blur, subway

How to protect data from phishing and other cyber dangers

Jun 01 2016

Phishing attacks are rampant. In a given day, people receive more than 100 million phishing messages, subjecting businesses to an endless barrage of attempts to access valuable data.

Jim Routh, Aetna, cyber security, bSwift

Jim Routh, Aetna’s chief information security officer, addresses attendees at the 2016 bSwift Summit in Chicago, Ill. | Eric Vo

Aetna’s chief information security officer Jim Routh said there have been a number of data breaches in the health care industry since 2015. While some are calling it an epidemic, there is a certain type of data hackers are after, according to Routh.

“These specific hackers are after employee data, which is targeted for cyber espionage activities,” Routh told a gathering of employers at the 2016 bswift Summit in Chicago, Ill. “The hackers use employee specific data to craft compelling phishing emails to ultimately obtain credentials to the employer’s network for future cyber espionage campaigns harvesting R&D intelligence for economic gain.”

Different methods to protect privacy, data from phishing

Data breaches are happening in more diverse ways, according to Routh. The most common method is phishing, where hackers send an email claiming to be the user’s employer or bank. The email typically has a link leading to a webpage that looks identical to the company the hacker is claiming to be. The user is then asked to input their credentials, which are then saved by the hacker. If the targeted user falls for the trick, they can unwittingly cause a damaging security breach.

Routh suggested that employers consider using a different authentication methods for logging into computers, phones and email accounts. The conventional method of inputting a username and password – a binary authentication – is obsolete, Routh said. Instead, businesses should consider using a behavioral-based model that uses multiple inputs like fingerprint or swipe that measures pressure and force unique to the user.

“It provides a better user experience that is mathematically more effective than passwords at controlling access to systems while it also reduces the costs of providing a password reset capability,” Routh said.

Employers can take a number of steps to protect data, starting with education at the company and individual level. For example, employees need to understand that social media and social networks are considered public spaces, not private information.

There are also a number of questions employers can ask to gauge their own risk and security when considering employee benefit platforms such as:

  1. What controls are integrated into the software development process?
  2. Is there a mobile security program for mobile applications and what controls are used?
  3. What methods are used to add trust to outbound and inbound email?

More questions to consider:

Cyber security related questions to ask by Jim Routh, Aetna's chief information security officer

To learn more about how other business leaders are approaching and being proactive about cyber security, click here.