Agents and insurers alike have access to and store an impressive amount of sensitive data. In honor of Cyber Security Awareness month, the following checklist highlights how agents and insurers can become more vigilant and proactive in preventing a cyber attack. Remember, cyber-attacks are not limited to large corporations; hackers do not discriminate based on the size of their target.
Identify the potential cyber risks in your office
Any agency or insurance company should identify the potential cyber risks that exist in its office. If the IRS can be the subject of a successful cyber-attack, as it was this year, then no one should feel invincible. In fact, in a 2011 Wall Street Journal article, Visa Inc. stated that 95% of the data breaches it discovers involve its smallest business customers. The same article noted that, according to the statistics it cited, cyber-attacks on businesses with fewer than 100 employees increased from 27% to 63% between 2009 and 2010. Those numbers then rose another 64% between 2013 and 2014.
According to the Big “I”‘s Agents Council for Technology (ACT), agencies must prepare for a cyber-attack like any other potential disaster that could affect an agency, whether a flood, fire or robbery. As such, it is vital that an agency, and an insurer, put together a comprehensive plan to deal with a potential threat. Identify the type and amount of sensitive data that exists in the office. Next, create a written security procedure plan for your business outlining the best way to protect your company’s data. ACT suggests that the written cyber security plan be updated regularly so that it keeps reducing risk as the business, and the threats against it, change.
Control Your Agency Passwords
This is a tough and complicated issue. Hiring employees and giving them access to computer systems naturally means that they will have their own passwords. But if the owner of the agency or insurance company does not ultimately have control over an employee’s access, disaster could ensue. For example, a disgruntled employee leaves the company without divulging his passwords; unless his accounts are disabled, that employee still has access to those systems, leading to all sorts of unpleasant scenarios. Or consider the low-tech employee who has all his passwords written out on paper or on sticky notes. What if he loses the paper? In both instances, being lax on password management opens up your company to unnecessary data security risks.
So what’s an agency or insurance company to do? One solution is for management to issue and administer employee accounts and passwords, so that ultimate control over access to the company’s data, including the ability to disable an account the day someone leaves, rests with the owner or high-level management. Another solution is to look into technology like Signon Once from ID Federation, or to use whatever password management capability exists in your agency management system.
And Then Change Those Passwords Frequently —
Once you have sorted out how to handle new passwords, don’t forget that all passwords throughout your company should be changed on a regular basis, and immediately whenever an employee leaves or a compromise is suspected. For help, the Multi-State Information Sharing & Analysis Center (MS-ISAC) has put together a guide titled “Easy Tricks for Creating Strong Passwords“.
The words “Password” and “12345” are among the most commonly used passwords. Don’t use them. The strongest passwords have the following characteristics: length (longer than 6 characters, and the longer the better); a mix of letters and numbers; no personal information; and no dictionary words.
Instead, use a phrase or acronym to create a pattern you can remember, and then modify it as needed. Don’t be afraid to use the punctuation and symbol keys on your keyboard as well.
Mobile Technology Also Includes Cyber Risks —
Mobile technology is wonderful, as it allows us to work from virtually anywhere. When an insurance professional uses a mobile device to conduct business, however, it becomes an added security risk for the company. A lost or stolen device that is not password protected is a huge risk that opens up your company’s network and data for the taking.
The Agents Council for Technology suggests the following guidelines for the use of mobile devices in an agency:
- Password protect each and every mobile device;
- Require secure wireless connections for all transactions involving business information; that means no using the free Wi-Fi at Starbucks;
- Implement a reporting process for lost or stolen mobile equipment (and make sure devices have location tracking enabled or can be wiped remotely);
- Wipe all mobile devices clean prior to disposal, recycling or trade-in;
- Require encrypted storage on devices and SD cards, and use the security features on all mobile devices;
- Update software regularly and permit only well-known, trusted apps;
- Require the same business practices and procedures for both office and mobile devices, meaning proper client file documentation in the agency management system; and
- Use the same best practices and email policies for a mobile device as would be required in office.
Know Who You Are Hiring —
Do your homework before hiring an employee. According to MassIT, the Massachusetts Office of Information Technology, in-house data theft is a huge problem for businesses. One dishonest employee can wreak havoc very easily if given access to highly sensitive data. Don’t be afraid to run a background check on a potential employee before hiring.
Education and Training For All On Data Security —
After hiring the right employees, be sure to train them well. According to ACT, one of the most important pieces of a company’s security plan is educating and training employees on their roles and responsibilities in protecting the sensitive information they handle every day. To accomplish this, the written security plan should include the company’s security policies and breach notification procedures and should be shared with everyone in the agency, so that security and data protection become part of the company culture and a top priority for all. It should permeate everything an insurance professional does throughout the day.
In fact, ACT suggests that agencies create a training calendar with content tailored to each of the following audiences: IT staff; the security officer; executive management; supervisors; mobile employees; and all employees.
Control Document Downloads —
The Agents Council for Technology suggests that agents must understand the flow of real-time data into and out of their organization in order to control it. Real-time monitoring of that data can be accomplished through the use of so-called Data Loss Prevention (“DLP”) solutions, which inspect content as it leaves the organization and flag or block anything that looks like sensitive data. These range from simple desktop-based client software to network-based appliances.
In addition, it cannot be stressed enough that all of your employees must be wary of downloads. Advise them, as often as it takes, to avoid downloading unfamiliar programs or attachments.
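As an added illustration, not code from ACT or from any DLP vendor, the following Python rule set shows the kind of content check a desktop DLP agent applies to an outgoing email or upload before it leaves the office: a pattern for Social Security numbers and a pattern for payment card numbers, with the card candidates confirmed by the Luhn checksum so that policy numbers and phone numbers that merely look like card numbers are not flagged. The patterns, the helper names and the sample message are all constructed assumptions for this example.

```python
import re

# Minimal content-inspection rules of the kind a desktop DLP agent applies to
# outbound mail or uploads. The patterns below are illustrative assumptions,
# not any vendor's rule set.

# U.S. Social Security number (AAA-GG-SSSS), rejecting area, group and serial
# values that are never issued (000, 666, 900-999; 00; 0000).
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# 13 to 19 digits, optionally separated by spaces or hyphens. Candidates are
# confirmed with the Luhn checksum so look-alike numbers are not flagged.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive_data(text: str) -> list[tuple[str, str]]:
    """Scan one message body and return (kind, value) findings."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", m.group()))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            findings.append(("card", digits))
    return findings


def mask(value: str) -> str:
    """Keep only the last four digits for the incident log."""
    return "*" * (len(value) - 4) + value[-4:]


if __name__ == "__main__":
    # Constructed sample message; the SSN and card are well-known test values.
    sample = (
        "Hi Dana, the client's SSN is 078-05-1120 and the card on file is "
        "4111 1111 1111 1111. Policy 1234567890123 renews next month; "
        "call 617-555-0100 with questions."
    )
    for kind, value in find_sensitive_data(sample):
        print(f"BLOCK outbound message: {kind} detected ({mask(value)})")
```

On the sample message the scan flags the SSN and the card but not the 13-digit policy number (which fails the Luhn check) or the phone number (too few digits). A production DLP product does the same kind of matching across attachments, archives and encoded content, and logs the masked value rather than the secret itself.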
Create a Centralized Plan For Dealing With Documents —
While many agencies have gone paperless, many more still cling to paper files. Note that the longer a company keeps client information, the greater the likelihood that the information will be lost or subject to a data breach. Keep documents only as long as legally required.
Cyber Considerations For A Paperless Office —
While doing away with paper minimizes the risk of lost or stolen documents, a move to a paperless office entails its own considerations. These include how the company’s data will be stored, how written records will be transferred online, and how to create consistent and secure online workflows.
If a company chooses to store information in the cloud, it should ensure that backup data can be accessed in the event of a data breach or outage, and that the backups themselves are protected. If your company’s data is stored onsite, make sure that it is encrypted.
How You Destroy Documents Is Important Too —
Once a document is no longer needed, it is important to have a company policy for the destruction of that file as well. Paper files should be shredded, but don’t forget to devise a plan for the destruction of online files, email communications and old computer hard drives too. Mobile devices and their data should be included in the plan as well.
Secure Your Network —
While this sounds simple, it is important to make sure your wireless network requires a password to limit access, rather than being left open. A company’s VoIP phone system should also be secured, in addition to its networks.
Be Vigilant in Protecting Confidential Information —
Like most states, Massachusetts has specific laws regarding the protection of confidential information. The Commonwealth’s data breach security law, Mass. General Laws Chapter 93H, has been in effect since October 31, 2007. Agencies and companies alike must know how to protect personal information and what to do if a data breach does in fact occur.