Hackers believe insurance companies are ’highly desirable’ phishing targets because of the data these firms hold, says lead security awareness advocate

A colleague has sent you an email and invited you to view a document. You click on the supplied link to open what appears to be a Microsoft Word document – sound familiar?

Phishing, the cybercrime where hackers utilise technology to send fraudulent messages and trick individuals into revealing sensitive information, is now the most common threat vector among UK businesses - with the global insurance industry ranking as the business sector most vulnerable to these types of attacks.

The National Cyber Security Centre defined a phishing attack as when a fraudster attempts to trick users into doing the wrong thing – such as clicking a bad link. Attackers can then install malware, like ransomware or sabotage systems, or steal sensitive data or money, for example.

According to the Cyber security breaches survey 2022, which was updated by the UK government’s Department for Digital, Culture, Media and Sport last month (July 2022), of the 39% of UK businesses that had identified a cyber attack,  83% of these were described as phishing attempts.

In comparison, only 21% of British businesses identified a more sophisticated attack, such as denial of service.

Meanwhile, the Phishing by industry benchmarking report - 2022 edition, published by software company KnowBe4 in June 2022, found that insurance professionals were among the most likely to be duped by phishing threats.

When looking at large organisations with more than 1,000 employees, KnowBe4 scored insurance firms a phish-prone percentage (PPP) of 52.3%.

The energy and utilities sector, which had the report’s highest PPP in 2021, recorded a score of 50.9% for 2022.

KnowBe4 calculated organisations’ susceptibility to phishing by conducting simulated phishing attacks – globally, it reviewed 30,000 organisations across 19 industries.

Javvad Malik, KnowBe4

Javvad Malik 

Speaking exclusively to Insurance Times, KnowBe4’s lead security awareness advocate, Javvad Malik, said: “Of course, no industry, business or individual likes to be singled out, but by raising the issue, we can effectively make change - immediately and in the long term - to ensure overall security behaviours, attitudes and culture are being improved”.

Malik added that insurance firms are a “natural target” for cyber criminals due to the sector owning a “substantial amount of information that impacts products, policies, services and pricing”.

This is “all highly desirable because of the value on the dark web and other underground hacker forums”, he explained.

‘A much deeper issue’

For the insurance industry to make a “change” and improve its resilience to phishing, Malik explained that organisations “must avoid the common mistake many businesses [make] when trying to tackle cyber security threats – investing heavily in the latest, and supposedly, greatest technology”.

He continued: “While technology shouldn’t be disregarded, the core issue is the psychological and mental habits of the workforce.

“Solely investing in technology is just a reactionary and shallow response that will not address organisations’ security culture. It’s a much deeper issue.”

To improve cyber security, KnowBe4 suggested that security and risk managment programmes in insurance firms must include:

  1. A clearly defined and communicated mandate.
  2. A strong alignment with organisational security policies.
  3. An active connection to overall security culture. 
  4. The full support of executives.

Malik said: “Ultimately, the desired goal is to build humans as the last line of defence for your organisation by way of creating a culture of security – this requires employees to understand their responsibilities individually and collectively, [alongside] knowing the required actions to effectively tackle social engineering threats.

“To achieve this, a combination of phishing simulation and training with behavioural reinforcement will create [a] strong security culture [that] will enable employees to make smarter security decisions every day.” 

Malik additionally emphasised the importance of role models within a company, noting that c-suite and senior management staff should “all be active participants” in “driving security awareness training”. 

He added: ”By having them be the torch bearers and creating what should be ‘normal’ practice within the workspace, the security behaviour will naturally change.

”From here, you can then discover ‘security champions’ who are other participants from within the company who can help shape the overall security culture.”