The insurance industry is under digital siege. A rising number of cyber threats target European insurance companies, some of which endured downtime due to the severity of the attack. We've seen an uptick in supply-chain attacks, but the number one cyberattack remains Ransomware. Fortunately, AG Insurance has been spared from major cyber breaches. Here's how we did that.
Patrick Sergysels
Head of Data Management &
Chief Information Security Officer
In this article
Cyber criminals have raised the stakes
Traditionally, they would get a hold of sensitive information, encrypt it and demand ransom from their target to release it. In recent years, however, bad actors applied double pain attacks, i.e. they added a second possible consequence called exfiltration. Instead of merely encrypting the organisation's data, attackers threaten to release the info into the public domain, making the organisation liable for GDPR infringements.
Same attack vectors with a twist
Across the finance industry,cyber criminals commonly use credential stuffing, man-in-the-middle and MFA fatigue attacks. However, phishing still leads the pack, preferred for its cost-efficiency and effectiveness.
Nowadays, anyone can hire a phishing-as-a-service provider. These providers help anyone execute the most hard-hitting phishing campaigns possible. With a low entry cost and little technical ability required, they've effectively democratised cybercrime. The upside is significant: last year online nearly 40 million EUR was stolen as result of phishing.
Phishing exploits the weakest link in an organisation's cyber security posture: humans. No matter the delivery methods, these attacks succeed because they either catch the user off guard due to their lack of awareness or uncareful usage of credentials like passwords and usernames.
Cybersecurity is not an afterthought at AG
Despite these threats and possible consequences, many organisations fail to prioritize cybersecurity, frustrating many C(I)SOs in the process. Non-cybersecurity managers often consider cybersecurity a cost rather than an asset, resulting in meagre budgets, lack of resources and having to play catch-up when new risk-prone business projects are developed.
That's where AG stands out. Because of our industry's sensitive nature and significance on Belgium's economy – we manage 65+ billion EUR under assets—we've been prioritising cybersecurity for years. And it shows in different ways. Our department has been blessed with colleagues who are aware of the possible implications and willingly adopt new, more stringent security measures. This awareness translates into our company's procedures.
Information security as a policy is integrated into our company's risk framework. With the initiation of a new business project, it's standard practice for us to become integral members of the development team, alongside our business and risk counterparts. The entire team collaborates closely to analyse risk and define security measures. This discussion loop allows us to leave our mark and develop project-specific security measures that add to the value of a project.
The measures AG Insurance takes
Raising awareness is our number one priority. Given that 8% of Belgians don’t even know phishing, we make a concerted effort to inform our users about its existence, its many forms and its consequences. Recently, we launched an anti-phishing campaign to warn users about the dangers and the signs of phishing. Additionally, we've developed a random testing scheme for our colleagues. We regularly send these to assess our colleagues' ability to recognise and deal with phishing emails appropriately. The fact that our colleagues requested frequent testing is a testament to our awareness efforts.
To complement these, we've deployed a series of technical measures. Our colleagues use up to 15 or more applications per day. Initially, they were required to create complex and unique passwords for each application, but few people actually do that. An attacker would only need to breach one of those applications to get access to all of them.
Instead, we've implemented a single sign-on mechanism, allowing users to access their applications easily. As we're steadily rolling out cloud-based applications in our organisation, we'll develop SSO for cloud environments.
Furthermore, we introduced 2FA. Initially, our colleagues' password was coupled with a PIN code as a second factor on laptops, and an authenticator app on mobile devices, which improved our security posture. Nevertheless, it didn't prevent the phishing of passwords. So, instead of shielding passwords from potential attackers, we took them out of the equation entirely. We're transitioning to a passwordless IAM setup that enables our colleagues to log into their devices with a biometric scan and a device-specific PIN code. By replacing a knowledge factor with an inherence factor, we've significantly reduced a phisher's attacking surface.
Conclusion
As cyber security experts we often play catch-up with potential cyber attackers. Fortunately, we can rely on AG's company-wide support and resources, and my colleagues' technical abilitiy and awareness to mitigate new attack vectors. We're developing new measures and technologies to stay one step ahead of lurking cybercriminals. Be sure to follow this blog for regular updates.
-