Don’t Click that Bait

Ransomware and the New Frontiers of Fraud

We are all familiar with the stereotype: the socially awkward loner in his dorm room, bathed in the glow of his laptop, intent on viral vandalism. The hacker has become a Hollywood symbol, but the reality is more complex, darker, and infinitely more dangerous. Today’s hacker is just as likely to be part of a criminal syndicate or state-sponsored organization – and increasingly sophisticated and ruthless.

Consider the “ransomware” attack. Attackers use spam, fake software or driver downloads, or infected email attachments to gain a foothold on a single computer or a network of computers. These techniques have one aim: to install malicious software. That software then encrypts data, locking files and other information away. The attackers “ransom” access, promising to restore the systems by handing over the decryption key, but only in exchange for payment through a hard-to-trace channel such as the digital currency Bitcoin or a prepaid card number. Paying may or may not work; as in any ransom scheme, the criminals can renege and demand more.

Still, globally, 40% of companies ensnared by this scheme pay the ransom.1 With that success rate, it is no surprise that ransomware attacks are on the rise. Highly publicized cases include Norfolk General Hospital in Ontario, where individual records were ransomed for $500 per record. A Colorado-based allergy clinic saw the protected health information (PHI) of almost 7,000 U.S. patients, including names, test results, and Social Security numbers, held for ransom. Even law enforcement is not immune: in 2015, a sheriff’s office and a police department in Maine lost access to their computers, which were ransomed for $300 per machine. Other cyber-attack victims include some of the world’s largest corporations, such as Anthem.2,3

Between 2005 and 2014, only 16 families of ransomware were identified; in 2015, 27 new families were discovered; and in the first quarter of 2016 alone, 15 more emerged. The U.S. government reported 321 breaches in the first few months of the year.4 This proliferation is predictable, because a ransomware attack is often a source of quick, easy money: the International Business Times reported that Russian organized cyber-criminals can earn up to $90,000 per year from a single malware release, even one with low infection and payment rates.5

The threat is also increasing in scale and complexity. In the past, many cyber-attacks were indiscriminate: economically motivated hackers launched the same form of assault against many targets. Security software could detect those repeated patterns and protect against them more effectively.

Today, a form of “reconnaissance” is gaining in popularity. Hackers use malicious software to probe servers and report back on their vulnerabilities. This inside knowledge lets criminals write custom code for an assault on a single target. Security software that relies on matching simple, previously seen patterns, such as the file hashes or byte signatures of known malware, is far less adept at recognizing or blocking such a bespoke attack.

Many companies are focused on shoring up IT defenses. Still, the greatest security threat is human: about 90% of all security breaches involve human error.6 Criminals often gain entry to secure networks because employees ignore software updates and security patches, download fake business applications from ‘free’ app stores, respond to direct messages on Twitter and Facebook, or fall prey to ‘social engineering’ scams that use credible-sounding requests to talk people into disregarding normal security procedures. The scariest part? Statistically, many organizations are already compromised and simply do not know it yet.

How do insurance companies in particular fight this future? In the short term, insurers have much to gain by working smarter – not harder – at information security. Three simple steps can make a significant difference:

  1. ASSIGN a dedicated expert or team to security and privacy awareness.
  2. INVOLVE security and privacy representatives in product development processes from the very beginning to ensure the right balance is achieved between protecting customer data and company assets and enabling innovation.
  3. TRAIN anyone with access to information technology, and keep training them. Educate employees on the many types of fraud initiated both electronically and over the phone; continuous security awareness training is an absolute must.

Longer term, advances in artificial intelligence and machine learning will make it easier for automated systems to spot the language patterns in email, text, or social media that may signal a scam. When scammers do get past the safeguards, analysis of network and system telemetry could let insurers flag anomalous activity and spot an intrusion earlier, for example a process that suddenly rewrites large numbers of files. Over time, innovations such as blockchain and other distributed ledgers promise a transparency that could make many of the techniques fraudsters use obsolete.
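The two detection styles contrasted above, pattern matching against a known sample versus flagging anomalous behaviour, can be shown side by side. The following is an added example written for this page, not code from the article or from RGA, and every hash, process, file path and event in it is constructed for illustration; the entropy threshold, time window and write count are assumed tuning values, not figures from the text. A signature detector flags a process only if the hash of its binary is already on a known-bad list, so a recompiled variant with one byte changed slips past it. A behavioural detector instead flags any process that rewrites many files with ciphertext-like (high-entropy) content in a short window, which is what file encryption looks like no matter which binary performs it.

```python
"""Signature-based versus behaviour-based detection of file-encrypting malware.

Added example, not the article's or RGA's code. All binaries, hashes, paths
and file events are constructed here so the script runs offline.
"""
import hashlib
import math
from collections import defaultdict

# Constructed "binaries": an original sample and a recompiled variant that
# differs by one byte. A hash signature of the first cannot match the second.
ORIGINAL_SAMPLE = b"\x4d\x5a" + b"encrypt-loop-v1" + b"\x00" * 32
RECOMPILED_VARIANT = b"\x4d\x5a" + b"encrypt-loop-v2" + b"\x00" * 32

# Constructed file contents: 256 distinct byte values once each has exactly
# 8.0 bits/byte of entropy (ciphertext-like); repeated English text is low.
CIPHERTEXT_LIKE = bytes(range(256))
PLAINTEXT_LIKE = b"Quarterly claims summary " * 10

# Assumed tuning values for this example (not from the article).
WINDOW_SECONDS = 10.0         # sliding window over a process's writes
ENTROPY_THRESHOLD = 7.0       # bits/byte above which a write looks encrypted
MIN_HIGH_ENTROPY_WRITES = 5   # writes in one window needed to raise an alert


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# The "known-bad" list only ever contains samples seen before.
KNOWN_BAD_HASHES = {sha256(ORIGINAL_SAMPLE)}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: documents sit around 4-5, ciphertext and archives near 8."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def signature_detect(events):
    """Flag a process only if the hash of its binary is on the known-bad list."""
    return {e["pid"] for e in events if sha256(e["binary"]) in KNOWN_BAD_HASHES}


def behaviour_detect(events):
    """Flag a process with MIN_HIGH_ENTROPY_WRITES or more high-entropy file
    writes inside any WINDOW_SECONDS window. Legitimate programs also emit
    high-entropy output (archives, images), so the window and count, not the
    entropy check alone, are what keep the false-positive rate down."""
    high_entropy_times = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["t"]):
        if shannon_entropy(e["content"]) >= ENTROPY_THRESHOLD:
            high_entropy_times[e["pid"]].append(e["t"])
    flagged = set()
    for pid, times in high_entropy_times.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > WINDOW_SECONDS:
                start += 1
            if end - start + 1 >= MIN_HIGH_ENTROPY_WRITES:
                flagged.add(pid)
                break
    return flagged


def build_events():
    """Constructed file-write telemetry: {t, pid, binary, path, content}."""
    events = []
    # pid 101: a word processor saving ordinary documents (benign, low entropy).
    for i in range(6):
        events.append({"t": 1.0 + i, "pid": 101, "binary": b"word-processor",
                       "path": f"/claims/report{i}.docx", "content": PLAINTEXT_LIKE})
    # pid 102: a backup job writing one compressed archive (benign, high entropy
    # but a single write, so it stays under the count threshold).
    events.append({"t": 5.0, "pid": 102, "binary": b"backup-tool",
                   "path": "/backup/claims.zip", "content": CIPHERTEXT_LIKE})
    # pid 103: the original sample rewriting six documents as ciphertext.
    for i in range(6):
        events.append({"t": 20.0 + i * 0.5, "pid": 103, "binary": ORIGINAL_SAMPLE,
                       "path": f"/claims/report{i}.docx.locked", "content": CIPHERTEXT_LIKE})
    # pid 104: the recompiled variant doing exactly the same thing.
    for i in range(6):
        events.append({"t": 40.0 + i * 0.5, "pid": 104, "binary": RECOMPILED_VARIANT,
                       "path": f"/policies/policy{i}.pdf.locked", "content": CIPHERTEXT_LIKE})
    return events


def run():
    events = build_events()
    return {"signature": signature_detect(events), "behaviour": behaviour_detect(events)}


if __name__ == "__main__":
    result = run()
    print("signature-based flagged:", sorted(result["signature"]))  # [103]
    print("behaviour-based flagged:", sorted(result["behaviour"]))  # [103, 104]
```

The signature detector catches only the sample it has already seen; the behaviour detector catches both encrypting processes while leaving the word processor and the one-off backup archive alone. In production the same idea is applied to telemetry from endpoint agents rather than an in-memory list, and the window, count and entropy cut-offs are tuned against the organisation's own baseline so that legitimate bulk writers do not trip the alert.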

Technology has opened the door to new and more pervasive forms of fraud, and technology could ultimately help us predict and prevent it.

For now, insurers’ best line of defense is also our best asset: well-prepared people.



3. http://www.theatlantic.com/business/archive/2016/09/ransomware-us/498602/

4. http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/ISTR2016_Ransomware_and_Businesses.pdf

5. http://www.ibtimes.co.uk/russian-cybercrime-bosses-found-making-90000-per-year-ransomware-1563521

6. https://securityintelligence.com/the-role-of-human-error-in-successful-security-attacks/

The Author

  • Dean C. Bryant, Vice President, Chief Security and Privacy Officer, RGA
