Cybersecurity is a growing concern for all businesses. As insurers increasingly turn to data-driven solutions to improve the sales process, this only heightens the urgency for implementing effective safety protocols. At RGA, we work continuously at all levels of the organization and in all global locations to maintain the highest level of cybersecurity, and we collaborate with our partners to help elevate practices across the industry.
As part of our lead-up to the 10th annual RGA Fraud Conference, which will take place virtually on August 15-18, I sat down for a brief Q&A with Tim Reboulet, Principal Consultant at SpearTip, a leading cybersecurity firm. I met Tim while he was in the Secret Service and I was at the FBI, and I know him to be a respected member of the cybersecurity community. Tim provided several very practical steps that all companies, both big and small, can take right now to protect their systems and data from online threats.
How would you describe the current cybersecurity environment?
The current threat landscape is as treacherous as it has ever been given the war breaking out in Ukraine amid what was already an ongoing increase of state-sponsored threat actors. Other trends, such as increases in remote working and use of digital currencies, are also creating new attack opportunities. Meanwhile, as ransomware capabilities advance, a general lack of adequate preparedness persists among individuals, governments, and businesses.
Let’s start with business email compromise (BEC) attacks. What are they and how can companies work to prevent them?
BEC attacks employ social engineering tactics to trick unsuspecting employees. BECs are akin to the Nigerian letter-writing schemes of the 1990s and often use subject lines containing words such as request payment, transfer, and urgent. BECs can evade traditional security solutions because the scams do not have any malicious links or attachments. In addition, some cyber insurance may not cover BECs as they are classified as common theft or user error. The best way to combat BEC attacks comes down to one essential and ongoing process: educating and training employees.
Some examples of BECs include:
- The bogus invoice scheme: Attackers pretend to be suppliers requesting fund transfers for payments to an account owned by the attackers.
- CEO fraud: Attackers act as the company CEO or another executive and send an email to employees, requesting that they send money to an illicit bank account.
- Account compromise: An executive or employee’s email account is hacked and used to request invoice payments to vendors listed in their email contacts.
- Attorney impersonation: Attackers pretend to be a lawyer or someone from a law firm in charge of vital and confidential matters.
- Data theft: Employees with access to personal data are targeted to obtain personally identifiable information (PII) and protected health information (PHI), which can be sold on the dark web or used for extortion.
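Because a BEC message carries no link or attachment, detection has to look at the headers and wording instead. The following triage script is an added illustration, not part of the interview or SpearTip's tooling; the messages, domains, executive directory and scoring weights are all constructed for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed values for this example (not real addresses or a real directory).
INTERNAL_DOMAIN = "example.test"
EXEC_DIRECTORY = {"jane doe": "jane.doe@example.test"}
URGENCY_TERMS = ("request payment", "transfer", "urgent", "immediately", "wire")
BANK_CHANGE_TERMS = ("new account", "updated bank", "new bank")

SAMPLES = {
    "ceo_fraud": ('From: "Jane Doe" <jane.doe@examp1e-mail.test>\n'
                  "Reply-To: <jane.doe.ceo@free-webmail.test>\nTo: payroll@example.test\n"
                  "Subject: Urgent - request payment before 5pm\n\n"
                  "Please transfer $48,000 to the new account today and keep this confidential.\n"),
    "bogus_invoice": ('From: "Acme Supplies AP" <billing@acme-supplies.test>\n'
                      "Reply-To: <billing@acme-supp1ies.test>\nTo: ap@example.test\n"
                      "Subject: Invoice 2291 - updated bank details\n\n"
                      "Please note our new bank details for all future payments.\n"),
    "benign": ('From: "Jane Doe" <jane.doe@example.test>\nTo: finance@example.test\n'
               "Subject: Q3 transfer pricing notes\n\n"
               "Attaching the notes from yesterday's review. No action needed.\n"),
}

def score_bec(raw: str):
    """Return (score, reasons) for one raw RFC 5322 message; higher is more BEC-like."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    reply_domain = reply_addr.rsplit("@", 1)[-1].lower() if reply_addr else from_domain
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    score, reasons = 0, []
    # CEO fraud: an executive's display name on an address that is not the directory entry
    expected = EXEC_DIRECTORY.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        score += 3; reasons.append("executive display name on non-directory address")
    # Account compromise / lookalike domains: replies routed somewhere other than the sender
    if reply_domain != from_domain:
        score += 2; reasons.append(f"reply-to domain {reply_domain} differs from {from_domain}")
    # Bogus invoice scheme: the message changes where payments should go
    if any(t in text for t in BANK_CHANGE_TERMS):
        score += 2; reasons.append("banking details change requested")
    hits = [t for t in URGENCY_TERMS if t in text]  # the subject-line wording named above
    score += len(hits)
    if hits: reasons.append("urgency/payment wording: " + ", ".join(hits))
    return score, reasons

def flagged(raw: str, threshold: int = 4) -> bool:
    """True when the message should be held for human review before any payment is made."""
    return score_bec(raw)[0] >= threshold
```

A scorer like this belongs behind the payment process, not in place of it: the benign sample still scores on the word "transfer", so the threshold and a verification call on the known phone number of the requester remain the real control.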
Same question for ransomware: What is it and what steps can businesses take to prevent falling victim to it?
Ransomware gets onto your computer and encrypts your data or locks your operating system. As soon as ransomware gets a hold of a “digital hostage,” such as a file, it demands ransom for its release. Ransomware infections can occur in various ways – insecure websites, software downloads, spam email, and more.
Several factors may make your business a target of ransomware: outdated computers, outdated software, unpatched operating systems, improper backups, and the lack of a true cybersecurity solution. A business can do some simple things to prevent being victimized by a ransomware attack:
- Avoid clicking on links in spam messages or on unknown websites. Clicking on malicious links can start the process of downloading ransomware to your operating system.
- If you receive a call, text message, or email from an untrusted source requesting PII, do not reply. Threat actors collect data prior to a ransomware attack, which they use to tailor phishing messages.
- Avoid opening any malicious email attachments. Pay close attention to the sender, and be sure the email address is correct.
- Regularly update your operating system with the latest security patches; it makes it more difficult for a threat actor to exploit any vulnerabilities.
- Rely on trustworthy and verified sites for downloads. Make sure the browser address bar of the page you are visiting uses “https” instead of “http.” A shield lock or symbol in the address bar can also indicate the web page is secure. Be wary of downloading anything on your phone unless it’s from the Google Play Store or the Apple App Store.
- When using public Wi-Fi, be sure to utilize a VPN. Additionally, disable remote desktop protocol (RDP) on your computer if you are not utilizing it.
How should a business go about developing an overall cybersecurity plan?
It is important to identify your business’s most valuable digital assets and determine where your cybersecurity measures need to be improved. The National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) is a tool that can help with this. The NIST CSF includes guidance on self-assessments, planning guidelines, and other updates in response to advancements in security threats. The NIST CSF’s five Functions represent crucial steps in a business’s approach to risk management.
- Identify – outline cybersecurity risks that threaten all company assets, including personnel and data.
- Protect – establish systems to defend critical assets.
- Detect – identify events that could threaten data security.
- Respond – act to neutralize threats as they arise, according to predetermined solutions.
- Recover – plan a course of action to restore functionality in the event of a catastrophic incident.
What are some things every employee can do to keep their company protected from cyber threats?
The human element represents the most significant risk to networks and systems, which makes employees the most important line of defense. Any employee could be the weak link that creates an opening for a cyber-attack. Cybersecurity must therefore be a priority for everyone in the company – from the board of directors to the latest new hire. It is vital to constantly educate, inform, and train a workforce on good cyber hygiene. This can involve internal and external penetration testing, tabletop exercises, and phishing campaigns, among other activities.
Other important steps to take include making sure to update software and hardware as new versions become available, regularly backing up data to ensure operations can continue in the event of a ransomware attack, and using multifactor authentication throughout business and personal accounts to add that extra layer of security.
What is the single most important thing every person can do to avoid a cyber-attack?
Remain vigilant – always. The moment you let down your guard is the moment for which threat actors are waiting. That means following all protocols, no matter how seemingly mundane and painstaking, and actively engaging in cybersecurity training. You don’t want your personal devices hacked, and you don’t want to be the weak link an attacker uses to infiltrate your company’s systems. The threat is real, but so are the proven steps to defend yourself.
Learn more about how to prevent cyber-fraud and other types of insurance fraud at the 10th annual RGA Fraud Conference, August 15-18, 2022. This virtual event will feature leading experts from across the country. Register today.
About the Authors
Craig Byrkit is the RGA Global Vice President responsible for information security and data protection. Prior to RGA, Craig built and led a large financial institution’s Information Systems Threat, Vulnerability, Cyber Risk and Privacy areas, encompassing network security, vulnerability management, cyber risk, governance, privacy and incident response. He successfully served with the Federal Bureau of Investigation, which included the development of the St. Louis FBI Cyber Task Force. He currently leads the Chief Information Security Officer (CISO) board in St. Louis, is a Board member for St. Louis University Computer Information Systems programs and is one of the founding members and adjunct professor for Washington University Master's Cyber Security Management Program.
Timothy Reboulet has over 20 years of international and domestic law enforcement experience. As a Senior Special Agent with the United States Secret Service, Tim served on the Presidential Details of President George W. Bush and President Barack Obama and more recently focused on federal cyber security risk detection and mitigation. Tim’s cyber background includes leading the USSS Electronic Crimes Task Force, inclusive of government and corporate participants, and assignments to Europol (European Cyber Crime Center, EC3) and the Critical Systems Protection division. Tim directs Advisory Services at SpearTip, a leading cybersecurity firm, where he assists organizations with both pre- and post-breach scenarios.