The top tools to increase cybersecurity regardless of agency size
By Joyce Sigler
According to the U.S. Small Business Administration’s Office of Advocacy’s article “Frequently Asked Questions About Small Business 2023,” a small business is one that has fewer than 500 employees—a definition that fits most independent insurance agencies.
As small businesses, the same agencies that sell cyber coverage often don’t believe they’re targets of hackers. They don’t recognize cybersecurity as a valid exposure because they don’t think that they have anything a hacker would want.
What’s the attraction?
There are several reasons for hackers to be interested in independent insurance agencies. It’s not an agency’s size but its capabilities and access to its data that make it attractive to hackers. They don’t always know what they’re going to find, so they’re going on a treasure hunt.
Remember, hackers are motivated by money. Their goal is not to put an agency out of business or hold the agency hostage. They’re looking for any data that has value on the dark web so they can sell it. They might be searching for ways to launder money, perhaps through the agency’s commission payments or bank accounts.
Hackers are also interested in learning who the agency does business with and whom they’re connected to. Think of the information that the agency has collected on high-net-worth clients or owner entrepreneurs, for instance. The agency also has connections to banks, carriers and other agencies that hackers might be able to exploit.
Don’t overlook the small things
Agencies don’t always think about the ways they’re exposing personally identifiable information (PII). Many agencies still have some form of paper files that may not be stored or disposed of correctly. Think of how many times an employee writes down a client’s credit card number and saves it in a file or keeps sticky notes with passwords on the desk or wall for anyone to read.
COVID also made us complacent about where we work or conduct business, and it has blurred the lines between personal and professional. When we work from home, smart devices like Amazon’s Alexa, Google Assistant or Apple’s Siri are always listening and a smartphone’s microphone may have access to all your apps.
Not many people turn off the geolocator or Bluetooth when they’re not being used. How many conversations have you overheard in a coffee shop, in an elevator, on the commuter train, in an airport or even in your own agency that disclose confidential information?
Another common source of a data breach can be the electronic equipment an agency uses, trades in or upgrades. Often, we don’t erase a printer’s memory when it’s replaced, which is critical when the machine is an all-in-one that also scans, faxes and emails documents.
An agency is likely to provide employees with company-owned computers or tablets with appropriate security; however, many don’t provide company-owned smartphones. When agency employees use their own devices for work, they may not be required to install security on those devices.
The first time an employee accesses agency files on a personal device, they’ve created a potential back door for a hacker.
Don’t forget about company cars or rental cars. Often, employees will pair their smartphones with a car’s navigation or entertainment system. Then, when they return the rental car or trade in the company car, they don’t reset the defaults or delete the smartphone connection. I’ve gotten into a rental car and have been able to see the list of contacts from the prior driver.
How many times have you seen someone wearing their building or company access cards on a lanyard? These are valuable and easy to hack, especially if the card shows the name of the company clearly.
Although carriers are developing a more
collaborative spirit when it comes to
cybersecurity, the age of technology and our
technical capabilities are holding us back.
Count the cost
Not every data breach or hack has an immediate hard-dollar cost. For instance, after you notify all the parties affected by a breach, how many of them will continue to do business with you?
Also, when calculating the impact of a cybersecurity incident, it’s important for agencies to consider the downtime they face.
- How long will it take to notify everyone in every state who might have been affected by the breach, including employees, clients, vendors and carriers?
- How long will it take to get new credentials from each carrier you do business with so that you can continue to write policies?
- How much time will your employees spend dealing with the ramifications of the breach instead of writing new business?
The first time an employee accesses agency files
on a personal device, they’ve created a potential
back door for a hacker.
–Top tools to increase cybersecurity
Using a virtual private network (VPN) and changing network passwords are no longer enough to demonstrate that agency management has done everything it can to reduce its chances of being a hacker’s target. What are the top tools an agency can use to increase its cybersecurity?
- Training and awareness for employees. Humans are still an agency’s greatest vulnerability. Be sure your employees know what a phishing scam looks like because you can’t always tell from looking at an email address or reading a text message.
Consider designating a security program manager, as recommended by the Cybersecurity & Infrastructure Security Agency (CISA), part of the U.S. Department of Homeland Security.
The security program manager’s role is to implement a strong cybersecurity program that fits the agency’s needs. As long as the manager is committed to maintaining cybersecurity, a background as a security expert or an IT professional isn’t necessary, says CISA.
- Audits of workflows and processes. Start with a list of each process and confirm who is authorized to access which files. For current employees, limit confidential file access to those who have a “need to know.”
Who can make changes or should have “read-only” access? Do you shut off access when someone leaves? As mentioned previously, review how and when paper files are destroyed or digitized. Invest in a high-quality shredder or contract with a company that takes paper off site to shred.
- Data breach drills. The best way to be prepared for a data breach or other cybersecurity incident is to practice, practice, practice. CISA also recommends holding regular simulation exercises, often referred to as “tabletop exercises.” These drills will identify the key stakeholders—including employees, clients, carriers and vendors—who need to be involved in the remediation and who need to be notified.
Test different scenarios so you’re prepared no matter how the breach occurs.
- Multifactor authentication. According to the National Institute of Standards and Technology, U.S. Department of Commerce, multifactor authentication (MFA) is a system that requires more than one distinct authentication factor to be successful.
MFA can be performed using a multifactor authenticator or by a combination of authenticators that provide different factors. The three authentication factors are:
- Something you know, such as a password or personal identification number (PIN).
- Something you have, for example, a cryptographic identification device or token.
- Something you are, such as your fingerprint, face ID or other biometrics.
- Managing passwords safely. Recognizing the challenge of password management, ID Federation has developed SignOn Once, which eliminates the daunting task of keeping track of separate IDs for all the carriers that agencies deal with.
Each agency user has one ID, password and MFA to log into their management system, replacing the myriad logins that agencies must use each day. Transactions are safer, which provides additional protection for clients. (Visit bit.ly/RN-MFA for more information.)
Working with carrier partners
A key component of the agency-carrier partnership is a strong understanding of where cyber exposures exist. Agencies may unknowingly have open playgrounds that inadvertently become playgrounds for hackers. The carrier can’t assume the agency will take care of cybersecurity or is as sophisticated as the carrier’s tech team.
Carriers can help agencies with best practices to make their systems more secure and they can direct resources to cybersecurity that smaller agencies do not have.
Although carriers are developing a more collaborative spirit when it comes to cybersecurity, the age of technology and our technical capabilities are holding us back. The ability to turn this industry around is sometimes our biggest challenge. For large legacy carriers, updating their systems and security is like trying to turn a 1,000-foot cruise ship.
If a carrier deals with hundreds or thousands of agencies and agency management systems, the carrier’s data is increasingly vulnerable to a breach. If an agency is hacked, all of the carriers’ data with the agency might be targeted. When the agency and the carrier both use SignOn Once with MFA, the level of protection is maximized.
It’s an exciting time from a visibility standpoint. There is and likely always will be competitiveness among carriers and among agencies—but cybersecurity is an industry-wide need, and industry collaboration through SignOn Once by ID Federation can make a win for us all.
For more information:
Joyce Sigler, CISR, CPIW, CPIA, NcIA, NcAM, NcSA, is vice president of acquisitions and technology, agency licensing and compliance, at SeibertKeck Insurance Partners in Cleveland, Ohio. She is a board member and past chair of the Network of Vertafore Users (NetVU). She can be reached at