Cyber protection: critical for companies of all sizes
Because practically everyone in this country carries some form of insurance, it just makes sense that our industry is a major target for cyber threats and that all of us – even small agencies – need to enhance our cyber protection. The information required by insurance, both personally identifiable information and protected health information, makes us a goldmine to cyber criminals, and its exposure can be highly damaging should we be compromised. What’s more, online digital storage has greatly increased vulnerability to cyber attacks.
Worse yet, your company may not be the intended target: it could be one of your insurers. Try explaining that to their head of IT Security when they find out you, unknowingly, opened the door to their data breach because of your lack of cyber protection. (Read our earlier post about the most common types of data breaches and hacking.)
Now that you’re convinced your agency has at least a chance of becoming a target, what can you do about it? While this post is not intended to provide an in-depth, soup-to-nuts discussion, here are the top seven steps you should take to protect your agency’s data and your insurance clients.
1. Perform a security audit
Determine what data needs extra protection, such as clients’ personal information, your agency’s financial records and your employee records. Note where this information is collected, where it is housed, and where and how it moves: from your servers, to various types of cloud storage via third-party vendors, and on mobile devices and email.
2. Cyber protection for your data and files
This is the crucial second step, which includes back-ups, network security, passwords and encryption.
Network security. First, ensure that anti-virus software, intrusion detection and firewalls not only keep malware and hackers at bay, but also let you know when they’ve been penetrated. That means having robust anti-virus and anti-malware software and installing all updates – immediately and on all devices. Never skip this step.
Back up. Make sure your files are backed up regularly – and test the backup to see that the data is indeed fully recoverable. Do this and you’ll never worry about paying for ransomware on your system.
Passwords. You know the drill; now do it. Never continue using the password provided by the vendor. Never use “Password123”. Make your password strong and not easy to guess – it should not be an actual word, but a combination of letters, symbols and numbers. Hackers have an automated tool that combines dictionary words and numbers in what’s called a “dictionary attack” to be able to quickly hack easier passwords.
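A password check built around the dictionary attack described above, as an added example that is not part of the original post. The wordlist is a constructed sample and the 12-character minimum is an assumed policy value.

```python
import re

# Constructed sample wordlist; a real deployment would load a large list of
# common and breached passwords instead.
WORDLIST = {"password", "welcome", "insurance", "summer", "admin", "letmein"}

# Undo the character swaps that dictionary-attack tools try automatically.
UNLEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                        "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def base_word(password):
    """Strip leading/trailing digits and symbols, then undo common swaps."""
    stem = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", password.lower())
    return stem.translate(UNLEET)


def check_password(password, vendor_defaults=(), min_length=12):
    """Return the reasons to reject a password; an empty list means accept."""
    problems = []
    if len(password) < min_length:  # min_length is an assumed policy value
        problems.append("too short")
    if password.lower() in {d.lower() for d in vendor_defaults}:
        problems.append("vendor default")
    if base_word(password) in WORDLIST:
        problems.append("dictionary word plus digits or symbols")
    required = {"letter": r"[A-Za-z]", "number": r"\d", "symbol": r"[^\w\s]|_"}
    for name, pattern in required.items():
        if not re.search(pattern, password):
            problems.append("no " + name)
    return problems


if __name__ == "__main__":
    for candidate in ("Password123", "P@ssw0rd!2024", "gT7#qLp2!vXe9r"):
        print(candidate, check_password(candidate) or "accepted")
```

Note that "P@ssw0rd!2024" has letters, numbers and symbols and is long enough, yet it is still rejected because it reduces to a dictionary word.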
Encryption is quite effective as a security measure, particularly when data is in transit, such as on a laptop or thumb drive. If the device is stolen, thieves won’t be able to use the data. Encryption software is readily available and shouldn’t cost you an arm and a leg.
3. Train your staff
Because the majority of the time it’s human error that causes a data breach, whether through lost equipment, use of an unsecured WiFi or unknowingly downloading malware from an email or website, your staff needs to be super-vigilant with your agency’s cyber protection. Train them on what a phishing email looks like. Ensure they use secure passwords and won’t provide secure information over the phone. Training also puts them on notice that you are watching their activity.
Consider limiting access to data you need to secure. The fewer the employees with access, the more secure the data. For those who need temporary access, provide a temporary login and then terminate that login afterwards.
4. Create security policies – and enforce them
Your staff needs to understand clearly written security policies and consequences when they’re not followed. For instance, no personal devices can access secure data via an open WiFi. Any mobile devices that do access that data should have up-to-date security software. All potential employees should be thoroughly vetted to screen out potential inside hack jobs as much as possible.
5. Control vendor access
Carefully choose vendors who store your data on the cloud, ensuring they have the right protections and security measures in place.
- What does the vendor offer in third-party audits and certifications?
- What else can the vendor promise about their safeguards?
- Will the vendor know if there is unauthorized access to your important data, and will they tell you at the first signs of such access?
- What rights, if any, will you give the vendor in your data, or to any data derived or created from your data?
- How, if at all, can the vendor share your data with any other entities, and under what conditions?
- How will you get your data back at the end of the contract, or how will the vendor protect what it keeps?
- If the vendor has access to your systems, how have you limited that access to what the vendor needs to do its work for you?
6. Consider cyber liability coverage
Many carriers will require this. Enough said.
7. Plan for a data breach, in spite of your cyber protection
Assume that someday, it’s going to happen. What are your next steps? How will you contain the breach? What data security experts will you call in? How will you inform your clients, employees, carriers, vendors and others? Where will you direct consumers (clients and employees) to report any suspected loss? What are your legal obligations? Take the time to think it through, then write down your plan, including all contact information, in one file. Encrypt and save on a thumb drive, then store in a safe place.
“If you respond right, an incident that could really hurt your business can actually build trust,” said one cyber security specialist.
Securing your business’s data is a multi-step process that takes time and expertise. Implementing these practical solutions makes it tougher for hackers to slip in; hopefully they’ll move on to easier pickings because your infrastructure is not worth the trouble of hacking into it.
This blogpost originally ran on Arrowhead’s corporate blog. It is used with permission, and modified to better fit the needs of NCC’s clients.