In January of this year, the personal data of over 2 million Aflac life insurance and Zurich auto insurance policyholders ended up on the dark web. How? Because hackers used a contractor’s stolen credentials to break into a cloud server used for marketing purposes.
The information stolen included policyholder names, ages, genders, insurance data, coverage amounts and premiums–more than enough to create eerily realistic phishing emails or, worse, commit fraud.
Unfortunately, breaches like this aren’t uncommon. Research shows the insurance industry suffered the second-largest number of breaches in 2022.
Cloud apps: as secure as you make them
With data breaches on the rise in the insurance industry and cloud computing adoption also skyrocketing, could it be that the cloud is responsible for the rise in cybersecurity incidents?
The answer isn’t a simple yes or no.
You see, the cloud does pose security risks if an organization fails to use it correctly. This is because cloud platforms rely on a shared responsibility model, with responsibilities split between provider and customer depending on the type of deployment.
For all deployment types, the customer is responsible for securing:
- User identities and accounts
- Access management
The cloud provider, meanwhile, must secure and maintain the underlying infrastructure of the service. Honestly? They’re fantastic at doing this. Players like Microsoft, Google and Amazon invest millions into securing their cloud infrastructure, making it almost impenetrable to malicious actors.
Despite this, though, insurer data breaches are rising, indicating that something’s going awry.
Increased risk, inadequate protection
It looks like most insurers realize that the cloud poses potential security concerns. An EY survey of insurance players found that 59% of executives say data security is the most serious risk of embracing the cloud, closely followed by compliance and regulatory risks.
Although insurers know data security is an issue, they’re not slowing down cloud adoption. The same study found that most insurers aim to move at least 80% of their business to the cloud in the coming years.
It’s easy to see why insurers are moving full speed ahead with cloud transformation, thanks to benefits like enhanced collaboration, improved efficiency and lowered costs.
However, the rise in data breaches indicates that companies often prioritize innovation over security—something underscored by Forrester’s 2023 prediction that: “Carriers will curtail increases in their IT spending to reduce costs. The cuts will not be uniform, however. We’ll still see investments in areas likely to create efficiencies, such as smart automation and robotics.”
With efficiency and the customer experience a firm priority for insurers, security is falling by the wayside. There are a few possible reasons for this, including:
- Companies don’t fully understand the cloud’s shared responsibility model
- A lack of budget and resources to implement cloud security controls
- Complexity, internal silos and third-party relationships undermine security efforts
Let’s explore each of these in more detail.
The cloud’s shared responsibility model
Gartner predicts that 99% of all cloud security failures will result from user error by 2025. User error can mean a multitude of things. For insurers, the top risks are:
- Misconfigurations: These occur when administrators or users fail to correctly configure the cloud service, leaving data and applications exposed to the public. Almost half of companies have dealt with security incidents due to misconfigurations.
- Leaked credentials: Poor password practices and a lack of multi-factor authentication leave user accounts more vulnerable to compromise. Hackers can break into user accounts and, from there, either steal sensitive information or launch a more complex attack. This is precisely what happened in the case of Aflac life insurance and Zurich auto insurance.
- Inadequate data management: Cloud sprawl, remote working and shadow IT mean that IT administrators often don’t know where data is or how it’s being used. A lack of control leads to inadequate protection, meaning data is more easily compromised or exploited.
A lack of budget and resources
Research shows a lack of IT staff (52%), insufficient budget (47%) and lack of cloud security expertise (44%) directly hinder organizations from adequately protecting cloud resources. As KPMG research found, insurers are generally behind in cybersecurity maturity, and this gap is being felt more acutely now that carriers are moving to the cloud.
Without the right skills and cybersecurity solutions in place, these companies are ill-equipped to combat the unique security and compliance risks posed by cloud apps.
Complexity, internal silos and third-party relationships
It’s not like insurers are just using one cloud app. Typically, their people–not to mention suppliers, partners and contractors–will use a myriad of tools to connect, communicate and collaborate.
This makes achieving optimum security inherently difficult. Even if a security team manages to perfectly configure one application at a point in time, there’s still a host of other applications out there that need the same treatment, each with their own unique policies, language and configurations.
On top of this, we must remember that cloud providers regularly push out updates that override previous configurations, meaning security teams need to start from scratch time and time again.
Lastly, it’s important to note that cloud apps’ native security tools are pretty basic in nature–and certainly not fit for highly regulated financial data. They’re notorious for producing overwhelming numbers of false positives and frequently fail to identify sensitive information in unstructured formats, making them unreliable and cumbersome.
How insurers can secure the cloud with Polymer DLP
Despite the challenges of securing the cloud, insurers know they can’t go back. Cloud apps work wonders for efficiency, customer relationship management and collaboration.
Thankfully, cloud innovation doesn’t have to forsake security. Insurers just need the right tool for the job. That’s where we come in.
Polymer data loss prevention (DLP) is a no-code data protection and compliance tool that is easy to deploy and even easier to manage. Our solution is designed so even non-security personnel can implement it.
Polymer DLP works by bringing unparalleled visibility and control to the sensitive information in cloud apps like Slack, Teams, Dropbox and more. Using the power of natural language processing and artificial intelligence, Polymer DLP autonomously discovers and protects sensitive data in your cloud apps, enabling organizations to effortlessly fulfill their duties under the cloud’s shared responsibility model.
With our tool, cloud app data breaches and data leaks become a thing of the past. Through the principles of zero trust, Polymer DLP ensures that only authorized users access sensitive data–and only use it in compliant, safe ways. Any attempts to violate data security or compliance policies are instantly blocked and flagged to the security team.
Better still, our tool is embedded with behavioral science nudges, which educate users on risky behaviors so they learn for next time.
The result? Cloud applications where insurance industry data is well and truly safe.
Concerned about your cloud app security? Try a free risk scan today to discover the extent of at-risk sensitive data in Slack, Teams or Google Workspace.