As insurance companies come under cyber attack, Nigel Thorpe, technical director at SecureAge Technologies, suggests that it’s time to beat the ransomware criminals at their own game.
In May 2021, UK-based One Call became the latest insurance firm to be targeted by ransomware criminals. It is suspected that the attack was carried out by the DarkSide gang, responsible for a string of high-profile ransomware attacks around the world. Earlier in the year, CNA Financial Corp., among the largest insurance companies in the US, was reported to have paid $40 million to regain control of its network after a ransomware attack.
The irony of this increase in attacks on insurance firms is that the introduction of cyber insurance policies is in part blamed for fuelling the growth in ransomware attacks, as the criminals know that the insurers will pay up. However, this may be changing and AXA has become the first major insurer to stop writing cyber insurance policies in France that reimburse customers for extortion payments made to ransomware criminals.
The problem is that insurance companies are all about information, to make accurate decisions about risk, using data from multiple sources. This concentration of data on people and businesses makes insurance companies a key target for cybercriminals and the financial fall out from a cyber-attack along with the reputational damage and loss of trust can be devastating.
Data security is therefore critical to the success and continued existence of every insurance company, which must deal with accidental data loss, deliberate insider theft as well as data exfiltration by external cybercriminals.
Time for a change
The traditional approach to preventing a cyber attack is to stop the malicious threat actors getting in, using multiple layers of defence. But history tells us that it’s impossible to prevent every determined and skilled hacker, particularly when humans are involved as initial attack targets. Most ransomware starts with a phish and you can do all the cyber training for staff that’s available but chances are that some employee, at some point, will click on a malicious link that launches an attack.
So, it’s time to think differently and play the cybercriminals at their own game. We must rethink the traditional ‘castle and moat’ methods of protection and adopt a data-centric approach where security is built into data itself. If all data is encrypted before a ransomware attack takes place, it is useless to the cybercriminal. They can’t decrypt the data and they can’t demand a ransom for data that is already encrypted.
But this strategy only works if all data is encrypted – not only at rest but also in transit and in use, on site, on a remote device or in the cloud. Full disk encryption will protect data when it is at rest on a powered-off hard disk or USB stick, which is great if you lose your laptop but is of absolutely no use in protecting data against unauthorised access or theft from a running system.
Then there are the data security silos, where sensitive information stored in specific locations is all encrypted. The problem here is that staff need to run reports, analyse data, make presentations and work on quotes and proposals, all extracting data from applications and data silos. And with many more people working from home on corporate or personal laptops, sensitive data is often downloaded and saved in local storage.
All or nothing
What is needed is universal file-level encryption where security and authentication is built right into each file for all data, all of the time. The problem is that traditionally, encryption has been perceived as complex and costly to deploy and detrimental to performance and productivity. That’s why another accepted norm when it comes to encryption is to encrypt only the ‘most important’ or ‘sensitive’ data.
When it comes to unstructured data – such as intellectual property, merger and acquisition plans, letters, emails and evidential data – this has to take into account risk and business impact analysis and regulatory requirements. Manual classification is impractical for most organisations but automation means that search patterns and rules must be developed, so that it is highly likely that a proportion of sensitive data will be misclassified. In addition, often the user is allowed to override the assigned classification.
However, it is easy to argue that all data is sensitive. Cybercriminals increasingly patch together seemingly random pieces of data to create sophisticated phishing attacks or to construct digital profiles to use for identity theft. The common approach of high security only for the most important data is flawed simply because people are involved. If there were no disadvantages to implementing the highest levels of security for all data, why wouldn’t you do this?
Data encryption has been with us for decades, and modern encryption technology is available, delivering strong and persistent encryption which can be implemented without impacting users, applications or business processes. It’s tried and trusted technology and should be used to protect all data – not just that which is classified as the most important.
By actively choosing to encrypt all data – whether it is stored, in transit or in use – we are finally designing security into the only thing which has value – the data itself. In effect it’s reverse ransomware – criminals no longer have the ability to threaten an organisation by shutting down systems or publishing data, so the ransom leverage is null and void. While this may reduce the demand for cyber insurance policies, it is a small price to pay for the insurance industry to avoid making their own ransomware headlines.