Remote working has enabled the operational resilience of insurers while offering employees safety and greater flexibility in how they go about their job. But this comes with new cyber security threats.
Insurance firms are at a crossroads as they assess their workplace strategies. The shift to remote working has been broadly successful and firms are now considering medium and long-term approaches that would offer their people more flexibility in choosing
wherever to work at home, in the office, or in a cafe. The exact approach will be different for each firm, but one thing that will be common for all will be getting to grips with how the cybersecurity landscape and their risk profile is evolving.
The past few months have witnessed substantial changes in how — and what — information is accessed and processed remotely. Cybercriminals are aware of these changes and have been looking to exploit new opportunities and vulnerabilities they create. The “value”
to cybercriminals varies widely and can be the assets someone has access to, the span of control, influence and knowledge they may have or simply as a way of gaining access to other areas within the business, particularly if they hold access or assets outside
of their usual working environment.
Under normal circumstances, firms deploy a variety of controls to prevent, detect and mitigate the impact of cyberattacks. But as users move outside of their normal business environments, their focus on security controls can relax and the risk of attack can
increase. Equally, many firms might have decided temporarily to relax security policies to sustain productivity; improve capacity for their remote access infrastructure; and allow data to be processed in new and temporary locations. Unsurprisingly, the number
of
cyberattacks against home workers has more than tripled since lockdown began.
Office-based roles in the insurance industry including contact centres, claims analysts and underwriters pose an increased cybersecurity risk, especially if processes or controls have been temporarily relaxed to enable remote working. We’ve monitored criminals
trying to take advantage of temporary processes and exploit contact centre agents by attempting to trick the agent into doing their bidding.
Although firms may be relaxing their policies, regulators are certainly not. Insurance firms are still bound by the same requirements, such as the EU’s General Data Protection Regulation, as if they were operating “business as usual”. This can be particularly
challenging for areas such as contact centres who handle volumes of sensitive consumer data and are not used to working remotely.
When adapting to working remotely, the security controls on user devices, connectivity and visibility of security posture have an important part to play. This includes not only desktop/laptop devices and mobile phones, but printers as well. In some cases, employees
are now prevented from printing sensitive documents at home while documents shredders should be used to dispose of company materials when no longer required.
Education and awareness as to the risks are just as important, especially for employees undertaking activities previously not performed remotely, for example, processing insurance claims.
One observation is that employees often feel safer and more relaxed in their own homes which can alter their risk appetite and concentration in terms of clicking on links or validating connections and emails. They may also be tempted to use their personal devices,
which are not protected by the company’s cybersecurity measures, to perform tasks. A recent
survey found that 77% of employees were not worried about cybersecurity while working from home – a worrying statistic for insurers.
Potentially overlooked, supporting roles such as executive assistants often have delegated access and authority. They can represent as high a risk as their executive when working remotely. The key is not to take a “blanket approach” across the organisations
but to dig deeper into analysing the specifics around individual roles and their risk profile.
While some may be more obvious than others, any role can be exposed to a greater level of threats while working remotely. As the insurance industry decides on its future operating model, this is an excellent time to reassess, react and reset strategies and
assumptions on cybersecurity along with the threats employees now face.