There has been a lot of talk about how insurance companies are increasingly falling victim to outside cyber attacks, but the risk of insider threats can be just as scary and perhaps a little more difficult to prevent, according to guests on this episode of The Insuring Cyber Podcast.
Insider threats are cyber attacks that come from within a company. They can happen when former or current employees, or even third-party contractors that work with the company, make inadvertent errors, discover vulnerabilities or intentionally steal data.
“It’s the concept of employees posing a threat to the corporation that they work for in the form of stealing intellectual property, or potentially even doing damage, eliminating information that’s important to the corporation, or sharing things like employee or customer data with the outside world or potentially a bad actor,” said Chris Lehman, CEO of cybersecurity company SafeGuard Cyber.
Because insurance companies typically possess not only their own company’s financial and employee data but also sensitive personal or financial customer information, they are particularly susceptible to this type of threat, according to Philip Stein, partner and litigation practice group leader at law firm Bilzin Sumberg.
“This is a big issue for companies in all industries right now,” he said. “And I think it is a particularly significant concern for companies in the insurance industry.”
Lehman said the most common form of insider threat is intellectual property theft.
“That could be intellectual property in the form of [research and development] that has been worked on for many years and literally millions and/or billions of dollars have been invested by a corporation to develop this intellectual property, or it could be theft of customer information or employee information,” he said.
This can often come in the form of “exit crime,” or a scenario in which an employee leaves a company and takes advantage of the intellectual property they’ve had access to while employed.
“Exit crime is something that companies are talking more and more about,” Lehman said. “It kind of goes hand in hand as being driven by The Great Resignation.”
Indeed, The Great Resignation, as it’s been called, is a reportedly escalating trend of employees willingly leaving their jobs. Experts say it’s one factor to consider when discussing the risk of insider threats. Another factor is the remote work environment, partially driven by the pandemic.
“The increased reliance on technology in the insurance industry, of course, yields a lot of new efficiencies for insurance companies,” Stein said. “But the downside is the greatly enhanced exposure of sensitive information through what are often vulnerabilities in one or more of those technologies. We don’t live in a world anymore in which thieves or bad actors have to be inside a company’s physical facilities and have to walk away undetected with physical copies of sensitive data in order to cause harm to their employer.”
What makes this a particularly challenging problem, according to Lehman, is that insiders already have permission to access the information and systems in question, which can make it hard for security teams to figure out when information is being accessed for normal versus nefarious reasons.
“That’s very, very hard to sort through,” he said.
However, Daniel Soo, principal at Deloitte, said insider threats most often don’t result from nefarious activity.
“Probably a large portion of what happens,” he said, “is that people just do things unintentionally.”
This leads to another tricky crossroads for security teams — trying to decide when an incident is the result of negligence and when it’s the result of malicious activity.
“That’s the trick in this. You have to be able to both allow appropriate conduct of business and allow people to do what they need to do as part of their job. You need to be able to identify situations where people just did things unintentionally, and then there are those other situations where there may be a bad actor outside of your company who’s pretending to be inside,” he said. “There’s your true malicious insider who’s really doing something kind of nefarious. So, being able to identify those things is not an easy thing to do.”
While emphasizing that there isn’t a single solution that can reduce the risk entirely, Stein suggested that organizations adopt a layered approach that encompasses a range of security protocols in order to prevent insider threats. This includes conducting regular risk assessments, providing security awareness training to employees, and closely managing the accounts and privileges of all employees and contractors.
Lehman added that it’s also important to monitor all communication channels, especially in an increasingly digital working environment.
“So many enterprises just flat out aren’t monitoring these new ways that employees communicate. Because they’re not monitoring them, they don’t have visibility, and as a result of that, they don’t know if nefarious behavior or actions are being taken,” he said. “So, my No. 1 piece of advice is to make sure that you’re securing and monitoring all the ways that your employees are communicating.”
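The “exit crime” scenario above and the advice to closely manage accounts and privileges come down to two checks a security team can actually run: is any departed employee or contractor still using an account, and is a departing user pulling unusually large amounts of data during their notice period. The following is an added example, not code from the podcast or any company mentioned; the roster, log lines, notice window and export baseline are constructed for illustration.

```python
"""Offboarding checks for 'exit crime': flag activity by deprovisioned or
departing identities. Roster, log and thresholds are constructed samples."""
from datetime import date, datetime, timedelta

# Constructed HR roster: identity -> (type, last day, or None if still active)
ROSTER = {
    "alice":   ("employee",   None),
    "bob":     ("employee",   date(2022, 3, 18)),   # resigned, last day passed
    "carol":   ("employee",   date(2022, 4, 8)),    # still in notice period
    "dan-ext": ("contractor", date(2022, 2, 28)),   # engagement ended
}

# Constructed data-access log: "timestamp user action record_count"
LOG = """\
2022-03-21T09:14:02 alice export 120
2022-03-21T10:02:11 bob export 45
2022-03-22T18:40:55 carol export 9800
2022-03-23T08:05:00 carol export 150
2022-03-23T11:30:00 dan-ext read 3
"""

NOTICE_WINDOW = timedelta(days=30)   # look-back window before a user's last day
EXPORT_BASELINE = 500                # constructed normal daily export per user

def parse(log):
    """Yield (timestamp, user, action, records) tuples from the log text."""
    for line in log.splitlines():
        ts, user, action, records = line.split()
        yield datetime.fromisoformat(ts), user, action, int(records)

def offboarding_findings(log=LOG, roster=ROSTER, baseline=EXPORT_BASELINE):
    """Return (user, rule) pairs. Rule 1: any activity after the last day means
    the account was never deprovisioned. Rule 2: an export far above baseline
    while a departure date is pending. Unknown identities are flagged too."""
    findings = []
    for ts, user, action, records in parse(log):
        kind, last_day = roster.get(user, ("unknown", None))
        if kind == "unknown":
            findings.append((user, "unknown-identity"))
        elif last_day and ts.date() > last_day:
            findings.append((user, f"{kind}-active-after-last-day"))
        elif (last_day and ts.date() >= last_day - NOTICE_WINDOW
              and action == "export" and records > 5 * baseline):
            findings.append((user, "bulk-export-in-notice-period"))
    return findings

if __name__ == "__main__":
    for user, rule in offboarding_findings():
        print(user, rule)
```

In practice the roster comes from the HR system and the log from the data-access or DLP tooling; the value of the check is that it correlates the two, which neither system does on its own.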
Soo said that he sees light at the end of the tunnel as tools to fight threats are improving and awareness around these threats is growing as well.
“I think with those pieces there, we could probably start to manage that risk a bit better,” he said. “I think it will continue to be a risk, and I think once you start to get those risk indicators, you can start to act on them.”
Lehman cautioned, however, that the shift to remote or hybrid working is unlikely to reverse, and companies, including insurers, will need to keep pace with that evolution.
“We live in an increasingly digital world. That’s not going to change. We live in a world where, increasingly, our employees are working remotely. I don’t see that ever going away,” he said. “It’s a really complex problem, candidly, but organizations can solve it. It’s a solvable problem, but it always comes back to start with protecting and monitoring where your employees communicate. If you do that, you’ll take a huge step forward in terms of improving the corporation’s security posture.”
To hear what else Lehman, Stein and Soo had to say, check out the rest of this episode and be sure to check back for new episodes of The Insuring Cyber Podcast publishing every other Wednesday along with the Insuring Cyber newsletter. Thanks for listening.