SIX STEPS TO GET YOUR CYBERSECURITY STARTED
Because now more than ever is the time to take this seriously
If you are anything like us, cybersecurity was always this abstract thing that we knew we were supposed to take seriously. But it was easy to push off for more pressing items, especially ones that were simpler to do and didn’t seem to cost an arm and a leg.
As always, as an insurance agency network, we provided best practices and shared resources with insurance agency owners on the importance of protecting Personal Identifiable Information (PII) but, if we were being honest with ourselves, none of us truly internalized the urgency of the issue.
Then, COVID-19 happened, and as the pandemic hit the United States hard, most of us moved to working from home and hackers had a field day. Numerous emails from fake accounts were sent to our staff, providing an “innocent” link to click on or asking them to provide PII. And they just kept coming. Even small mom-and-pop agencies were getting hacked and turning to us for help.
To deal with the situation, we put together six simple-to-follow cybersecurity steps for insurance agency owners. Of course, we strongly recommend partnering with a credible IT company to assist you through this process. However, not all of us have the budget, so these six steps are suggestions to help you get started:
- Assign staff to a cybersecurity team. Appoint a team responsible for managing the security of your data. Without clear designations, security issues can become a blame game quickly, and we are not just talking about verbal conversations. Make a written, mutually understood, and agreed-upon policy for who is responsible for what. You do not want to be left in a position of not knowing who has the most updated passwords, who has administrative access and who doesn’t, and who has the contact information for an IT company or your attorney in case there is a breach.
- Use multi-factor authentication. Whenever you log into a program that requires a password, turning on multi-factor authentication (MFA)—also often referred to as two-factor authentication—adds a second security step. Instead of accepting just a password, MFA will prompt your employees for a second proof of identity, such as a security code sent by text message to their phone. This simple step can have an enormous impact on your agency’s security. MFA can be turned on simply by enabling the feature in your Office 365, Gmail, or file-storage admin account.
- Enable encryption in your emails. Everyone knows it is bad practice to provide passwords and bank account information over email, but for an insurance agency, even providing full names, addresses, and policy info can put you at risk. To mitigate this risk, enable email encryption whenever your employees need to share confidential information, both internally and externally. This can be done by updating your licensing with Office 365 or Gmail, which can be accessed through your main admin account.
- Require security from your vendors. We all partner with multiple insurtech companies to increase efficiencies in our agencies. But for any company that integrates with your agency management system or that you allow to access your data—such as email marketing platforms, online quoting vendors, and customer self-serve web portals—it is now essential that you get your hands on their cybersecurity info, too. Ask for proof of cyber liability insurance, copies of their security policies, and updated contracts detailing liabilities for data leaks.
- Create an incident response plan. Because a data breach is now a question of when, not if, it is a best practice to put a plan in place before there is ever an issue. Your incident response plan should be printed and available at your employees’ desks, so that in case of a breach they are able to easily follow the required steps. This helps ensure damage is mitigated and all issues are corrected as quickly as possible.
At minimum, your plan should include what to do if any of the following happens:
- Theft or loss of physical equipment
- Unauthorized access to your systems, such as someone remoting into a computer or running malware in the background
- Insiders/Phishing. An insider incident covers any request, apparently from a current or former employee, to share information over email that should not be shared, whether the request is genuinely from that employee or a phishing attempt spoofing the employee’s name.
- Oversight. Mistakes happen, such as sending an email or sharing a file with the wrong person.
- Communicate, communicate, communicate. Walk through your incident response plan with all staff and encourage open dialogue so your employees feel comfortable asking questions and bringing issues to your attention. Hold regular meetings, trainings, and check-ins—particularly with your newly designated cybersecurity team—to stay on top of any changes within your company. Your security policy and response plan are not “once-and-done” documents.
As insurance agency professionals, we promise protection to our insureds. And one of those protections must be their privacy (i.e., their data). So, we think it’s safe to say that now more than ever is the time to take this seriously, especially as hackers and malicious software become more and more targeted toward our market.
If you’d like to learn more, the Independent Agents and Brokers of America (IIABA) Agents Council for Technology Agency Cyber Guide 2.0 lists additional steps for a more secure agency, as well as resources and compliance laws in each state. Travelers provides a Cyber Academy to help businesses learn about emerging cyber trends and The Hartford offers a Cyber Center full of resources and tools.
For more information:
Agents Council for Technology
Agent Support Network of America
The Hartford Cyber Center
Travelers Cyber Academy
Kathy Bova is vice president of education at the Agent Support Network of America (ASNOA). Daniel Molinero is technology administrator at ASNOA.