How to guard against an insurance data breach and keep your cyberspace secure
Regardless of the size of your company, you run the risk of a cyber attack, which grows with the number of employees you have, particularly now since some employees are still working from home. In an Oct. 2022 Renolon article, it’s reported that on average, 47.63 percent of small businesses are hit by cyber attacks. Granted, an insurance data breach in a smaller firm happens less frequently than those against major companies or insurers – but those hackers will try to use you to move higher up the food chain, into still larger companies or carriers.
Hackers know that few small businesses put a huge priority on processes to prevent and manage cyber attacks. Verizon's 2021 Data Breach Investigations Report states the number of small businesses that have experienced a cyber attack has increased steadily over the last few years. Some reasons contributing to the rise compared to larger companies are smaller businesses often have fewer security defenses in place and hackers find easier access to data.
Insurers and their clients store more consumer data than ever, making them an attractive target for insurance data breaches. As hackers become more sophisticated and insiders become bolder, they need to safeguard data that belongs to them and their clients.
The C-suite can close their eyes to the problem, hoping to fly under cyber thieves’ radars because they’re so small; many companies will be successful – for a while. Plus, smaller companies just don’t have the IT budget for robust cyber security. However, “When it comes to security breaches, there are two kinds of companies: those that know they’ve been hacked and those that haven’t yet discovered they’ve been hacked,” said one security expert.
Not only can they wreak havoc inside your company’s systems and with your client data, but what if you become the door to a larger breach? Try explaining that to the head of IT Security when they find out you, unknowingly, passed along malware causing their data breach, due to your lack of in-house security.
Security analyses also show that once you’ve been the target of an insurance data breach, you have an even greater likelihood of a breach occurring again and again, barring any robust protection you engage.
According to a QuickBooks commissioned survey, “More than one in five small businesses (23 percent) describe cybersecurity as one of the biggest threats they currently face.” The survey reflects the following list of small business exposure to cybersecurity breaches:
- Malware 18%
- Phishing 17%
- Data breach 16%
- Website hack 15%
- Denial of service 12%
- Ransomware 10%
In this post we’ll focus on phishing and ransomware.
Posted: No phishing, spear-phishing or whaling
Certain types of attacks–social engineering attacks, like phishing, for example–are much more commonly aimed at small businesses, according to this article in StrongDM.
First, a few definitions. You know what phishing is: tricking unknowing victims into providing usernames, passwords, credit card details, etc. by sending an email with a link to a phony website that looks like the real thing – but isn’t. It’s like fishing with a net: no one in particular is targeted, but the scammer figures he’ll catch one or two. Spear phishing is a little more sophisticated in that the scammer knows a little more about you, and the email looks quite a bit more authentic. These emails can target all your employees, for instance. Then there’s going after the big fish: whaling, which targets executives, using their name, email address, phone number and company name, luring them to a phony website to gain backdoor entry into their systems. When headlines focus on Russia, China and North Korea vying for major company secrets, and the tens of millions of credit card details and other personal data exposed in breaches, it’s easy to believe that a targeted attack only happens to the big guys. However, no business is too small or too obscure to become a target, and it’s tough to know when cyber attackers have your organization in their sights. Insurance agencies store more consumer data than ever, making them an attractive target for cyber attacks.
Social engineering mimics you
Another phishing scheme used by hackers is social engineering. Think of it as a con game: The con man studies his victim, getting to know her, and then persuades her to do something that she wouldn’t otherwise do, because the victim thinks she’s protecting herself.
It could be anything from being tricked into thinking your computer has been infected with malware (a computer virus) or you’ve accidentally downloaded illegal content – then the con man offers you a solution to instantly fix the bogus problem. But the “fix” actually downloads the malware so hackers can gain access. The three phishing schemes above fall under this loose category, as does something as simple as the hacker in the form of a potential client leaving a USB thumb drive where you’re sure to find it. You load it onto your computer so that you can figure out who it belongs to, and voila! You’ve installed malware.
Ransomware holds your agency hostage in an insurance data breach
Ransomware is malware that prevents users from accessing files and data on their computer and threatens permanent encryption or deletion of that data if a specified ransom amount isn’t paid, and according to a ransomware report by Coveware, 82 percent of ransomware attacks target small businesses.
Hackers don’t particularly want to destroy or permanently encrypt the data – they just want quick cash. Historically, the ransom demand has been a relatively small amount, to make payment the easier choice: just pay the nuisance sum and get data access restored quickly. When one of your employees unknowingly clicks on a file or attachment that contains a ransomware virus, it will enter your system and hold it hostage.
Ways to minimize or eliminate your ransomware risk are with solid and efficient backup procedures and data restoration plans. With a robust backup system in place, even if your company’s data is encrypted by hackers, that same data is recoverable from your own backup systems.
The recent BakerHostetler Data Security Incident Report states, “Ransomware remained the most prevalent and impactful type of data security incident. Investments in security enhancements and business continuity practices are making companies more resilient and less likely to choose to pay, driving down the average ransom payment amount.”
In our next post we’ll talk more about how you can beef up security and train employees to spot these schemes before they infect your system, to protect your company from an insurance data breach.
What Percentage of Small Businesses are Hit By All Cyber Attacks [2022 Update] (renolon.com)
2021 SMB Data Breach Statistics | Verizon
Small Business Insights: Inflation now the No.1 concern for small businesses - QuickBooks (intuit.com)
35 Alarming Small Business Cybersecurity Statistics for 2023 | StrongDM
Ransomware Quarterly Reports (coveware.com)
BakerHostetler Launches 2022 Data Security Incident Response Report - Resilience and Perseverance | BakerHostetler (bakerlaw.com)