Christian Mercier, CEO of UV Mutual, invited his rivals to discuss cybersecurity this past fall. Why? Because he sees it as a sector-wide issue. Firms have nothing to gain by keeping their efforts to combat this problem under wraps.
Mercier says that each time a large firm is hit by a major data theft, consumer confidence as a whole is shaken. Mercier, a former member of the military, says he is poised to wage a war against cyber hackers. He urges all Quebec insurers to prepare to defend themselves against these invisible enemies.
“In the world where I come from (the Canadian Armed Forces),” he said in his opening speech, “the degree of preparedness for the unexpected is crucial. I deployed huge efforts with our team to prepare for different components that will help us react well if we need to.”
He finds what he’s seeing in the industry today somewhat troubling.
“Unfortunately, we are in ‘wait and see’ mode,” he says. “It’s not a subject that people really want to talk about. I brought it to the table at the Canadian Life and Health Insurance Association (CLHIA) during our strategic planning. It’s there, we can see it, but we rarely talk about it, and all the bosses assume that someone else will take care of it. Eventually, one by one, we will be affected by this situation directly or indirectly. It’s only a matter of time.”
How UV Insurance bolstered its security measures
Raising top management’s awareness, securing the perimeter, repeated employee training, putting controls in place, maintenance, and continuous improvement are among the measures that UV Insurance has taken on several fronts to reduce its exposure to cyberattacks, Dominic Villeneuve, director of security and infrastructures at the insurer, explains.
In principle, protecting the perimeter from major threats is the fourth step of the action plan, he continues, but the company chose instead to secure the perimeter immediately because that’s where attacks happen. “The Internet is a war zone. We are fighting the hackers,” Villeneuve says.
After a risk analysis, UV took several steps:
• More advanced network monitoring tools were put in place.
• Security platforms were updated and each system’s access via the Internet was validated.
• The company also validated access to the central system, created daily reports, and installed three levels of antivirus and anti-malware programs.
• The alarm systems were reinforced and optimized.
“Through these measures we gained a 360° vision of the state of the network and of user behaviour,” Villeneuve explains. “Doing behavioural analysis of workstations paid off the most because we saw exactly what was happening in the network. If someone opened a session or inserted a USB stick we were notified. Now we have a precise vision of everything that goes on in the infrastructure.”
Employee training
The second prong was employee training. This is probably the element that had the biggest impact at the insurer in the past year, Villeneuve says.
About 85% of attacks occur through human vulnerability. Only 15% of successful attacks are made through systems, he explains. “It’s much easier to exploit people than systems, especially ones that are up to date.”
First, the firm raised employees’ awareness of security to change the business culture. “If the employees do not have a feeling of insecurity, we can’t change their attitude,” Villeneuve continues. “We had to create this feeling of urgency about cybersecurity.”
The message was transmitted in different ways: striking images, screensavers, and intranet messages. On top of that, all employees took two one-hour training sessions where they watched demonstrations of hacking in the laboratory.
“The effect of this training exceeded our expectations,” Villeneuve says. “People’s habits changed instantly. Now they never leave their screens open. Their telephones always have a password. This password, even a personal one, is complicated because hackers use personal accounts to establish connections and trust with someone so that they can hack into their workplace later.”
Training cyberagents
UV Insurance also formed a cyberagent squad. These employees from different departments received additional training to detect phishing and hacking attempts, and fraudulent calls. To enhance their motivation, they were even issued cyberagent badges.
By making regular tours to check for workstations that were unattended and unlocked, the agents could note violations of this security rule and act in case of neglect. Employees at fault were contacted directly by security. People who plug in a USB stick have to justify their action to the security team.
Campaigns on phishing
Third, UV Insurance carries out one or two phishing campaigns internally each month. They are inspired by the phishing attempts seen weeks before, or by new trends in cybercrime.
“We add a circumstantial aspect,” Dominic Villeneuve explains. “For example, two days before a general meeting I will send out a phishing campaign with the company’s new organization chart. Of course, everyone will click on it. Why? Because that’s what happens in life! We wage different types of attacks based on what we receive. Users also check all their emails carefully. We would rather deal with 50 false positives than one real case.”
At the future head office of UV Insurance, currently under construction in Drummondville, Quebec, blue lights will be installed on the floors. They will blink five times per hour in case of a cyberattack or risk of attack. Employees will know to be doubly cautious with emails and calls.
“Of all the actions we’ve taken, employee training has undeniably had the most positive effects on corporate security,” Dominic Villeneuve says. “The demonstrations of hacking really galvanized the employees. People were reporting cases and calls to us. That’s right, we want people to escalate the information to our level. They now know that hacking is a very real issue today and not just a fear campaign.”
The greatest challenge of this whole process, he says, is to keep the momentum going. “It’s easy to succeed in the first round, but you have to keep it going in the second, third, and fourth rounds. With training twice a year people have no time to fall asleep at the wheel.”