Cyber insurance is one of the fastest growing insurance lines in the world. It is a great product: it provides practical expert support as well as a financial safety net in case of disaster.
As an industry we are great at protecting others. But what about our own cyber security?
According to a recent UK government survey, 65% of companies in the finance industry experienced a cyber attack in 2018, yet only 25% had a specific cyber insurance policy in place to protect against such attacks. Insurance-specific data was not published so the Bewica team had a different look at cyber security in the insurance industry.
Over the last three months, we presented to hundreds of insurance professionals representing a total of 200 companies from seven cities across the UK, as part of the CII Professional Focus. At all of these conferences, we conducted live surveys, asking the attendees about their experiences and awareness of cyber attacks. In addition, we scored and analysed all attending companies with our automated cyber risk assessments.
Overall, the 200 companies represented at the events scored very similarly to the average in our company database at 5.5 versus an overall average in our database of 5.4. The best score was an impressive 1.4 (out of 10), the worst 7.9.
An overall score does not tell you much so we dived deeper into specific areas.
Phishing is the most common cyber attack on businesses and was thus our first focus. We asked the CII attendees whether they had received any suspicious or phishing-type emails into their company inbox in the last 12 months. 94% said yes. Let’s pause here: 94%. Surely this means 100% of businesses represented suffered at least one attack. Much more than the 65% above. And it certainly tallies with our own phishing experience. We’ve received a number of interesting emails over the last few months.
However, despite the vast threat that this clearly poses, our automated assessment found that only 2% of the attending insurance companies had robust technical phishing protection measures in place.
Mass phishing attacks - bulk phishing - are usually easy to spot. We seem to all have uncles in foreign countries wanting to give us millions… This could suggest the risk is limited but unfortunately that is not true: there is a trend towards fewer but more targeted and sophisticated attacks.
When you get an email from a client of yours, addressed at you, referencing a project you have worked on - you are much more likely to click on a link in that email. And the impact can be hugely damaging. Whether by downloading ransomware, or tricking employees into paying fake invoices, these attacks are not something any of us can ignore. Cyber theft insurance often asks clients to verify address and account changes with an independent source. Sound advice for all of us! And verification from an independent source also makes sense when there is anything else odd about an email. Definitely before clicking a link.
The second question we asked the attending insurance professionals was whether their company’s website allowed users to input information such as contact information or payment details. 69% said yes.
This means 69% of the attending companies could be at risk of a Cross Site Scripting attack (XSS). An XSS attack involves hackers injecting a piece of code into a website, allowing them to intercept any data that is entered into the website. Our automated scans found that over 94% had inadequate protections against these types of attacks.
Although XSS is far less common than phishing, the fact that nearly all of the companies we assessed had some technical vulnerability is worrying. Think of hackers stealing sensitive information during an online purchase process, whether related to their insurance risk profile or payment details.
XSS is easy to fix for any technical team. You may want to ask your IT whether they have respective controls in place.
Finally we asked attendees if they thought their login details were available on the dark web. Data stolen in breaches is often leaked online, on the dark web or even on Twitter. There are billions of leaked records, many with usernames and passwords. Have a look at HaveIBeenpwned.com to see if your email address has been in a breach.
Just under half (46%) of the attending insurance professionals believed that their login details were on the dark web. Although this was in-line with our expectations on a per person level based on our benchmarks from other industries, this means a high share of companies has details at risk. This was confirmed by our automated assessments which showed that nearly 84% of the represented companies had at least one employee whose credentials had been breached.
Leaked login details not only put individuals at risk but companies as a whole. User IDs are very often email addresses of which we tend to have only one or two. And we are all guilty of reusing passwords or using systems like adding ‘1,2,3’ at the end to update our passwords.
Where credentials appear in a breach and the exact same ones are reused on other platforms - think your Facebook passwords being the same as your Gmail password, or your LinkedIn password the same as your work email password - then hackers can easily access web-based systems like email and file folders. This means they can steal data, reset passwords, send emails from your account, manipulate systems and people and potentially steal money by accessing banking or accounting systems.
Two factor authentication, whilst not fail-proof, is a good protection measure and often available for free, for instance for email accounts. Password managers can also be a good option.
With all this cyber risk let’s not forget one thing though: to enjoy the benefits of the internet, to keep on using it to fuel the growth of our businesses.
It was dangerous to sail to other countries all those centuries ago. Insurance helped to spread the risk, giving ship-owners the confidence to set sail. Let’s keep that spirit in the cyber world where yet again insurance is the safety net, allowing all of us to prosper. But let’s also batten down the hatches prudently where we can.