Canadian Underwriter
News

Computer security expert explains why hackers target insurance companies


December 4, 2013   by Greg Meckbach, Associate Editor



Insurance companies are generally more vulnerable to malicious e-mails than banks, while a slight majority of computer security staff members surveyed do not fully disclose information technology vulnerabilities even to executives at their own firms, an IT security expert suggested Wednesday.

Kevvie Fowler, partner, advisory services at KPMG Canada, said in a presentation that insurance companies face different threats than banks, even though both industries provide financial services.

“In insurance, over 4% of email that you receive … contain malicious links,” he said, citing research conducted by security software vendor Proofpoint Inc.

“In contrast, if you look at technology companies, it is just over 1%. There is actually a greater number of threats that you are faced with in your inbox in contrast to people just like yourselves in other industries.”

Fowler, who has worked in cyber security for 17 years, made his comments during a luncheon presentation held by the Property Casualty Underwriters Club.

He added that banks do “a better job of filtering these threats upstream, so they aren’t making it to the end users’ mailbox.”

Cyber attacks, he said, can be grouped into four categories of “bad actors.” The broad categories are petty criminals, “hacktivists” or terrorists, organized criminals and state-sponsored attackers.

“Bad guys know banks spend a lot of money on security,” he said. “They will focus on an industry that hasn’t made those security investments.”

Fowler noted that KPMG conducted a survey of the top 1,000 organizations in Canada (as rated by Report on Business), asking senior executives questions about cyber security.

“Thirty-nine per cent of C-suite executives in Canada actually think they will be the target of a cyber attack,” he said, noting six in 10 “don’t think they will be a target whatsoever when it comes to cyber security.” 

But in other studies, the same questions have been posed to management and staff and “you get a very very different picture.”

Sixty-three per cent of respondents (other than C-suite executives) in a survey anticipated their organization will be attacked “within the next 6 months,” Fowler noted.

“Sixty-four per cent of them don’t even communicate security risks to executives,” Fowler said. “Digging deeper into that, why wouldn’t you communicate risk to executives internally? The common answer is, Number 1 they think it’s too complex to be understood by executives, and Number 2 they don’t want it to be seen as an indicator that they are not doing their jobs correctly.”

Fowler suggested some organized crime groups start botnets and then rent them out to other miscreants willing to pay $5 an hour.

“Some of your computers in this room are being used right now for a botnet that is being rented out for $5.”

