knowledge they can understand how to treat each individual asset and review its security perimeter, working backwards from the higher value to the lower value assets.
“This helps set expectations of what the organisation values and also where the initial focus and investment needs to be made,” he said.
Read next: Experts weigh in on Medibank breach
Flude said it is clear that cyber criminals are targeting industries that have sensitive personal information, like insurance companies.
“Insurance providers can take a proactive stance and implement strong preventative measures to maintain an optimal level of security at all times,” he said.
These measures, he said, include conducting regular tests to ensure every aspect of the business is thoroughly checked for any potential risk in real time.
“It is about taking a zero-trust stance where no system or user is trusted until proven otherwise,” he said. “This means always being on high alert and assuming an attacker could be inside systems at any time.”
Flude said by having a strict process in place to determine if a user, application or system should be granted permission to carry out an action, insurance businesses can mitigate the chances of a data breach. They’ll also be ready, he said, for the worst-case scenario.