By Joe Esser
INSURANCE AGENCY SECURITY
Now more than ever, it’s everyone’s responsibility
Insurance agencies are hubs of sensitive policyholder data, and that data must be shared with carriers. Recent lockdowns across many U.S. states due to the COVID-19 pandemic have presented challenges for agencies, who continued to operate based on insurance’s status as an essential business. At the same time, cybercriminals saw new opportunities to penetrate businesses, with more employees working from home.
Having a written security plan and protocols in place can ensure that the privacy expectations of policyholders are met, and that an agency or brokerage follows regional and national laws.
As chief technology officer at RedBird Security, some of the top cyber-risk concerns I see for agencies and brokerages include phishing and spear phishing attacks, as well as unsecured cloud apps like Office 365, Azure and Dropbox. Agency and brokerage leaders need to properly train personnel on current cyber threats and securely implement virtual private networks (VPNs) and remote access, especially as more employees are working from home.
Secured VPN access
Agencies and brokerages must first identify what their current firewall allows for in terms of VPN access. Some vendors offer client VPN as a licensed feature, either per user or per device, so you’ll need to have licensing in place for your expected user base once workers are remote. Unified Threat Management (UTM) appliances and Next-Gen Firewalls (NGFW) can add security features at the firewall level, beyond just passing traffic. This additional layer can help mitigate threats before they reach the internal network. Most vendor offerings add anti-virus, anti-spyware, anti-malware, intrusion detection and prevention, Geo-IP filtering and SSL inspection, among others.
A second concern is the condition of the computers you allow to connect to your network through VPN access. A lot of the time, these will be personal computers that haven’t been under management of the agency or brokerage, so you have no idea what the patch status is, if there’s sufficient anti-virus or if there is already an active infection on the computer. Those are all things to keep in mind. Agencies and brokerages should ensure that their staff have a reputable, up-to-date anti-virus program from a vendor they approve. Each employee should run a full scan of their computer to verify it is clean, and the agency or brokerage will want to make sure employees are updating their operating systems regularly. A better option might be to lock down VPN access to only work computers or a terminal server with company-approved protections already in place, which employees can then use to access the network.
By now, many agencies have employed disk encryption on their devices and taken steps to further secure their email. One way to do this is by using email encryption as a layer of security to protect emails containing sensitive information in transit. Another way is by enabling Multi-Factor Authentication (MFA). MFA brings an additional layer of security to the mailbox log-in process, requiring a user to accept the log-in attempt before it goes through or to enter a regenerating token in addition to their password. Having MFA enabled helps protect a user’s mailbox and its contents from another person gaining unauthorized access and either stealing information or impersonating the user.
Attachment sandboxing (naming might vary) is the process of scanning attachments for malicious content (such as viruses, malware, malicious Office macros and OLE objects) before they reach the user’s inbox. Users should still be educated on spotting spam email, but such scanning helps catch some threats at the front door and places them in a quarantine folder before a decision needs to be made on them. For instance, many people receive fake emails from UPS with an attachment and unsuspectingly open them. This attachment then installs a Trojan on the computer and/or network. With sandboxing, you can strip these attachments and have them inspected prior to delivery to the end user. In this way, a bad Excel file with a payload in it can be deleted, while a good document with macros in it to perform cell calculations is allowed to arrive in the end user’s mailbox.
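To make the pre-delivery gate concrete, here is an added Python example (not code from the article or from any product) that classifies an attachment before it reaches the mailbox: executables are deleted, Office Open XML files are opened as zip containers and routed to the sandbox when a VBA project is present, legacy OLE documents go to the sandbox as well, and everything else is delivered. The file names and the minimal container are constructed for the example; the sandbox verdict itself (benign macro versus payload) is out of scope here.

```python
import io
import os
import zipfile

BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd"}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary Office container


def build_ooxml(with_macros):
    """Constructed minimal Office Open XML container for the example (not a real workbook)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        if with_macros:
            # Placeholder VBA project; a real file holds compiled macro streams here
            z.writestr("xl/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def classify(filename, data):
    """Return 'delete', 'sandbox', 'quarantine' or 'deliver' for one attachment."""
    ext = os.path.splitext(filename.lower())[1]
    # Executables are dropped regardless of the name they were given (e.g. invoice.pdf)
    if ext in BLOCKED_EXTENSIONS or data[:2] == b"MZ":
        return "delete"
    if data[:2] == b"PK":  # zip-based: .docx/.xlsx/.pptx and plain archives
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = z.namelist()
        except zipfile.BadZipFile:
            return "quarantine"  # claims to be a container but cannot be opened
        if any(n.endswith("vbaProject.bin") for n in names):
            return "sandbox"  # macro-enabled document: detonate before delivery
        return "deliver"
    if data[:8] == OLE_MAGIC:
        return "sandbox"  # .doc/.xls may embed macros or OLE objects
    return "deliver"
```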
Top security must-haves
Every agency should make use of tools and strategies to ensure optimal security. Elements of a good security program include:
- Spam filtering and attachment sandboxing
- Next-gen/UTM firewall with SaaS security
- Training for employees
- Layered network security
- Tightened or prohibited remote access
- Procedures to manage, isolate or eliminate BYOD/IoT equipment
- Enabled data encryption at rest and in transit wherever possible
Locking down remote access through VPNs, limiting open ports, Geo-blocking requests and logging access can ensure agencies and brokerages are able to secure their data no matter where it is. Restricting administrative access and incorporating group policies can also ensure consistency, allowing employees to focus on day-to-day tasks without interruption. Agencies and brokerages need to remain vigilant, as well as maintain consistent policies and security restrictions, while at the same time training staff on the latest security concerns and any changes to security protocols.
Proactive security steps
There are a number of actions agencies can take to help bolster security. These include:
- Penetration testing to help reduce security exposure locally and remotely
- Secure email when sharing private data
- Incorporate MFA into all available areas of access (cloud, email, VPN, etc.)
- Regular vulnerability assessments and patch management
- Educating end users
- Audit log collection, automated response and incident alerting
The best piece of advice I have for any insurance business is to be cautious about the levels of access provided to unmanaged employees’ home computers. You can’t really speak for the patch level or security of that personal computer. It would be best to have someone confirm that each computer has modern anti-virus, is fully patched and is not running an operating system beyond its end of life (e.g., Windows XP or Windows 7).
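As an added example (not from the article or from RedBird Security), the following Python checks constructed VPN gateway log records against the points raised in the VPN section, the audit-log item above and the paragraph just before this one: only managed devices, no end-of-life Windows versions, geo-restricted countries, MFA on every login, and a success that follows a burst of failed attempts. The log format, field names, device list and thresholds are assumptions for the example.

```python
import re
from collections import Counter

# Constructed sample VPN gateway log (not real data) in an assumed key=value format
SAMPLE_LOG = """\
ts=2020-04-06T08:02:11Z user=alice device=AGY-LT-014 os="Windows 10" country=US result=success mfa=ok
ts=2020-04-06T08:05:40Z user=bob device=HOME-PC os="Windows 7" country=US result=success mfa=ok
ts=2020-04-06T08:09:02Z user=carol device=AGY-LT-022 os="Windows 10" country=RU result=success mfa=ok
ts=2020-04-06T08:10:15Z user=dave device=AGY-LT-031 os="Windows 10" country=US result=fail mfa=none
ts=2020-04-06T08:10:22Z user=dave device=AGY-LT-031 os="Windows 10" country=US result=fail mfa=none
ts=2020-04-06T08:10:30Z user=dave device=AGY-LT-031 os="Windows 10" country=US result=fail mfa=none
ts=2020-04-06T08:10:41Z user=dave device=AGY-LT-031 os="Windows 10" country=US result=success mfa=ok
ts=2020-04-06T08:12:03Z user=erin device=AGY-LT-040 os="Windows 10" country=US result=success mfa=none
"""

MANAGED_DEVICES = {"AGY-LT-014", "AGY-LT-022", "AGY-LT-031", "AGY-LT-040"}  # assumed inventory
ALLOWED_COUNTRIES = {"US"}          # geo-restriction for VPN logins
EOL_OS = {"Windows XP", "Windows 7"}  # operating systems past end of life
FAIL_THRESHOLD = 3                  # failures before a following success is suspicious
LINE_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split one key=value log line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in LINE_RE.findall(line)}


def evaluate(log_text):
    """Return (user, reason) alerts for successful logins that break the access policy."""
    alerts = []
    fails = Counter()  # consecutive failed attempts per user
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)
        user = e["user"]
        if e["result"] == "fail":
            fails[user] += 1
            continue
        if fails[user] >= FAIL_THRESHOLD:
            alerts.append((user, "success after %d failures" % fails[user]))
        fails[user] = 0
        if e["device"] not in MANAGED_DEVICES:
            alerts.append((user, "unmanaged device %s" % e["device"]))
        if e["os"] in EOL_OS:
            alerts.append((user, "end-of-life OS %s" % e["os"]))
        if e["country"] not in ALLOWED_COUNTRIES:
            alerts.append((user, "geo-blocked country %s" % e["country"]))
        if e["mfa"] != "ok":
            alerts.append((user, "login without MFA"))
    return alerts
```

In practice the same checks are best enforced at the gateway (posture check, MFA requirement, Geo-IP filter) and the alerts used to catch whatever slips past that configuration.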
Another option is to use remote-access software such as LogMeIn or TeamViewer and allow a user to connect to his or her own work computer, which you know has whatever security options your office adheres to; still, your IT department should confirm that the home computer is free of keyloggers and other malware before it is used as the access point.
Policyholder data security is the concern of every insurance employee. Employees should be enrolled in a phishing training program; most offer videos and interactive training to end users. These programs also send simulated phishing emails to employees’ inboxes to make sure they are following their training. They have options where, if a user does click a link or open an attachment, a message is sent to an administrator or IT contact. When that happens, the administrator or IT contact can reach out to the user for further training or to highlight the error so that the employee will not make the same mistake in a real-world scenario. In the same arena, there are also security awareness trainings that cover a wider variety of topics to further users’ understanding of security.
Security is vital to any insurance business, and everyone has a role to play. Employees need to be vigilant when opening emails, especially when working from home. The agency or brokerage itself needs to establish proper security protocols and practices for everyone with remote access, and it needs to maintain up-to-date security and computer software to ensure there are few system vulnerabilities that can be exploited. Extend remote capabilities cautiously, and—above all—make sure everyone receives appropriate training on security protocols, policies and what to look for to protect sensitive data from harm.
Joe Esser is chief technology officer for RedBird Security, a Participating Partner of Applied Client Network, which coordinates this column. RedBird Security is a full-service managed service provider focused on technology needs of independent agents and their security.