Modern Insurance Magazine Issue 65
INTERVIEWS

that there aren’t some simple, basic approaches that businesses can adopt for a larger return. Firstly, if you don’t need to hold personal data, don’t hold it. So many organisations store data longer than they need to, and in doing so, they’re increasing their attack surface and exposure to nefarious cyber activity. Separating strings of information also helps to mitigate risk. Don’t keep full identity sets in one place and/or corporate intellectual property in one place.
In the last three or four years, firms have also been offering cyber education to their workforce en masse, mainly through introducing password managers and simulated, fake phishing emails. If staff don’t identify the risks and open the email, they’re offered more courses and more training to prevent the same thing happening in the event of a real phishing attack. Companies are also taking this one step further through gamification, where they’re incentivising staff to be more online safety conscious by offering prizes to individuals who can identify fake, or even real, phishing attempts. Developing a culture of protecting each other through education is really important. You have to look after your staff if you expect the same in return.
Q: Of course, preparation is key. How can firms prepare for the worst when it comes to cyber threat, and how can consumer response plans be put to the test?
A: In the UK last year, I dealt with over 900 breach recoveries. Globally, it was more like 6,000. I would say that of those firms, 90-95% did not have a consumer response plan in place. Many will have a Disaster Recovery (DR) plan and/or an IT Recovery plan that is mature and tested regularly, but in the event of a successful data breach, the majority of firms don’t know who has been affected or how those people will be contacted and notified.
Many don’t know the intricacies of the contact information they have on file, and they’ve no plan in place for who should be prioritised in terms of how this communication will be staggered. They haven’t thought through the wording of the notification, or whether this needs to be translated into multiple languages. Are there a number of brands in the firm’s group and, if so, how will this be tackled? Have a consumer recovery plan, and an employee recovery plan, and understand all of the different cohort groups that make up the personal information you hold. You might lose your payroll, which affects former employees as well as current. It’s all about understanding what data you’ve got. Then and only then can you put a consumer response plan together against the information you hold, and look at how you would communicate with these customers effectively in the event of a data breach.
Once you’ve got a plan together, of course you need to test it. It may seem obvious, but very few people do this - which always surprises me given that a poorly executed plan has the potential to create the biggest reputational risk of all. This kind of strategy doesn’t need to consist of clever stuff. For instance, if you’re sending communications via post, do you have enough branded envelopes in stock? Going through a scenario in theory is all well and good, but you need to put this into practice by trying out a number of real-life simulations if you’re really going to iron out the creases. Get your teams together and ensure that everyone understands where their responsibilities lie. This increases the chances of a quicker, smoother recovery.
Q: In the event of a data breach, how can organisations do more to scale up their resources?
A: Well, first of all, you’ve got to understand what your tipping points are. What severity of attack are you dealing with? How much of the response can you manage in house without having to arrange overflow resources? Maybe you need to outsource them completely. You might be able to handle 10 calls, but can you handle 10,000? Experian are able to be quite reactive in this situation; for example, we will outsource support with suppliers that can distribute 400,000 emails per day in three days, or 2 million letters after five days. It’s all about finding that bespoke solution in accordance with business needs.
The real question actually lies in how many people respond to the notification of data breach with further queries. From a customer perspective, there’s nothing worse than receiving bad news and not being able to get through to someone when you want to clarify information and understand next steps. Make a prediction as to what this return rate looks like for your company. It’s often not as bad as you might think; in these scenarios, we usually see a 1-2% response rate following mass notification of data breach. If you assess the situation and realise that outsourcing support would be the better option, you should select the right partners with the correct capabilities and factor this into your response plan from its inception.
Q: From your experience, what does the future cyber threat landscape look like? What can the industry do better?
A: The landscape never sits still, and whilst there have been some welcome wins for law enforcement recently (with the LockBit and BlackCat gangs being impacted), we’re still seeing a rise in attacks year-on-year.
We believe that third-party data breaches will continue to make headlines. With increased data collection, storage and movement, there are plenty of partners further down the supply chain that could be targeted. Experian predicts attacks on systems four, five or six degrees away from the original source - especially as vendors outsource data and technology solutions, who outsource to other experts, and so on.
Instead of making drastic moves and trying to reap instant reward (such as that seen with ransomware), bad actors may also start to manipulate or alter minute aspects of data in order to stay under the radar. This might be seen through adjusting a currency rate, for example, or even the coordinates for fleet transportation. These small actions can have a major impact in the grand scheme.
Finally, like drug cartels, cybergangs are also forming sophisticated organisations around the world. Joining like-minded actors can be incredibly advantageous, with global networks helping each other out in order to advance common goals and interests. I think we’ll also see more hackers for trade, crews looking to expand their monopolies, and cyberwarfare alliances. The underlying message is this: companies must invest in sophisticated prevention and response methods if they are to adequately protect themselves from serious threat.
Experian have recently released their 6 key predictions for the cyber landscape in 2024. To view the full report and find out more, visit their website.
Jim Steven, Head of Crisis & Data Breach Response Services, Experian UK
Jim Steven is Head of Crisis & Data Breach Response Services for Experian UK, building on the knowledge, experience and success of Experian’s global data breach resolution offering.
The team work with businesses to help them manage and resource mass consumer crisis responses, including customer notification, contact centre and credit/identity monitoring services for customers/employees affected by a crisis event. They also support clients in preparing and practising readiness plans for potential incidents, guaranteeing resource availability to mitigate the impact and speed recovery.
Prior to joining Experian, Jim worked for some of the world’s largest security companies, providing expertise in security risk management solutions, travel risk management, aviation security and corporate security.
MODERN INSURANCE | 15