60 seconds with Michael Tanner

We’re bringing stories from the people across our business to you, so you can hear first-hand what it’s like to work at Intact Insurance. In this series, we spend 60 seconds chatting with colleagues from various parts of the company about their experience in the industry, what their role entails, what they’re currently working on, and more.

In this Cybersecurity special, we chat to Michael Tanner, Senior Offensive Security Engineer at Intact Insurance.

Tell us a bit about the Pen test team - what is Pen testing?

Penetration testing can be thought of as a simulated cyber-attack. We look at our own systems the way an attacker would - probing applications, networks, and business processes to find weaknesses before a real adversary can. The pen test team at Intact Insurance consists of three people. Together we ensure Intact Insurance is resilient to various types of cyber-attacks and ensure customer and employee data is secure. 

Can you tell us about your role and what a typical day involves?

Essentially, my job is to think like an attacker so we can stay one step ahead. I usually start my day by scanning a handful of trusted feeds to see what new exploits or attacker tactics emerged overnight. After that, I might help define the scope of a new engagement then dive into actual pen testing, write up a report, debrief a recent test or coordinate with our defensive teams to strengthen our ability to detect and respond to various threats. 

It’s a mix of research, hands-on technical work, and communication, all aimed at one goal - helping the company stay resilient against evolving cyber threats.

What's a common misconception about offensive security?

Many people picture penetration testers as lone hackers who just 'break into things' all day. In reality, every test we run is carefully scoped, authorised and documented so we can help the business strengthen its defences. 

Another popular misconception is that the job is purely technical. While we spend plenty of time testing systems, an equally large part is communication - explaining complex findings in plain language, collaborating different teams and helping leadership weigh risk against business needs.

What has been your biggest recent work achievement?

The planning and execution of a social engineering exercise on the UK service desk, which was conducted following some recent real-world trends we’d seen. The exercise resulted in several weaknesses being discovered, which the business was very proactive at addressing. We rolled out self-service password reset (SSPR) and changes to user identity verification processes, which were a result of this exercise.

What emerging threats should we be aware of right now?

One of the biggest threats right now is identity-based attacks. Attackers are using increasingly sophisticated tactics to trick users into giving away passwords or multi-factor authentication codes, as they know that stealing a password or tricking someone into approving a sign-in is often easier than breaking through technical controls.  

Attackers are also increasingly focusing on privileged employees, like system administrators or executives, because compromising their accounts can give far greater access than a standard user account. 

What advice would your give people when it comes to being cyber secure?

It’s essential to enforce those secure practices we should all be familiar with now -  stay vigilant, question unexpected requests for information, use strong, unique passwords with multi-factor authentication, and report anything suspicious. If your job description implies you have a high-level of privilege within an organisation, be aware that you are more likely to be targeted.

Considering a career in insurance? Check out our latest vacancies and apply today.