Key findings from Verizon DBIR Report for the Insurance Industry

What the Verizon 2017 DBIR Means for You

Every year, Verizon publishes a new version of its Data Breach Investigations Report (DBIR). For its tenth year running, this report provides analysis on trends surrounding hacking and other data breaches during the past year.

Many executives and information security professionals try to base their threat management strategy on popular or media conceptions of what data security threats exist. But the annual DBIR is a realistic portrait of the industry, which provides experts with real analyses of real problems. Read on to learn more about the biggest threats this year's DBIR identified for financial and insurance companies, and what they mean for your business.

The Most Common Types of Attack

The DBIR notes several common types of attack and/or data breach attempts against the insurance industry. Three of these constitute 88% of all attacks:

  • Denial of service attacks. Hackers attempt to attack companies' systems with a flood of traffic. While this seldom results in a data breach, it can seriously disrupt your company's operations, so make sure your company has firewalls and other defense mechanisms in place.
  • Web application attacks. These attacks exploit flaws already present in applications on your company's website. Make sure your apps are well-tested, and make sure they're updated to avoid exploitation.
  • Payment card skimming. This is the quintessential credit card scam: a machine is compromised such that when a card is swiped, it relays the card's information elsewhere. If your company is a financial institution, educate your cardholders and partnering companies about the potential for these breaches, and how to avoid them.

Breaches From Within

One of the most prominent types of data breach the DBIR identified was what it described as "privilege misuse." Happily, privilege misuse breaches are easy to prevent.

In a privilege misuse breach, employees of financial institutions and insurers used their access to computer systems to illicitly transfer money or steal customers' identifying information. Employees were more likely to steal personal information than money, perhaps because they knew transferring money would tip off their superiors.

Preventing Data Breaches

So how can your company prevent these common types of data breaches? Verizon recommends the following tactics:

  • Monitoring. Many financial institutions and insurers already monitor employees' activity with cameras and monitoring software. If you don't, it's time to start. No one should access sensitive information without cause.
  • Limiting employee access. Limiting access to sensitive information will make sure employees can't access it in the first place. Your company's software should allow you to set up different access tiers for different types of employees, which will prevent employees from viewing non-essential information. (If they do somehow need it, they can request access from someone else in the company.) When an employee leaves the company, disable their account immediately.
  • Institute dual- or multi-factor authentication. These systems are typically opt-in, and force customers to confirm access with a code sent to another device they register (such as a phone or a tablet). This way, if someone tries to access an account without authorization, they'll be unable to proceed unless they have access to the other device. (This system also serves as a notification when an account's been breached.) Be aware, though, that a truly dedicated hacker will surmount this obstacle by simply gaining access to the device (say, via theft or social engineering).

The 2017 DBIR report serves as a stepping-off point for greater understanding of the very real security threats that affect your business. When you familiarize yourself with it, you'll have a better understanding of the tactics hackers use, as well as which threats are most relevant to your company and its industry. Armed with the DBIR report, you're better able to approach others within your company about security liabilities, and you'll find it easier to gain support for real, impactful information security initiatives within your company.
