WINNING AT DATA SECURITY WHACK-A-MOLE
With more cyber threats popping up, agents now have a bigger hammer thanks to ACT’s “Security Issues Pocket Guide”
Agency Principal Steve Aronson admits he can’t keep his hand down when an industry technology group puts out a call for volunteers. “I’ve been a technology agent leader since 1981,” he says. And he isn’t slowing down. He currently serves on the board of ID Federation and the Agents Council for Technology (ACT), he chairs the ACT Security Issues Work Group, he’s a member of the NetVU (Network of Vertafore Users) executive committee, and he is an AUGIE (ACORD User Groups Information Exchange) Ambassador.
Steve represents the third generation at Aronson Insurance, a 25-person agency based in Needham, Massachusetts. In 2010, when the state was among the first to enact a data security law, the Massachusetts Association of Insurance Agents (MAIA) asked Steve “to lead the charge on behalf of agents to figure out what we needed to do,” he recalls.
Meanwhile, Ron Berg, executive director of ACT, was doing what he does—surveying the technology landscape, looking at technology trends and, within those trends, watching for the next technology challenges about which agents need to be aware.
One of the trends identified by ACT’s Strategic Future Issues Work Group in its 2015 Hard Trends Report, released in February 2016, was ”Information Security & Privacy Regulation—Cyber Liability.” According to the report, “These hard trends are the foundation for developing the industry’s ‘must-do’ recommendations, action, and responses to the challenges and opportunities presented by the hard trends.”
Ron observes: “Technology advancement is a double-edged sword. With every technology advance, there are multiple opportunities for those with bad intent to take advantage—overtly or in the background.”
Birth of the Pocket Guide
Steve considers his agency to be in the small to medium-sized category, so he is including himself when he says: “Small and medium-sized agencies don’t have the expertise or the on-staff personnel to easily address the data security risks that we face.”
He and Ron discussed their mutual fears and concerns around the cyber threats confronting agencies. “Ron recalled my efforts on behalf of MAIA when Massachusetts enacted its data protection and privacy law, and invited me to lead the then newly-formed Security Issues Work Group,” Steve explains.
Once again, Steve couldn’t keep his hand down.
He explains that the original goal for the Security Issues Work Group was to create a document “that even the smallest agency could make use of to improve their awareness of the data security risks that they and their staff face every single day.” It’s available at the Independent Insurance Agents & Brokers website, independentagent.com/actsecure.
The guide looks at four key areas: prevention, knowledge, document retention, and security. Among the issues that Prevention addresses are cyber risk mitigation and password management. Knowledge addresses understanding the data breach laws in the states in which an agency does business, as well as agency security guidelines. Document retention includes developing a compliant document retention strategy, as well as creating a process for document destruction from LANs, cloud devices, local and mobile devices, and USB or external drives. Security offers best practices for compliant data encryption, as well as ways to mitigate risks associated with remote access of agency systems.
“The Pocket Guide is set up to help agents identify where their risks are,” Steve explains. “Once agents know what the risks are, they are better able to shut them down. This gives them guidelines and helps them focus on the areas where they need to pay attention, rather than starting from scratch.”
Ron adds: “The first iteration of the Security Issues Pocket Guide looked at the top 15 things agents need to work on. That’s a lot. But taking one, two or five things and starting is better than being overwhelmed and doing nothing. Agents can identify the holes in their data security plan, or figure where to start, or just begin a strategy.”
A more in-depth Summary Guide also is available at the independentagent.com/actsecure site. It includes numerous links to online resources under each of the 15 top things, so agents can access as much or as little information as they wish.
In the area of education and training, Ron points out that “as an industry, we need to keep in mind that agency IT staff really hasn’t been trained to be a data security staff. They’re two different things.”
He adds, “IT is there to connect things, to make connections, to allow access and data transfer. That’s contrary to the idea of a data security group, which exists to put adequate controls over all that.
“Many agencies don’t have a dedicated IT staff,” he continues. “But training isn’t just for IT staff. It’s for all staff. That’s critical.”
From student to teacher
“I have a stand-up meeting with my data security team—that’s my leadership team and me—once a month. It lasts no more than five minutes,” Steve reports. “I show them some of the horribly creative, convincing emails I get, telling me to click on this, or go here or there. We all need to be reminded on a regular basis of the sophisticated techniques the bad guys use. Our staff has so much to do every day; they sometimes forget to look critically at every email they get. They need to ask themselves: ‘Is this really from our client? Or is it the bad guys?’
“The staff regularly shows me examples of phishing emails they receive,” he adds. “They’re proud when they find them and we share them with the entire staff. If one person gets that phishing message, others may as well. This helps us remind each other that we’re getting hit every day and we need to be diligent.
“Once we agents have a better handle on our own data security risks, we become much better counselors and risk managers for our clients,” Steve says.
He shares his insights related to data security with commercial clients when they’re having a team meeting or a lunch ‘n’ learn. “This stuff is real and our clients are getting hit as well,” Steve emphasizes. “They appreciate that we are teaching and engaging them because they’re seeing the same kinds of phishing emails that we are. We become a trusted adviser, rather than just an agency that sells an insurance policy.”
On the drawing board
Ron points out that there is a Security and Privacy page at the ACT website that includes all the data security and cyber-based information that various Work Groups have developed. As part of the early May 2016 Phase 2 kickoff for the Security Issues Work Group, short-range and medium-range tactics were discussed and agreed on. Ron says an update of the Agency Information Security Plan development materials available at the Security and Privacy page was among the projects discussed.
He says the Work Group also plans on identifying the best videos that feature topics such as phishing and spear phishing to help agencies with their in-house training.
Also in the area of training is a project, “21 Days to Tighter Security,” suggested by another Security Issues Work Group member. Ron says although details are very preliminary, this will be yet another way agencies can manage their own training. “ ‘21 Days’ is based on the idea that it takes 21 days to create a habit. This tool will help agencies understand what to click on and what not to click on, dos and don’ts around passwords, and care around accessing agency systems via unsecure Wi-Fi and personal devices,” he explains.
Data about breaches affecting independent agencies is tough to come by, he acknowledges. He says ACT is working with state Big “I” associations in an effort to encourage agencies that have been breached to share their stories. “Case studies will help other agencies,” Ron notes. “Small agencies are being hacked and breached. Agencies need to hear that it’s happening to their peers.”
As it turns out, Steve Aronson isn’t the only one who can’t keep his hand down. Ron points out that the Security Issues Work Group currently has 33 members—volunteers from carriers representing leadership, business as well as IT, with a similar mix of talent from vendors, agents and brokers, user groups and associations. “This Work Group isn’t so big that people feel like they can’t speak up,” Ron says. “But it’s big enough that we can create task groups to handle projects like ’21 Days’ and updating our various online materials.”
But Ron is always putting out calls for more volunteers. “We want to engage more perspectives so we are able to generate better and better resources.”
If you’re getting the urge to raise your hand, shoot Ron an email (firstname.lastname@example.org). n
For more information:
Agents Council for Technology (ACT)
Security Issues Pocket Guide
By Nancy Doucette