He knows what the “bad guys” know and he’s trained to think how they think. When it comes to analyzing cyber vulnerabilities for insureds,
CNA has a secret weapon.
Nick Graf, consulting director of information security for CNA’s risk control unit, specializes in data leakage prevention and security awareness. He holds a Master of Science in computers, information and is, among other things, a Certified Ethical Hacker.
“Ethical hacking, at a high level, really is a practice in education,” Graf says. “There’s this understanding in the security industry that security is ever-changing. We’re working against an adversary: the bad guys, the hackers, the attackers, however you want to classify them.
“Previously, at a company, people may not have understood how a hacker was actually going to attack you. So there was this thought, if we can start training the good guys to understand the same methods and mind-state that the bad guys are using to attempt to breach systems and steal data, then that can help you better protect your company from these types of attacks.”
So the 35-year-old trained up. Having worked at CNA on its information security team – working on in-house security – for nine years, he jumped over to the customer-facing side about three years ago. After earning his ethical hacker qualification he began penetration-testing CNA’s website for vulnerabilities, before transferring over to examining clients’ cyber security needs.
“To really get into being an ethical hacker, you’re looking at the types of things like: how would a bad guy attempt to hack into you?” he explained. “You’re looking at things like penetration-testing of systems. You know, [for example], if I’m a bad guy, one of the methods I may use is scan the public-facing internet presence of a given company. I’m going to look at what types of servers that they have facing the internet … and by looking at these servers I can garner information off them as to what sort of operating system they run, what maybe their level of security is. By knowing that they are running an outdated version of Apache web server, there may be a known exploit that I could leverage to gain access to it, and then gain access to whatever else it is connected to on the back end.”
So when clients engage CNA for cyber insurance, Graf may end up examining and analyzing their internet security protocols. He’ll speak in depth with the insured’s IT department and discover where their problems might lie. Then he’ll also work to better educate them on best practices for staying safe.
“The point is to have this discussion with [an insured’s] security team, make these findings and make these recommendations, and then hopefully help our insureds to get a better security posture overall,” he said. “That’s win-win for us. If we can help them avoid a loss before it occurs, that’s best for everybody.”