Q: Perhaps a dumb question ... but how does one know if there is/has been a data breach? You read all the time that there was a breach and it was not found/recognized for months or even years. What are warning signs that agencies/licensees should look for. Clearly there are the obvious signs, such as a notification/email suggesting, “you may wonder why you can’t access your system any more.” But other than that, what should employees be looking for?
A: First, I want to say this is quite the opposite of a dumb question. It’s a great question and one that others can benefit from asking about their own environments!
The following response gets into some depth, so I hope it’s not TOO much more than you’ve asked for. I confirmed much of it with an ACT member, Rigid Bits.
This is a challenge: Hackers do as much as possible to stay hidden until the time is right. So, it’s really an advanced game of cat and mouse — and in many cases, the mouse (ie: hacker) is probably much more skilled than the cat.
First, having good ‘NextGen’ (next generation) anti-virus software would be a great place to start. Traditional AV will look for signature based threats, think of it of looking for the DNA of a known threat. NextGen AV looks more at behavior, so it gives an added advantage when it comes to really sneaky attacks or new, unrecognized threats. Typically, you can find this with most of the popular AV solutions out there, but looking for ones that provide more of an Endpoint Detection and Response (EDR) solution will be most effective.
Depending on budget and level of risk, it may be appropriate to look at more advanced ways to look at security alerts through tools like a SIEM (Pronounced like “sim” – Security Information and Event Management) or a SOC (like “sock” – Security Operation Center). The SIEM can have tons of alerts, which as you mention could contain a lot of false alarms, so it can be difficult to manage things like that without appropriate experience or bandwidth. The SOC helps because that gives you security personnel that can monitor the SIEM and EDR solutions 24/7 to make sure alerts are all reviewed and sometimes can help with immediate actions that may be necessary to isolate or stop an attack.
Aside from using technology like this, looking at system performance or being diligent about watching for oddities in your processes or systems can also help. Help staff learn more about how attacks may happen, through security awareness training, so they know if something fishy is happening that requires more attention. For example, if someone gets a phishing email around a specific financial transaction that was only discussed in email, it may be necessary to look at the users involved in that communication to see if there was a Business Email Compromise.
Being proactive about incident response may also make a difference. Make sure systems are configured to log activity. This may give you the clues needed to confirm if suspicious activity is more than just that and if a malicious attacker is involved.
Having a thought-out Incident Response Plan will help you be more efficient in identifying and containing attacks — which are two key factors that can directly impact the cost of a breach if one has happened. Your plan should include collecting appropriate evidence as well as ways to isolate the attack — all things you may be able to work on while a claim is getting started.
Going through proactive cybersecurity exercises like a Risk Assessment or to even simulate what a hack would look like through a Penetration Test would be a big help in identifying the most common ways an attack may occur. This would give you some ideas about where to put the most focus but would also help you identify where to put in extra risk mitigating efforts where it could be more effective in stopping the attack in the first place.
In short, the best you can do is make sure staff are aware of what is odd behavior and that they know to report it so an investigation can be done. Combine that with a good AV or EDR solution, or even going above that to implement a SIEM or SOC solution. But, at bare minimum, turn on logging where you can and have an Incident Response Plan.
Ron Berg, Executive Director – Agents Council for Technology and Ryan Smith of ACT member Rigid Bits
Independent Insurance Agents & Brokers of America, Inc.
ron.berg@iiaba.net | (651) 433-5727 | www.independentagent.com/ACT
Independent Insurance Agents of Virginia