Insurance firms should brace themselves for mobile attacks


The rise in both data breaches and general security events has led to new opportunities, as well as new problems, for the insurance industry. On the one hand, it has meant that more risk managers want insurers to cover against cyber attacks. And while there are opportunities to move into new markets, it also means more pressure on security leaders within insurance firms to ensure that their own cyber risk is addressed.

Insurance companies hold large amounts of personal, confidential and classified data, making them prime targets for hackers. Hackers are wise to the fact that mobile devices are being widely deployed by the insurance industry and represent the weak link in company defenses. Mobility exposes new surface area that is vulnerable to attack; it is essential that mobile be folded into the corporate IT security strategy. 

To better understand the state of mobile security and its impact on the insurance industry, Wandera researchers analyzed a subset of data from the mobile estates of 25 leading insurance firms, collectively comprising more than 10,000 iOS, Android and Windows 10 mobile devices. Six months of anonymized mobile activity was analyzed, surfacing insights that reveal the mobile security posture of the typical insurance firm.  

Insurance firms process an incredible amount of sensitive data, from personally identifiable information on employees and customers to financial data and actuarial models that drive their business. As a result, attackers have been relentlessly targeting employees with a wide range of mobile phishing attacks. These are designed to extract company secrets through the use of sophisticated distribution channels (including SMS, WhatsApp and Skype), as well as thousands of expertly created phishing domains that emulate the appearance of well-known and popular services such as Office 365 and Dropbox. Many of these attacks are even able to defeat two-factor authentication, and efforts such as containerization do little to prevent the loss of sensitive data.

Over the course of a single year, more than one third of employees (36.2%) at the average insurance firm fell victim to at least one mobile phishing attack - most employees did not even know it happened. 

Phishing has become the number one mobile threat. It’s worth considering that iOS continues to offer little room for attackers to exploit with regard to installing malware, and Android has dramatically improved its safeguards against network threats (e.g. man-in-the-middle attacks). Phishing provides an avenue for criminals to target victims with clever campaigns that extract data without the need to compromise the OS or install any applications on the device. 
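One of the few places a defender can intervene in the phishing flow described above is the link itself: a domain that carries a brand name or a look-alike of one but does not belong to the brand's real registrable domain. The script below is an added example, not Wandera's product code or anything from the article. It assumes a small brand-to-trusted-domain table and a constructed set of SMS messages, and flags URLs whose host embeds a brand name, swaps digits for letters (0 for o, 1 for l) or sits one edit away from a trusted domain.

```python
# Added example (not from the article or from Wandera): flag URLs whose host
# imitates a well-known service such as Office 365 or Dropbox, the way a
# defender's SMS/URL filter might. The trusted-domain table and the sample
# messages are constructed for this example.
import re
from urllib.parse import urlparse

# Brand -> registrable domains we treat as genuine (assumed for the example).
TRUSTED = {
    "office365": {"office.com", "microsoft.com", "microsoftonline.com"},
    "dropbox": {"dropbox.com"},
}

# Digits commonly substituted for letters in look-alike hosts.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l"})

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Good enough for .com/.net style TLDs;
    a production filter would use the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def normalise(label: str) -> str:
    """Fold look-alike digits and drop separators: 'drop-b0x' -> 'dropbox'."""
    return label.lower().translate(HOMOGLYPHS).replace("-", "").replace("_", "")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, used to catch one-character typos of a trusted name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host: str):
    """Return (brand, reason) when the host imitates a brand without being one
    of that brand's trusted domains; None when it is genuine or unrelated."""
    reg = registrable_domain(host)
    if any(reg in trusted for trusted in TRUSTED.values()):
        return None  # genuine service, whatever the subdomain
    labels = [normalise(label) for label in host.lower().split(".")]
    sld = normalise(reg.split(".")[0])
    for brand, trusted in TRUSTED.items():
        # 'dropbox.com.secure-files.net' or '0ffice365-login.com'
        if any(normalise(brand) in label for label in labels):
            return brand, "brand name embedded in an untrusted domain"
        # 'micros0ft.co' or 'microsft.com': one edit from a trusted name
        for t in trusted:
            if levenshtein(sld, t.split(".")[0]) <= 1:
                return brand, f"registrable domain '{reg}' resembles trusted '{t}'"
    return None


def scan_messages(messages):
    """Extract every URL from the messages and return (url, brand, reason) for
    the ones that imitate a tracked brand."""
    findings = []
    for msg in messages:
        for url in URL_RE.findall(msg):
            host = urlparse(url).hostname
            if not host:
                continue
            verdict = classify_host(host)
            if verdict:
                findings.append((url, verdict[0], verdict[1]))
    return findings


# Constructed sample messages (not real phishing lures).
SAMPLE_MESSAGES = [
    "Your Office 365 password expires today. Renew at http://0ffice365-login.com/renew",
    "Shared file waiting: https://www.dropbox.com/s/abc123",
    "Payroll update: https://dropbox.com.secure-files.net/view",
    "Sign in here https://login.microsoftonline.com/ to keep access",
    "Claims portal moved to https://micros0ft.co/claims",
    "Lunch at noon? https://example.com/menu",
]

if __name__ == "__main__":
    for url, brand, reason in scan_messages(SAMPLE_MESSAGES):
        print(f"{url}: imitates {brand} ({reason})")
```

Of the six constructed messages, the two genuine Dropbox and Microsoft links pass and the three look-alikes are flagged; the unrelated example.com link is left alone. The check is deliberately about the registrable domain rather than the page content, which is what lets it run on an SMS gateway or a proxy log before anyone taps the link.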

The analysis found that just 2.4% of employees at insurance firms downloaded malware onto a mobile device. Although malware can be extremely dangerous, it appears as though security efforts and education mean that the vast majority of users are able to prevent malware from reaching their devices. However, even though the number of infected devices remains low, this should be a serious concern to insurance firms as they seek to prevent any and all risks of data loss.

It is a well-documented mantra that may have strayed into cliché territory, but by far the greatest form of defence against cyber attacks is to reduce your risk exposure in the first place. Taking measures to limit the opportunities for criminals to target your corporate or BYOD devices is certain to reduce the likelihood of attack.

These measures include implementing an acceptable usage policy. A large volume of cyber attacks originate through adult sites and apps, a category many insurance firms block on corporate-owned networks but not for smartphones on 4G connections or public Wi-Fi hotspots. The same is true of gambling content and other high-risk sites. The average insurance firm employee accesses inappropriate content 140 times a year and high-risk content 18 times a year on their mobile device.

By limiting access to risky content on mobile devices in the first place, the subsequent exposure to threats is reduced dramatically. The average insurance firm employee accesses inappropriate material more than once per month on work-assigned devices, with some users far exceeding that amount. 

Another risk factor that admins must be aware of is apps that are downloaded from third-party app stores or other unapproved download sources. These apps are not necessarily illegal by default, but will not have undergone the robust approval process required by the official Apple or Google app repositories. Mobility leaders are advised to remove the option for sideloading apps on work devices, thus eliminating a major source of malware in the organization. On average, each work-assigned device at an insurance firm will have at least one sideloaded app installed per year. 

Other risks for insurance firms to consider include the unrestricted use of applications and mobile sites that transmit data insecurely. These “leaky” services fail to protect sensitive data as it is transmitted between the device and the Internet. The average insurance firm employee accesses websites or apps that are leaking data 3 times a month on their mobile device.

It’s worth noting that this data is at greater risk should the attacker be using the same network connection as the target - or otherwise control the network that the device is connected to, via a rogue hotspot for example. So while the data may be safe inside the four walls of the insurance firm’s office, the moment the employee makes use of a public Wi-Fi connection, the risk of data loss becomes far greater, thanks to the threat of man-in-the-middle attacks by cyber criminals. Worryingly, around 12% of the networks that users connect to are unprotected from such attacks, and the average device in an insurance firm connects to a vulnerable network every two weeks.
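The two preceding paragraphs pair two observations: a leaky app sends data in cleartext, and that cleartext matters most when the device is on an open or rogue network. The script below is an added example, not code from the article or from Wandera, showing how a defender's log review might combine the two. It assumes a constructed per-request log format written by a traffic inspection point that records the device, the network type and its security, the URL, and (where a form was seen) the names of the submitted fields; severity rises from cleartext alone, to cleartext carrying credential-like fields, to cleartext credentials over an unprotected network. It also counts unprotected-network connections per device, the figure the article reports as roughly one every two weeks.

```python
# Added example (not from the article or from Wandera): score mobile traffic
# records for cleartext ("leaky") transmission and for use of unprotected Wi-Fi,
# and count open-network connections per device. The log format, field names and
# records are constructed for this example; no real product emits these lines.
import re
from collections import Counter
from urllib.parse import urlparse

# Form field names that suggest credentials or policy data (assumed list).
SENSITIVE_FIELDS = {"password", "passwd", "pin", "ssn", "token", "session",
                    "card_number", "policy_number"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) device=(?P<device>\S+) net=(?P<net>\S+) "
    r"url=(?P<url>\S+)(?: fields=(?P<fields>\S+))?$"
)


def parse_line(line: str):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["fields"] = set(rec["fields"].split(",")) if rec["fields"] else set()
    return rec


def network_is_unprotected(net: str) -> bool:
    """'wifi:open' and 'wifi:wep' count as unprotected; cellular and WPA2/3 do not."""
    kind, _, security = net.partition(":")
    return kind == "wifi" and security in {"open", "wep", ""}


def score(rec) -> str:
    """Severity for one record: none, low, medium, high or critical."""
    scheme = urlparse(rec["url"]).scheme.lower()
    open_net = network_is_unprotected(rec["net"])
    sensitive = bool(rec["fields"] & SENSITIVE_FIELDS)
    if scheme == "https":
        # Encrypted in transit; an open network still exposes metadata.
        return "low" if open_net else "none"
    if scheme != "http":
        return "none"
    # Cleartext: anyone sharing the network, or running it, can read or alter it.
    if sensitive and open_net:
        return "critical"
    if sensitive:
        return "high"
    return "medium"


def review(lines):
    """Return (findings, open_net_by_device). findings holds (device, severity,
    host) for every record rated medium or worse; the counter tallies how often
    each device was seen on an unprotected network."""
    findings = []
    open_net_by_device = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line; a real job would also count these
        if network_is_unprotected(rec["net"]):
            open_net_by_device[rec["device"]] += 1
        severity = score(rec)
        if severity not in ("none", "low"):
            findings.append((rec["device"], severity, urlparse(rec["url"]).hostname))
    return findings, open_net_by_device


# Constructed sample log (device ids, hosts and networks are invented).
SAMPLE_LOG = """\
2019-03-04T08:12:31Z device=ins-0142 net=wifi:open url=http://claims-tracker.example/login fields=username,password
2019-03-04T08:13:02Z device=ins-0142 net=wifi:open url=https://mail.example.com/inbox
2019-03-04T12:40:17Z device=ins-0077 net=cellular url=http://weather.example/today
2019-03-04T12:41:55Z device=ins-0077 net=wifi:wpa2 url=http://legacy-quote-tool.example/submit fields=name,policy_number
2019-03-05T09:02:44Z device=ins-0142 net=wifi:wep url=https://intranet.example.com/
malformed line that should be skipped
""".splitlines()

if __name__ == "__main__":
    findings, open_counts = review(SAMPLE_LOG)
    for device, severity, host in findings:
        print(f"{device} {severity:8} {host}")
    for device, n in open_counts.items():
        print(f"{device} connected to unprotected networks {n} times")
```

On the constructed log the login form posted in cleartext over open Wi-Fi comes out critical, the cleartext quote tool carrying a policy number over WPA2 comes out high, and the cleartext weather page is only medium; the HTTPS requests are not reported as findings even on the open network. The per-device counter is the input you would trend over time to see whether a fleet's exposure to unprotected networks is moving in the right direction.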

Employees seem to understand that work laptops are for work purposes and will therefore have restrictions and security controls that will somewhat interfere with their freedom of access. But when it comes to mobile devices, there is a different attitude and set of expectations. Mobile devices are inherently personal and when employees carry them outside the office there is no real physical reminder that a device is a corporate tool and should be treated that way and used with caution. 

The insurance industry has long been a target for hackers. There is clearly a pressing need to implement data protection solutions and ensure that companies have a robust mobile security strategy in place, especially in light of recent privacy regulations, such as Europe’s GDPR. Understanding where your company’s weak points are is the first step to making sure you are equipped to deal with the latest threats.  

Michael Covington, VP of Product at Wandera 
