Securing insurance's new attack surface with crowdsourced cybersecurity [Q&A]
All industries have been affected by the COVID-19 pandemic and the need to shift to new ways of working. This change has also led to an expanded attack surface for cyber criminals.
The insurance sector has been particularly hit in the past year and we spoke to Ashish Gupta, CEO of crowdsourced security company Bugcrowd to find out how businesses have been affected and how they're responding to the challenge.
BN: How has the COVID-19 pandemic pushed insurance organizations to accelerate digital transformation initiatives?
AG: The COVID-19 pandemic has caused disruption throughout the insurance industry and pushed many organizations to prioritize digital transformation initiatives. This comes after companies were forced to shift to remote work virtually overnight at the beginning of the pandemic. In a conversation with a customer from the insurance industry last April, they shared that in one month their executive team had fast-tracked tens of thousands of IT and security initiatives related to enabling remote work that had previously been stuck in queue for years. Healthcare insurance organizations were hit particularly hard and experienced a surge in business operations due to an increase in medical appointments. This largely stems from the advent of widespread telehealth use for COVID-19 screenings and tests on top of the usual annual check-ups and other non-COVID related visits.
As a result of the pandemic, insurance organizations got agile and adopted new technologies to help streamline various processes such as workflow management tools, online portals and more. While these measures have enhanced their virtual customer experience, it also resulted in an expanded attack surface, leaving insurance companies vulnerable.
BN: What are the main cybersecurity challenges and threats insurance organizations currently face?
AG: The pandemic has put a global spotlight on the wealth of sensitive data insurance organizations possess -- such as the top nine insurance organizations' 122,000 globally-connected internet assets. Widespread adoption of new tech initiatives brought on by COVID-19 has led to an increase in data within insurance companies. However, security defenses have not scaled alongside the influx of information, inevitably opening up an expanded attack surface for cyber adversaries. In fact, recent research from Bugcrowd revealed there are now approximately 122,000 globally-connected internet assets from just the top nine US insurance organizations alone.
As remote work operations continue, insurance organizations are now tasked with protecting multiple entry points from adversaries on the hunt to exploit them. In addition, with COVID-19 vaccines continuing to roll out and phishing attempts containing fake insurance forms to sign up for the vaccine continuing to target vulnerable populations -- e.g. the elderly -- insurance companies are in dire need of up-leveling their cybersecurity measures to protect customer data on all fronts. Additionally, the looming threat of ransomware continues to increase, which can be debilitating for insurance companies without a proper cybersecurity regimen in place.
BN: How is crowdsourced cybersecurity a viable solution to these challenges?
AG: As the health insurance industry continues to play an instrumental role in distributing the COVID-19 vaccine and providing access to basic healthcare amid the pandemic, organizations should look to strengthen their current security measures with crowdsourced cybersecurity. This approach allows institutions to leverage the on-demand talent of external security researchers, or ethical hackers, to help identify and disclose vulnerabilities before they are discovered and exploited by adversaries. This, in turn, gives insurance organizations additional security testing to stay ahead of cybercriminals and proactively address vulnerabilities before they lead to a breach.
It's important to note that crowdsourced cybersecurity does not replace an organization's internal security team, but rather acts as a security force multiplier -- delivering on-demand security talent, tools, and partners to augment internal resources, prioritize and remedy the hardest-to-find security vulnerabilities, and maximize the impact of their existing security investments.
BN: What role can crowdsourced cybersecurity play within an insurance organization, beyond the pandemic-induced challenges?
AG: A crowdsourced cybersecurity strategy has benefits that go well beyond the current COVID-19 environment. Organizations can leverage bug bounty or vulnerability disclosure programs (VDPs) to ensure their assets are being continuously tested for vulnerabilities -- and that identified vulnerabilities are being securely and proactively disclosed to their security teams.
Crowdsourced cybersecurity can also offer on-demand penetration testing, or pen testing, to detect vulnerabilities within an insurance organization’s programs and test for vulnerabilities 24/7. Taking a crowdsourced approach to pen testing also reduces pen test launch time by 2,160 hours on average, with some pen test solutions being able to launch in less than 72 hours -- as opposed to the traditional industry standard of three months, just to schedule the actual pen test itself.
By harnessing 'the crowd' of ethical hackers, insurance organizations can remain agile as they continue to find new ways to better support customers during the pandemic and beyond. Crowdsourced cybersecurity also provides added assurance for customers, as they’ll know that their data is being kept secure with this added layer of security. Consequently, this will play an instrumental role in both increasing customer trust and customer retention rates.
BN: Speaking more broadly, how can crowdsourced cybersecurity help address cybersecurity challenges in other industries?
AG: Security is an infinite game, with both unknowns and knowns. Players and rules of the game are constantly changing, unlike finite games -- such as soccer -- where the teams are known, rules are set and the goal is to get to an outcome within an allotted time. In security, it is important to perpetuate the game in order to stay ahead of adversaries. Therefore, there’s always room for improvement when it comes to an organization’s cybersecurity posture, and every industry can benefit from crowdsourced cybersecurity, including:
- Healthcare organizations, such as clinics or hospitals, which are leveraging crowdsourced cybersecurity to maintain patient privacy and strong security as telehealth becomes a new standard, as well as secure data from medical devices and digital health monitoring apps. By harnessing the power of the crowd, healthcare organizations can operate without having to worry about compromising either internal or patient data, while still prioritizing providing quality patient care.
- Financial services organizations (e.g. banks and financial institutions) are also using crowdsourced cybersecurity to protect their data, as they hold some of the largest collections of sensitive, private and valuable information in the world. However, this has become even more pressing as the pandemic has put a target on the backs of financial services organizations due to digital transformation initiatives accelerating at a faster rate than most verticals to accommodate bank branch closures and other business process changes. Through pen testing, bug bounty programs and VDPs, financial services organizations are able to avoid becoming adversaries' latest victim.
- Enterprise startups are leading the digital transformation as a means of survival during the pandemic and often cannot afford to suffer a breach in their early stages. However, the rapid deployment of innovative technologies often leads to cyberattacks. External security researchers provide additional resources and specialized expertise that may not be present in early stage companies -- allowing internal teams to focus on security strategy, rather than testing for vulnerabilities.