Proactive prevention lowers data breach, ransomware risk

This is no longer just an IT issue; it is a corporate challenge requiring C-suite-level asset-protection strategy.

Phishing emails are now the primary delivery method for ransomware attacks. (Credit: Zephyr_P via Adobe Stock)

Data breaches and ransomware attacks have become a regular occurrence and pose a significant threat to the insurance industry.

Taking proactive measures to cut off the data supply that fuels these attacks can greatly reduce the risk of becoming the next victim.

In 2023, ransomware gangs increased the number of victims worldwide by an alarming 55.5% over the previous year, despite greater awareness of the risk and servers hardened to resist infiltration. So this is no longer an IT issue; it is a corporate challenge requiring C-suite-level conversation with an eye toward asset protection and risk management.

What puts your systems at risk in 2024 is often not unpatched software, hardware vulnerabilities or brute-force password attacks on their own. It's the Instagram post by one of your claims adjusters about his recent vacation to Acapulco.

Ransomware attacks have evolved, with phishing emails now being the primary delivery method. These emails are designed to appear authentic to the recipient, enticing them to click on a link that delivers the ransomware payload.

It is important to note, however, that the crude tactics that worked in the past are no longer what employees should expect to see; hackers have adapted to the changing times.

Regardless of the recipient, not many would be taken in by an email that immediately looks suspicious:

But what about an email like this one?

Images provided by author.

Consider this scenario: An email that, at first glance, appears to be from a friend. The casual greeting, a real photo and other personal details can all be pulled by hackers from public internet sources, and together they may convince the recipient that the message is genuine, even though the sender's email address is not the friend's real one.
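The weak spot in the scenario above is that the name and the photo are familiar while the address is not. The following is an added example, not code from the article or from its author, of how a mail gateway or triage script could flag exactly that mismatch: a display name that matches a known contact paired with an address that contact has never used, or a display name that is itself an address different from the real sender. The contact directory, the sample headers and the `KNOWN_CONTACTS` structure are constructed assumptions for illustration.

```python
"""Flag display-name impersonation in an inbound From: header.

Added example; assumes the mail pipeline can hand us the raw From: header
and that the organization keeps a directory of the addresses each known
contact really sends from (both assumptions for illustration).
"""
import unicodedata
from email.utils import parseaddr

# Constructed directory (hypothetical data): display names employees would
# recognize, mapped to the addresses those people are known to send from.
KNOWN_CONTACTS = {
    "dana whitfield": {"dana.whitfield@example.com"},
    "claims team": {"claims@insurer.example"},
}


def normalize_name(name: str) -> str:
    """Lower-case, strip accents/ligatures and collapse whitespace so that
    'Dana  Whitﬁeld' and 'dana whitfield' compare equal."""
    decomposed = unicodedata.normalize("NFKD", name)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return " ".join(stripped.lower().split())


def classify_sender(from_header: str) -> str:
    """Return 'trusted', 'impersonation' or 'unknown' for a From: header.

    'impersonation' covers two tricks:
      1. the display name is itself an email address that differs from the
         real sending address, e.g. "dana.whitfield@example.com" <x@evil.example>
      2. the display name matches a known contact but the address is not one
         that contact is known to use (the 'friend with a different address'
         pattern described in the article).
    """
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    display_clean = display.strip().lower()

    # Trick 1: an address masquerading as the display name.
    if "@" in display_clean and display_clean != addr:
        return "impersonation"

    # Trick 2: familiar name, unfamiliar address.
    key = normalize_name(display)
    if key not in KNOWN_CONTACTS:
        return "unknown"
    return "trusted" if addr in KNOWN_CONTACTS[key] else "impersonation"


if __name__ == "__main__":
    # Constructed sample headers, one per case.
    samples = [
        "Dana Whitfield <dana.whitfield@example.com>",
        "Dana Whitfield <dana.whitfield@gmail.example>",
        '"dana.whitfield@example.com" <attacker@evil.example>',
        "Someone Else <se@other.example>",
    ]
    for header in samples:
        print(f"{classify_sender(header):14s} {header}")
```

A verdict of "unknown" is not a pass: it only means the name is not one the directory would vouch for, so such mail still deserves the usual attachment and link controls. The value of the check is the "impersonation" verdict, which catches the convincing email the article describes before an employee has to judge it on tone and photo alone.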

One financial organization decided to test the impact of these phishing attacks and found that emails like this one routinely averaged a 4% click-through rate, with half of those who clicked also downloading a malicious payload. That means roughly four of every 100 employees at your company are potential phishing victims, and two of every 100 will actually run what the attacker sends. For companies with 500, 1,000 or more employees, it's a sobering thought.

And so the link is clicked, and nothing good follows. Ransomware is delivered; the email no company likes to send to policyholders about the exposure of their account information is disseminated. Your company is in the news for all the wrong reasons. And now it’s just a matter of time before the class-action lawsuit.

It’s easier than you might think for hackers to collect the content that makes these phishing emails convincing. Companies have always collected information to improve sales. The internet and our willingness to trade privacy for online convenience have significantly eased this process.

But in recent years, organizations are not collecting information just to sell more products. They are collecting information on our opinions and behavior — where we go every day and what we do, what makes us happy and what makes us angry — and leveraging that data to generate an emotional response, not to mention more views and clicks.

This data, combined with the types of personal and demographic data already in wide circulation and the incorporation of artificial intelligence, allows hackers to compile an even more comprehensive profile on anyone.

Phishing prevention strategy

Hackers are smart, but they also are lazy. That’s why their phishing focus will always be on situations in which the most comprehensive profiles can be compiled. If personal content on enough personnel at one insurance organization is inaccessible, they will turn their attention elsewhere.

Providing employees with a corporate subscription to a service that monitors for and removes the types of personal information that drive these attacks can cost just a few dollars per employee per year. Some data privacy providers offer attractive licensing options for large organizations as well as preventative solutions. They may, for instance, provide tools such as a VPN and VoIP numbers to replace authentic information (e.g., phone numbers, online search and browsing history) with content that cannot be traced back to an individual user.

Training and education are also essential. While every insurance organization likely provides some guidance on recognizing the typical signatures of phishing emails and texts, a refresher may be necessary on the enhanced capabilities of AI-generated emails and why vigilance is more important than ever. Anything that looks even slightly suspicious should be questioned.

Increasing awareness of the challenge — with both your personnel and your vendors — and reducing access to personal identifying information can prevent AI-enhanced phishing attacks from claiming their next victim. Forward-thinking companies should explore these preventative measures.

Ron Zayas (ron.z@360civic.com) is an online privacy expert, speaker, author and CEO of IronWall360, an Incogni company. IronWall360 provides online privacy protection to both the public and private sectors.