Defining the insider threat: why legacy systems could be the insurance sector’s weakest link

Over the past 10 years we have seen plenty of examples of the type of impact that a security breach or flaw can have on organisations, both big and small.

As insurance companies have beefed up the security around their networks and data to keep out the increasingly sophisticated external threat, so the warnings of the ‘insider threat’ have also increased.

The insider threat: understanding your legacy

In 2018 McKinsey reviewed the VERIS Community Database and found that 50 per cent of the 7,800 publicly recorded breaches between 2012 and 2017 had a significant insider threat component, with 44 per cent of these due to negligence.

Often employees inside the firewall are the cause of data breaches and security lapses. Whether this is accidental or intentional, companies are now having to quickly come up to speed and deal with it. Ensuring employees have a good understanding of the systems and processes for managing their devices, USBs, passwords and applications helps cut down the threat of accidental lapses at least.

There is, however, aside from the user, another key vulnerability that is often ignored by organisations when they look at the ‘insider threat’: legacy technology.

The insurance sector depends on technology-based relationships and alliances for growth, but more often than not, their legacy systems aren’t designed to integrate with or support a collaboration. For insurance companies to keep up with technological progress as well as the insider threat, they should first look to re-architect themselves, with strong security as their backbone.

The insurance sector has always looked to take risks off other companies’ books or to support individuals who suffer losses that would be catastrophic without coverage. As the internal and external threat becomes ever more prevalent following digitalisation, the sector needs to become adept at recognising the risks that stem from legacy systems and react to them accordingly.

High cost of legacy

The investment made in technology often runs into millions of pounds, making the task of updating or replacing it a difficult or even prohibitive one for most companies. However, the older the technology, the less chance there is that it is up to dealing with sophisticated threats, both external and internal. Much of it will have been more than up to the task at the point of implementation, but as the years have rolled on, the threats facing organisations and their networks have become unrecognisable. Systems which companies rely on would not have been built for the integrations that are now necessary. Equally, mobile strategies can be a gateway for hackers looking to access data, especially those strategies that cannot integrate with legacy systems.

Another issue is the frustration that some departments feel when dealing with legacy systems. This often leads individual departments to download cloud apps outside of the control of the IT department. This creates huge risks, as the app is not integrated, not inside the firewall and not even on the radar of the IT team.

So, the cost of replacing systems is prohibitive, and yet legacy systems are causing a real headache to IT departments in insurance companies up and down the country. The key is understanding the complexities behind the legacy system. This can help ensure that systems continue to be a useful and secure element of your business. How do you know if your legacy systems are an insider threat?

Mind the “skills” gap

As those who implemented what is now considered to be legacy technology, or at least were around when the technology was installed, come to the end of their careers, the skills gap they leave behind is vast. Those left in IT departments across the public and private sectors have no knowledge of, nor any interest in learning about, out-of-date code or technology. This causes real issues from an internal perspective.

You can build the protective walls surrounding your networks as high as you like, but if the supporting technology is seriously out-of-date and not effectively managed, there are going to be easy access points throughout. Organisations across sectors are facing this issue. With rip and replace an expensive and often cost-prohibitive method, there is plenty of head scratching going on within IT departments.

Protecting your legacy

There are, however, a number of simple steps that organisations can undertake to help mitigate the risk, stabilise systems, improve performance of existing systems and protect their business from an increasing form of insider threat.

  • Consider a Data Security Audit to identify where data is located and how it is managed and processed. Understanding legacy systems is crucial, especially with GDPR; getting older systems in line with regulation is more important than ever
  • A System Health Check is another cost-effective way of measuring the level of vulnerability within legacy systems. This type of software consultancy also helps organisations take the appropriate remedial actions to get legacy systems ready for future growth
  • Manual processes continue to put businesses at risk. By taking the step to automate them, companies can help to mitigate this. Data visualisation tools like Power BI can consolidate data from all sources to produce dashboards quickly and easily. It is crucial, though, that systems output that data securely and are ready to connect
  • Business Process Mapping (BPM) can also help work out where there are potential problems and inefficiencies within legacy technology. This allows organisations to put into place fixes before there is an impact on the wider business

The insider threat has been talked about a great deal over the past couple of years, but so often the focus is on the faults or criminal intent of employees. However, whilst legacy technology remains in place, unmanaged, it remains as much of a threat as those who are using it, and a combination of both user error and legacy often leads to insurmountable problems for organisations from both a technological and reputational standpoint.

Inarguably, technology has brought disruption to the insurance industry in several ways and the reforming insurance leaders are beginning to make investments in the latest technologies that will enable them to become more customer-centric and cost-efficient, helping them to thrive.

Software Solved specialise in award-winning data and software solutions for a range of clients across the Insurance, retail and logistics sectors.

About the Author

Rob Faulkner is Insurance Practice Lead at Software Solved. Throughout my career I’ve made a commitment to learning. I’m a Chartered Insurance Practitioner, Chartered Fellow of the Chartered Management Institute and Member of the Chartered Institute of Marketing. I love all things Insurance, Tech and Marketing.

I’ve worked in the UK Insurance market for 23 years working in a range of businesses that include Insurers, brokers and software houses in a variety of roles including business development, key account management, schemes, product development and marketing.

Featured image: ©Metamorworks