How can the insurance industry get a grip on phishing?

Human beings are a curious and inquisitive species. When we get a parcel with our name on it, we are eager to open it as quickly as possible, often not knowing the contents or who the sender is until it's revealed. This habitual behaviour is exactly what cybercriminals rely on when they send phishing scams to staff in the workplace and, worryingly, it is the most effective cybersecurity threat going.

In fact, phishing reached an all-time high earlier this year, while 82% of data breaches involved a human element being compromised. This could be the result of stolen credentials, phishing, misuse or simple human error; either way, humans continue to play a very large role in both cyber incidents and breaches alike. Put another way, it has never been clearer how important the human ‘element’ or ‘layer’ is to modern cybersecurity efforts.

When it comes to cyberattacks, no organisation is safe, and every industry is grappling with how to better develop its human defence so that staff detect, protect against and report suspicious activity before systems are compromised.

Digging deeper into the threat of phishing, research has revealed that among the top industries, those operating within insurance were the most susceptible to being duped by phishing threats. This was calculated by testing an organisation’s employee susceptibility to simulated phishing attacks over 3 phases, which then provided a Phish-prone Percentage (PPP). After testing over 30,000 organisations across 19 industries, insurance had the worst score, at 52.3%. This shows that insurance workers are currently the worst performers at identifying cybercriminals’ phishing and social engineering tactics.

Of course, no industry, business or individual likes to be singled out, but by raising the issue, we can effectively make change – immediately and in the long term – to ensure overall security behaviours, attitudes and culture are being improved.

You may wonder why insurance firms are targeted by cybercriminals, but they are a natural target. Businesses within this sector collect a substantial amount of information that impacts products, policies, services and pricing, which in turn influences policyholder and consumer decisions on a wider scale. Furthermore, individuals who interact with insurance providers will likely input their own data, which may include financial, health and other personally identifiable information; all of it highly desirable because of its value on the dark web and other underground hacker forums.

Fostering more secure behaviours

To make this change, organisations operating in the insurance industry must avoid the common mistake many businesses make when trying to tackle cybersecurity threats: investing heavily in the latest and supposedly ‘greatest’ technology. While technology shouldn’t be disregarded, the core issue is the psychological and mental habits of the workforce, which need to be adjusted first. It’s a much deeper issue. Solely investing in technology is a reactionary and shallow response that will not address the organisation's security culture.

Security and risk management leaders within insurance firms need to understand that in order to favourably change security behaviours within their organisations, their programmes must have: 

  • A clearly defined and communicated mandate 
  • A strong alignment with organisational security policies 
  • An active connection to overall security culture 
  • The full support of executives 

Without consistent and enthusiastic executive support, raising security awareness within an organisation is certain to fail. 

Security professionals and business leaders at insurance providers need to ensure they are fostering an environment that is security-ready by investing in both the focus of their security awareness and training programme and the readiness level of their staff. 

Delving deeper, there are many elements that can help improve an organisation’s culture, including ensuring that all employees understand their roles and responsibilities in protecting the organisation and themselves from a cyberattack.

Leading by example

Another security element to factor in is the importance of having role models within the company; this is essentially ‘lead by example’. C-level and senior management should all be active participants in all aspects of driving security awareness throughout their organisations, which includes completing the same security awareness training requirements that the rest of their employees are expected to complete. By having them be the torch bearers and establishing what should be ‘normal’ practice within the workplace, security behaviour will naturally change. From here, you can then identify ‘security champions’: other participants from within the company who can help shape the overall security culture.

Security departments can also ensure the success of their programmes by having engaging security awareness content. In turn, this will lead to a positive learning experience and ultimately favourable secure behavioural change. In an industry where content is king, the recommendation is to align with a security awareness provider that can supply your organisation with multiple flavours, versions and varieties of content that appeal to all different learning styles. 

Remember, forcing your workforce into a singular learning style limits the experience, material consumption and overall retention. It may be tempting to leverage your internal training organisation to lead this programme development, or to partner with a vendor that provides a one‑size‑fits‑all approach. Both options will lead to a long-term inability to shape your audience’s security-related thoughts and actions.

A culture of security

Ultimately, the desired goal is to build humans into the last line of defence for your organisation by creating a culture of security. This requires employees to individually and collectively understand their responsibilities and know the actions required to effectively tackle social engineering threats.

To achieve this, a combination of phishing simulation and training with behavioural reinforcement will create the strong security culture that enables your employees to make smarter security decisions, every day. By going the extra step and measuring the workforce’s phishing proneness, you will know whether your security culture is providing strength or weakness. Furthermore, having these foundations will lead to immediate results that are sustainable in the long run and will radically reduce overall risk to your business.

Javvad Malik is lead security awareness advocate at KnowBe4.