Issue:  2012-07-23

The Creeping Risk of Mobile and Personal Devices in Insurance

No doubt you've heard about the 'consumerization of IT' or the Bring Your Own Device (BYOD) trend. BYOD is nothing new in the insurance industry – for many years, independent agents and brokers have used their own computers to access insurance company applications and run their businesses. But you may not be aware of the creeping cybersecurity risks from personal devices – a risk that affects independent agents, policy holders and insurance companies alike.

Growing Risk of Malware

Cybercriminals have been busy crafting new malware that targets users' login credentials and financial information. The objective of many malware programs is to steal the usernames and passwords for sensitive accounts. According to the Aite Group, 2011 saw 25 million new unique strains of malware, and that number is expected to reach 87 million new variants by the end of 2015. Even platforms once considered immune, such as the Mac, are now targets of malware.

It's getting harder to avoid the growing number of Trojans and other strains of malware. Once it was enough to be vigilant about never opening suspicious emails. Today, malware threats come in many forms:

Shared devices: Children use a home or parents' business computer at ever-younger ages, and may unknowingly download malware that silently infects the computer.

Topical event searches: Cybercriminals use SEO techniques to make sure their sites rank highly for breaking events (such as Whitney Houston's death), then plant drive-by downloads on those sites, which install malware Trojans automatically when the page is visited.

Hidden URLs: Shortened URLs, common on sites like Twitter, make it difficult to determine exactly where a link will take you.

Image searches: Cybercriminals embed drive-by downloads in popular images, then make sure those images show up in image searches.

Syndicated ads: With multiple levels of ad syndication, an attacker can implant a malware-infested ad on an otherwise trusted site, without the site ever seeing or vetting the ad.

All of these can easily infect the typical agent's computer, smartphone, iPad, or other devices.

In 2011, ThreatMetrix found that on a typical day, between 4% and 7% of the transactions reaching its customers came from compromised devices.

Figure: Percentage of transactions from compromised devices, 10 days in November 2011. The company profiles nearly 1 billion devices on a monthly basis.

The Rise in Mobility

Agents and customers are connecting to insurance applications through more channels and devices than ever before. For instance, agents use iPads to work remotely from the local Starbucks, or check email on a phone on the way home from work. Customers use mobile insurance apps to file and view claims or track investment-linked insurance policies. People may switch between devices many times during each day. As much as we love our mobile devices, we're not always careful about what types of software we download to them, or how secure the Wi-Fi networks are where we use them. The increase in devices means a corresponding increase in risk.

Looking again at the ThreatMetrix network data, we found the number of transactions from mobile devices doubling in less than a year.

Cybercriminals are Looking for Identities and Money

Criminals are turning their focus to identity theft and exploits for financial gain – and insurance systems have a wealth of identity and financial information. Cybercriminals will target systems containing financial information with identity takeover – using stolen credentials to gain access to applications. These attackers can often cover their tracks well, making it difficult to discover their presence until the damage is done. They may even hide cookies and disguise device characteristics to look like a legitimate agent or customer. Passwords are not a strong enough defense.

Some insurance companies give agents tokens or other multi-factor authentication methods to secure their logins. While multi-factor authentication is good at determining that someone is who they claim to be, an infected device can still intercept and exploit an authenticated session. A man-in-the-browser (MitB) malware attack can get around multi-factor authentication. Insurance agencies need layered, integrated defenses to get an accurate picture of who is connecting to applications, and whether their devices are infected with malware or disguised by a criminal.

Mitigate the risks with policies and technologies

It's time for the insurance industry to implement a new security policy around the BYOD trend. In this case, it's your own risk that you're insuring, by putting policies and technologies around application access.

Only through a combination of training, education, behavior and technology can you reduce the risk from unmanaged devices reaching insurance applications.

Here are a few guidelines for creating BYOD defenses in the insurance industry:

1. Analyze the entry points

Create a general profile of the applications and access points used by unmanaged devices, whether they belong to customers or agents:

• Who is accessing applications remotely from their own devices? For example, you can require agents and brokers to take certain measures, but imposing access criteria on customers is more difficult.

• What devices are they using to access critical applications and data? Can you identify those devices as 'good' and free from malware?

• Which business applications are open to remote access, and what sensitive or regulated data resides in those applications?

You can't 'lock down' sensitive applications, but you can apply layers of defenses around them.

2. Establish guidelines for agents' and brokers' devices

With independent agents, you can put some controls around the devices that the agents use to connect to internal applications, including:

• Use of anti-virus software

• Anti-malware scanning

• Maintaining up-to-date operating system patches

• Password policies (complexity, strength, change)

• Multi-factor authentication

However, education and policies are only a small part of your defenses: even well-intentioned users can easily pick up malware, and the protections on their devices can be bypassed.

3. Trust but verify

It's not enough to train agents and brokers about best practices – you need to automate policy enforcement as well. For example, you can add client-side verification of the security status of an agent's computer before allowing access to your applications. And by looking for malware in the real-time connection from any device, you can prevent customers with infected devices from compromising the privacy of their own insurance information.

4. Look for imposters

So far we've been talking about legitimate agents and customers accessing your applications from devices that may carry malware. The other essential challenge is protecting applications and customer data from malicious or fraudulent users impersonating legitimate agents and customers. For this, you need device identification technologies that can spot devices disguising their real locations, turning off cookies, and/or hiding behind proxies. These technologies can also spot devices used by many email addresses, or devices known to belong to bots or criminals.

5. Re-assess the risk regularly

You should continuously track the compromised devices reaching your network and the trends in threats, and take appropriate actions through technology and/or agent education.
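To make steps 3 to 5 concrete, here is an added example (not from the original article or from any vendor's product) of the kind of per-session triage a device identification layer performs: it scores each login against the indicators named above (malware seen in the session, cookies disabled, proxy use, a location that disagrees with the device, one device driving many email identities) and tallies the daily decisions so the trend can be tracked over time. The session records, field names and thresholds are all constructed assumptions for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample of login sessions, shaped like what a device-identification
# service might record. Field names and values are assumptions for this example.
FIELDS = ("sid", "device", "email", "cookies", "proxy", "ip_country", "tz_country", "malware")
SESSIONS = [dict(zip(FIELDS, row)) for row in [
    ("s1", "dev-A", "agent01@example.com", True, False, "US", "US", False),  # clean agent login
    ("s2", "dev-B", "cust07@example.com", True, False, "US", "US", True),    # session profiling saw malware
    ("s3", "dev-C", "cust12@example.com", False, True, "DE", "US", False),   # no cookies, proxy, geo mismatch
    ("s4", "dev-X", "agent02@example.com", True, False, "US", "US", False),  # dev-X used by three identities
    ("s5", "dev-X", "agent03@example.com", True, False, "US", "US", False),
    ("s6", "dev-X", "cust20@example.com", True, False, "US", "US", False),
]]
SHARED_DEVICE_THRESHOLD = 3  # assumed cut-off: this many distinct emails on one device is suspicious

def session_signals(s, emails_per_device):
    """Return the imposter / compromise indicators that apply to one session."""
    signals = []
    if s["malware"]:
        signals.append("malware")            # web session profiling flagged the device
    if not s["cookies"]:
        signals.append("cookies_disabled")   # device is avoiding cookie-based identification
    if s["proxy"]:
        signals.append("proxy")              # connection is hiding behind a proxy
    if s["ip_country"] != s["tz_country"]:
        signals.append("geo_mismatch")       # IP location disagrees with the device's timezone
    if len(emails_per_device[s["device"]]) >= SHARED_DEVICE_THRESHOLD:
        signals.append("shared_device")      # one device driving many identities
    return signals

def decide(signals):
    """Block on malware or two or more indicators; step up authentication on one; else allow."""
    if "malware" in signals or len(signals) >= 2:
        return "block"
    return "step_up" if signals else "allow"

def triage(sessions):
    """Map session id -> (decision, signals) for one batch of sessions."""
    emails_per_device = defaultdict(set)
    for s in sessions:
        emails_per_device[s["device"]].add(s["email"])
    results = {}
    for s in sessions:
        signals = session_signals(s, emails_per_device)
        results[s["sid"]] = (decide(signals), signals)
    return results

def decision_counts(sessions):
    """Daily tally for tracking the trend in compromised or suspicious devices over time."""
    return Counter(d for d, _ in triage(sessions).values())
```

Running `decision_counts` over each day's sessions and charting the "block" and "step_up" shares gives the same kind of trend line as the compromised-device percentages cited earlier.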

The technologies to do this are readily available today, and are already widely deployed in the financial services industry.

They include:

Device identification: These technologies can find anomalies such as a disguised location, IP address or device type. They can also spot known compromised devices.

Global threat intelligence: The only way to stay on top of the changing threat environment is to connect with a network of sites sharing information about compromised devices, malicious users and new exploits.

Malware identification: Web session profiling software can detect compromised devices and potential Trojans, such as malicious JavaScript that steals login credentials.

Client-side protection: Give agents tools to identify and lock down malware on their systems, ensuring safe transactions and sessions with your business systems.

Assessing and mitigating risk is at the heart of the insurance business – it's time to put risk mitigation into practice for the applications driving the insurance business. By doing so, you can create a healthy balance of security and convenience that supports your business objectives while protecting agents, policyholders and your core business from fraud and crime.