At work, a lot of actuaries price cyber insurance policies. At home, all of them should be thinking about cyber protections.
That was the message from CAS Fellow Eduard Alpin at the CAS Spring Meeting in his talk, “Cyber Resilience for Companies and Individuals.” Alpin is chief actuary at Resilience, a company that helps its corporate customers manage their cyber exposures.
High-profile corporate incidents like the cyber attack that roiled MGM Resorts International last year have their at-home counterparts. Alpin illustrated the parallels. He cited real-life and hypothetical examples.
Alpin spelled out the basics of cyber controls and showed what can happen — in business and at home — if common cyber controls aren’t followed. The controls he covered were identity and access management and social engineering protections.
Identity and access management
These protections ensure that the right people are performing the tasks that they should. Techniques include managing and verifying passwords and limiting access.
Password management. Alpin recommended using password managers, which generate unique, complex passwords every time you need one. When you access that site later, the manager logs you in automatically.
Password managers deter two types of attacks:
•Brute force (and its dictionary and password-spraying variants), where a bad actor keeps trying guesses, often common passwords (think: ABCD1234), against a site until one works. A long, random password from a manager is not practical to guess.
•Credential stuffing, where the hacker replays username and password pairs pulled from one breached site against another site, like a bank. Because a manager gives every site its own password, a breach at one site yields nothing that works elsewhere.
In 2022, business publication Fast Company was breached when the password used by one of its employees (“Pizza123”) was exposed in a breach of another site. The employee had used the same password on their Fast Company profile. The result: hackers stole data and pushed out offensive notifications under Fast Company’s name.
An at-home equivalent of a credential stuffing attack: hypothetical actuaries use the same password (“Actu@ry24”) on all their accounts. The password contains a capital letter, numbers and a special character, so they assume it is secure. Complexity does not help once the password is reused. A hacker recovers it from one breached site, then tries the same credentials at a series of bank sites until one accepts them.
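The following Python script is an added illustration, not code from the talk or from Resilience. It models the two attacks above against two hypothetical sites (“bank.example” and “broker.example”, invented here): a leaked credential dump is replayed against each site, and only the user who reused a password is compromised, while the user whose passwords came from a manager-style random generator is untouched. The sites store passwords as salted PBKDF2 hashes, as a site should, so the attacker can only get in by presenting the right plaintext.

```python
import hashlib
import secrets
import string
from typing import Optional

# Character set a password manager might draw from when generating a password.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
PBKDF2_ROUNDS = 100_000


def generate_password(length: int = 20) -> str:
    """Password-manager style: a fresh, random, unique password every time."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) for storage."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time check of a login attempt against the stored hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return secrets.compare_digest(candidate, digest)


def credential_stuffing(
    leaked: dict[str, str],
    sites: dict[str, dict[str, tuple[bytes, bytes]]],
) -> dict[str, list[str]]:
    """Replay every leaked (user, password) pair against every site.

    Returns, per site, the users whose reused password let the attacker in.
    """
    compromised: dict[str, list[str]] = {}
    for site, store in sites.items():
        hits = [
            user
            for user, password in leaked.items()
            if user in store and verify_password(password, *store[user])
        ]
        compromised[site] = hits
    return compromised


def build_demo() -> tuple[dict[str, str], dict[str, dict[str, tuple[bytes, bytes]]]]:
    """Constructed sample data for the demonstration (all values invented)."""
    # Plaintext credentials an attacker obtained from a breach of some unrelated site.
    leaked = {"alice": "Actu@ry24", "bob": "Pizza123"}
    # alice reused "Actu@ry24" everywhere; bob's bank and broker passwords
    # were generated by a manager, so the leaked one is useless elsewhere.
    sites = {
        "bank.example": {
            "alice": hash_password("Actu@ry24"),
            "bob": hash_password(generate_password()),
        },
        "broker.example": {
            "alice": hash_password("Actu@ry24"),
            "bob": hash_password(generate_password()),
        },
    }
    return leaked, sites


if __name__ == "__main__":
    leaked, sites = build_demo()
    for site, users in credential_stuffing(leaked, sites).items():
        print(f"{site}: stuffing succeeded for {users or 'nobody'}")
```

Running it prints that stuffing succeeded for alice at both sites and for nobody else. The point is that the attacker never breaks the hashing; the reused plaintext simply works, which is exactly the failure a manager’s per-site passwords remove.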
At home, Alpin noted, password managers are particularly important. Most people have more personal log-ins than work-related ones.
Multi-factor authentication (MFA). Most people are familiar with it, Alpin said. A person signs on, then gets a separate request — usually a code sent via text or email — asking them to confirm they are indeed signing on. MFA would likely have foiled the Fast Company hackers, Alpin said, because a stolen password alone would not have been enough to log in. Codes delivered by text or email can still be talked out of a victim, however, as the bank-impersonation scam described later in this article shows.
Privileged access management (PAM). This applies the principle of least privilege: employees receive access only to the systems and data they need to do their job, and administrative rights are handed out sparingly. Actuaries, for example, don’t “need access to production development code,” Alpin said. If the actuary’s account is hacked, PAM limits how far the hacker can get, since the compromised account cannot reach sensitive systems it was never granted.
Social engineering protections
Social engineering attacks involve bad actors tricking employees into sending them money or valuable information.
Phishing is the best known example: sending a fraudulent email that seems to come from a reputable source. It has variants, including voice messages (“vishing”) and SMS messages (“smishing”).
“There’s a lot of ‘ishings’ in cybersecurity,” Alpin said.
Another variant is the deepfake, where AI tools generate a voice, image or video of a person doing or saying something they never did. If there is video of you online, Alpin said, cheap, easy-to-use editing tools can swap your likeness into something you never took part in.
Even if the fakes are identified before they create financial harm, Alpin said, they can create reputational harm.
A California couple lost $160,000 when scammers pretended to be their escrow agents for a home sale. The attackers had been monitoring the real agents, so they knew the details of the transaction and were able to intercept the money they induced the couple to send.
“This has been happening for years,” Alpin said. “It’s really sad because people can lose their life savings.”
Taking control at home and work
“It’s really important to train people to avoid falling for social engineering threats,” Alpin said. He shared dos and don’ts:
Do:
•Question the source of unsolicited information.
•Call the counterparty directly to confirm requests.
•Visit the trusted website directly (instead of clicking a link that the suspicious actor has sent).
Don’t:
•Click on links in unsolicited messages.
•Respond to unsolicited emails.
•Respond to unsolicited texts.
•Share personal information.
•Share passwords, PINs or one-time codes.
He recommended making an old-fashioned phone call, to a number you already know rather than one supplied in the message, to confirm that an electronic request is legitimate.
That might have helped the victim of an elaborate deepfake in Hong Kong early this year. On a video call, he was instructed by his CFO to make a payment. Everyone else on the call, including the CFO, was a deepfake reproduction. The victim forwarded $25 million (U.S.) to the criminals.
Recent scams combine social engineering with MFA bypass. A bad actor who has already stolen your password calls pretending to be from your bank and warns of suspicious activity on your account. To “check things out,” they ask you to sign on while they stay on the line and read them the code sent for multi-factor authentication. That code is the only thing still keeping them out; once you hand it over, they can get into your account and drain your savings.
Malware often arrives through the same channels, as an attachment or a link in a phishing message. Businesses can adopt antivirus and endpoint detection and response (EDR) solutions. The latter monitors devices to detect and respond to threats like ransomware and other malware.
The at-home equivalent is separation: use one computer for sensitive transactions like banking and another for riskier activities like gaming. That way, a child who accidentally downloads malware might mess up their own computer, but they won’t provide access to the family bank account.
Both businesses and families should back up data periodically, Alpin said. It’s an important control; Alpin’s company regularly looks for it when underwriting clients. Backups should be frequent. There should be three copies. One should be “air-gapped,” meaning it is kept completely separate from all computers and the internet, so that ransomware on the network cannot reach it.
Good cyber controls work at home as well as at work, Alpin said.
“There are interesting parallels between what companies see as important and what individuals can benefit from in their everyday lives.”
Jim Lynch, FCAS, MAAA, is retired from his position as chief actuary at Triple-I and has his own consulting firm.