Aflac CISO: Insurance Sector Ramps Up Cyber Defenses

Published: 22/11/2024   Category: security




Aflac CISO Tim Callahan discusses ongoing initiatives to stay secure as hackers ramp up attacks on financial services.



The insurance industry has traditionally lagged behind the technology curve, but companies in the sector are ramping up their security practices amid a rapid rise in cybercrime.
Threat actors are increasingly looking to financial services as a direct source of monetary gain. Insurers initially weren't among their primary targets but have become frequent victims as other financial companies adopt stronger security measures.
"In the last couple of years, the criminals have turned their attention more to insurance companies," says Aflac CISO Tim Callahan. "As the banks have tightened up their security and there's less opportunity there, they have found insurance companies, especially healthcare, have a lot of data."
Now insurers are building their strengths as many of them, especially smaller businesses, are frequently hit with cybercrime. Hackers use a variety of tactics to swindle insurance victims.
Phishing is a popular means of gaining administrative credentials to establish a foothold in the insurer's environment. These attacks often target executives so criminals can spark a dialogue and collect their information. Once they secure credentials, they pose as the executive and initiate wire transfers outside the organization, using business email compromise or business email account spoofing.
"Privileged user accounts are more vulnerable," says Callahan. "That's what the criminals want."
Insurers have had to adopt new technologies and strategies to fight these threats, says Callahan. He has spearheaded several initiatives at Aflac to protect employee and user data from attack.
Aflac has implemented a more rigorous employee awareness program that goes beyond annual security training. The continuous education model requires ongoing exercises in phishing; for example, employees receive fake phishing emails and are reminded to be more careful if they fall for the scam.
Callahan has a strong focus on improving authentication; specifically, implementing multifactor authentication for any kind of remote access. He has increased emphasis on identity access management, from both employee and client standpoints, and begun a privileged access training program to protect vulnerable executive accounts.
He says measuring metrics helps keep the team updated on progress in the efforts. "We've seen differences, and we know we're being a lot more effective," he notes. They're heading in the right direction -- but there is more to be done, he notes.
In addition to these initiatives, there are a few major long-term projects to strengthen Aflac's security posture. Callahan explains the company is in the early stages of a new client authentication platform, for example, which he anticipates will wrap up by mid-2018.
He's also overseeing projects focused on vulnerability management, information governance, and data protection. The latter two initiatives overlap to ensure a fully protective environment for Aflac's information and will be fully complete by 2019, he expects.
"We're starting to be able to identify where information is and classify it almost through an automated process, and identify pieces of information that should not be on the shared drive, but in a more secure environment," Callahan says.
One of the top challenges was securing a strong threat intelligence program and sharing information with other businesses. More insurers are collaborating in the Financial Services Information Sharing and Analysis Center (FS-ISAC). "Historically, insurance companies haven't really done that, but it's certainly changing," he explains, noting that membership has risen.
C-Suite Buy-In
For companies looking to improve their security posture, Callahan advises involving the executive team early in the process.
"Our whole C-suite is behind this, and they've given support, which has filtered down to everyone in the projects," he says. "There is not a single executive who doesn't know what we're doing or why we're doing it. That, to me, is probably the biggest factor in our success."
Securing this support involves transparency. Callahan says he had to explain to the board that these projects would be expensive and take a few years to complete. The open communication resulted in some pushback, he admits, but ultimately led to greater understanding overall.
Before you get started on new technologies, however, you have to go back to basics, he says. Define your security strategy and tie it back to the business, and assess the framework and see where the gaps exist.
"Some companies go for the technology first and implement fancy tech, but in the meantime, if you haven't taken care of the basics, you'll still have holes," Callahan says. "When you get to the hard stuff, you'll lose support."
