Cybersecurity For Your Insurance Agency: What to Know and How to Start
DON’T PANIC!
Don’t panic. I know, the first thing you want to do when someone says, “don’t panic,” is to panic, but hear me out. Even though cyber-attacks happen every day and you hear about a new data breach every week, there are things you can do to help mitigate the risks of that happening to you and your agency.
First Things First
The first thing I think is important is to understand where you and your agency stand right now in terms of cybersecurity protections. Take a step back and get some perspective on what tools, technologies and processes you currently have in place. Once you know where you currently are, the next steps are much easier to take.
The goal of this article is twofold:
- Educate you, an Insurance Agent or Insurance Agency Owner, on the most important things to know about cybersecurity that will help you actually stay secure
- Share how to get started “doing cybersecurity” even if you haven’t done anything yet
A note to the reader. If there is a word or phrase you don't know or don't understand, google it. Don't leave your cybersecurity to chance.
What You Should Know About Cybersecurity
Regulation and Compliance
First of all, I want you to know that much of what I discuss in this article, depending on the size of your business, may fall under the laws and regulations of your state or your industry's governing body. For example, the New York State Department of Financial Services (NYS DFS) has some pretty hefty cybersecurity regulations for the entities it licenses, which include insurance agents and brokers. If you process credit cards you will also have to comply with PCI DSS. If you handle health information you have HIPAA to comply with.
At the end of the day, you’re most likely regulated by some governing body that has imposed some level of cybersecurity requirements. Regulation is a pain in the neck, and many times regulations don’t really make you more secure; however, that’s the reality we live in. Your cybersecurity program must at minimum comply with the laws and regulations of your state and your industry's governing bodies. Otherwise, if you have an incident and/or are found to be non-compliant, you could be looking at hefty fines.
Just know that compliance does not equal security. In other words, compliance is the absolute minimum. In order to truly protect your organization, you must go above and beyond the law.
The Myth of 100% Security
The most important thing to keep in mind is that there is no such thing as 100% security. There will always be a way to circumvent the protections you put in place, no matter what. This is a universal truth. Risk management is at the heart of cybersecurity: just as you cannot prevent every loss from a business risk, you cannot prevent every loss from a cybersecurity risk.
"100% security is 100% dysfunctional."
Allan Alford, Delivery CISO at NTT DATA Services
Defense in Depth, a CISO Series Podcast
What this means is that even if 100% security were attainable, with everything locked down tight, you would create so many hurdles for the business and its employees that a job that normally takes minutes would take hours.
Don’t Go It Alone
Cybersecurity is hard, especially when you’re just starting out, and doubly so when you don’t yet know much about it. I highly encourage everyone to find someone they trust and partner with them to make the learning curve a little less steep. This trusted adviser should be someone who can help you understand your risks as a whole, help you plan and strategize which security protections you need, and help you implement new processes, strategies or technologies. When you find a company or a person who looks out for your best interest, hold on to them and don't let go!
Here are a few options you have when it comes to finding someone to help you with your cybersecurity program.
3rd Party Vendor
For some Agents this support might come from a 3rd party cybersecurity company. Not only can these companies help you set up better security practices, they will help you install cybersecurity tools, and some can even monitor your computer network for you. Using a vendor doesn’t excuse you from responsibility for your cybersecurity; however, it does lower the burden on you, so you can spend time doing what you enjoy and what actually brings in money to your agency. This type of arrangement is typically referred to as managed services (or a managed security service provider, MSSP, when security monitoring is the focus). Keep in mind that not all vendors are created equal. Just because an IT company can set up your new computer doesn't mean they are the right team to protect that computer.
Solo Consultant
Another option would be to contract a solo consultant. Many towns and cities have these types of IT and cybersecurity professionals: the small 1 or 2 person shops that typically focus their efforts on helping smaller businesses such as a small insurance agency, a CPA or an attorney. This might be a good idea if you cannot afford the higher cost of managed services, but you know cybersecurity is important and you’re okay taking on more of the responsibility to implement and maintain your cybersecurity program. You will typically get more of a personal touch and form a closer relationship. You might even be able to barter service for service. Keep in mind the same caveat as above: being able to fix computers is not the same as being able to secure them.
You and/or Your Staff
Another option is to have an employee (and/or yourself) manage and maintain the cybersecurity program. If you’re the business owner, you should at the very least know what’s going on anyway and be involved at a high level with the cybersecurity program. However, you could task an internal employee with the day to day cybersecurity efforts. This could obviously take significant time away from that person's other job duties, so keep that in mind.
There are pros and cons to each of the 3 approaches I mentioned above, many of which are obvious. When considering if a vendor, consultant or an internal employee is right for you, there are some things you should at the very least consider.
- Expertise - You don’t need a degree in computer science to start implementing cybersecurity protections; however, the more you have to protect, or the more complex your environment, the more expertise you’re going to want. This of course also depends on the amount of risk you’re willing to accept.
- Time - It takes time to plan and implement cybersecurity protections, processes and tools. These things happen over time, and cybersecurity as a business function never ends. Patience is required.
- Money - Cybersecurity can be inexpensive, but the trade-off is maintainability, complexity and your time. There are free tools you can leverage; however, each tends to solve one narrow problem, so you can end up juggling more products than you really need. You as the Agent or Agency Owner have to decide how much security is enough for your business to address your risks, and therefore how much money you're willing to spend to protect it.
How To Start Implementing Cybersecurity
Starting something new is always difficult. It’s always overwhelming and you’re not sure where to start or who to listen to or what some of the first things you should do are. Fortunately, there are some very straightforward steps you can take right now that will immediately help protect you and your company. Let’s start with the basics.
Less Planning More Doing
I know the saying, “if you fail to plan you plan to fail,” however, if you are at a point where you don’t have any protections at all, I would encourage you to throw that plan out the window for right now, and just start implementing some basics. Here is a list of things I would recommend you implement today if you do not have these in place yet.
The Basics
- Anti-Virus - This won’t protect you from everything, but it will protect you against some attacks, which is better than no protection. Windows Defender (renamed Microsoft Defender Antivirus in newer releases) is built into Windows 10, is free, and is a great option when you’re just starting out. There are also more robust and feature-rich anti-virus products out there. Not all anti-virus is equal, so do some research and try to understand what it is you’re getting and what you need. This is where that trusted adviser can really come in handy.
- Web Content Filtering & Ad Blocker - Content filtering checks each website you visit against a list of known bad or risky websites. Some products will even analyze the content of the page to determine if it’s doing anything shady. If you come across one of these sites, the filter blocks the connection. Again, there are free and affordable paid options out there that can be set up within minutes and will help protect you against a lot of the junk and malicious content on the internet. Just like anti-virus, it’s not a silver bullet, but it’s really good to have. Along the same lines as web content filtering are ad blockers. These can be installed as a plugin in your web browser. The good ones, like uBlock Origin, block a lot of junk, including the malicious ads that deliver malware through otherwise legitimate sites. I highly recommend installing an ad blocker in your browser.
- Multifactor Authentication - Also known as two factor authentication or 2-step verification. A 2019 study by Google found that enabling Google's SMS (text message) 2-step verification on a Google account blocked 100% of automated bots, 96% of bulk phishing attacks, and 76% of targeted attacks. What this means is that a hacker would not only need to know your password, they would also have to somehow obtain the random code that’s sent to your phone. They can do this by tricking you into giving it to them (social engineering), or they can potentially perform a SIM swap to receive the code instead of you. While this can happen, it's on the unlikely side for you as of now. An authenticator app or a hardware security key is stronger than SMS because there is no text message to intercept; prefer one of those where the service offers it, and use SMS where it does not. Much like above, it’s better to HAVE multifactor authentication enabled than not.
- Unique passwords for all accounts - The reason this is important is because of something called password reuse and credential stuffing. There is a website called Have I Been Pwned which allows you to enter your email address and find out if it has appeared in a data breach. The service also publishes a list of 555 million breached passwords that anyone can download. That means there are over half a billion known passwords floating around the internet. Credential stuffing is when an attacker takes an email address and password that leaked together in one breach, johnsmith@gmail[.]com (for example) with the password he used there, and replays that exact pair against your email account, social media, bank and so on; if you reuse passwords, one breach opens them all. A related attack, password spraying, tries the top 100, 1,000 or 10,000 most common passwords against many accounts. The steady stream of account-takeover stories in the news is evidence that these techniques work often enough to be routine.
- Enable automatic updates on all devices - Software and hardware manufacturers are churning out updates to their products at an ever-increasing rate. This is due to a number of factors, one of them being that there are more hackers looking to break into computer systems and networks now than ever before. There are more people tinkering and trying to find digital loopholes. Fortunately, there are also some good guys and girls (we call them white hat hackers, as opposed to the bad guys or girls, who are typically referred to as black hat hackers) who are researching and analyzing these same products. These white hats report the vulnerabilities they find to the software and hardware manufacturers so they can fix their product and issue an update. By enabling automatic updates, you ensure that you receive those critical updates as soon as they are released, which shrinks the window between a fix being public and an attacker using the bug it fixes. Doing so could occasionally cause instability with your devices; however, the downside of someone hacking into your device or network is much worse than having to deal with a finicky computer for a day.
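The check against the Have I Been Pwned password list mentioned in the unique-passwords item above can be done without ever sending a password to anyone. The following is an added example, not code from the original article or from Have I Been Pwned: it implements the range (k-anonymity) query the service documents at https://haveibeenpwned.com/API/v3#PwnedPasswords, where the client hashes the password with SHA-1, sends only the first five hex characters, and matches the remaining 35 against the suffixes the server returns. The reply embedded below is constructed so the example runs offline; the function names and the User-Agent string are my own.

```python
"""Check a password against Have I Been Pwned's Pwned Passwords list without
sending the password anywhere.

Added example, not code from the original article. Only the first five hex
characters of the SHA-1 hash are sent; the server replies with every hash
suffix that shares that prefix plus a count, and the match happens locally.
The sample reply below is constructed so the example runs offline.
"""
import hashlib
from typing import Callable, Dict, Tuple
from urllib.request import Request, urlopen

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str) -> Tuple[str, str]:
    """Uppercase hex SHA-1 of the password, split into the 5-char prefix and 35-char suffix."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Turn 'SUFFIX:COUNT' lines into {suffix: times seen in breaches}."""
    seen: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        seen[suffix.upper()] = int(count)
    return seen


def fetch_range(prefix: str) -> str:
    """Live lookup over HTTPS. The full hash never leaves the machine."""
    req = Request(RANGE_URL + prefix, headers={"User-Agent": "agency-password-check"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetcher: Callable[[str], str] = fetch_range) -> int:
    """Number of times the password appears in the list; 0 means not found.

    `fetcher` is injectable so the logic can be exercised without network access.
    """
    prefix, suffix = split_sha1(password)
    return parse_range_response(fetcher(prefix)).get(suffix, 0)


# Constructed sample reply for prefix 5BAA6 (the SHA-1 of "password" starts 5BAA6...).
# A real reply has several hundred lines; these counts are invented for the example.
SAMPLE_REPLY_5BAA6 = """\
0018A45C4D1DEF81644B54AB7F969B88D65:1
011053FD0102E94D6AE2F8B83D76FAF94F6:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
"""


def offline_fetcher(prefix: str) -> str:
    """Stand-in for fetch_range that only knows the constructed sample above."""
    return SAMPLE_REPLY_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for pw in ("password", "Blue-Umbrella-Ledger-2048"):
        n = breach_count(pw, offline_fetcher)
        verdict = f"seen {n:,} times, do not use" if n else "not in the sample list"
        print(f"{pw!r}: {verdict}")
```

To query the live service, call `breach_count(pw)` with the default fetcher. A count of zero means the password is not in the list, not that it is strong; pair this check with a password manager that generates a different random password for every account, which is what makes credential stuffing fail.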
Basics 2.0
Now that you’ve got Basics 1.0 set up you can move on to Basics 2.0. Everything in the section above takes minimal effort, and most of it can be set up and configured in minutes. The next group of basics takes a little more configuration, but typically can be set up with just a few hours of work. With some technical acumen you can easily set all of this up yourself. However, having that trusted partner help with these can speed up the implementation and make sure they are set up correctly and securely.
- Backups - A good rule of thumb is to back up your data at least once a day. If necessary, you can back up more frequently, such as every hour. Save those backup files someplace secure and tightly control who can access them. If you can, keep multiple copies in different locations: for example, one copy on a removable drive and another in a cloud storage service. At least one copy should be offline or otherwise unreachable from your office network, because ransomware that can reach your backups will encrypt them along with everything else. Finally, test a restore periodically; a backup you have never restored from is an assumption, not a safeguard. Backups are critical to making your agency resilient against a cyber-attack or even just system-related issues such as a failing hard drive or a power surge.
- Encryption - This is the process of converting data from a readable form into an encoded, unreadable form. The data can only be decrypted if you have the proper decryption key. The reason this is important is that, even if someone gets their hands on your data or steals your laptop, as long as the data is encrypted it is going to be much more difficult for that person to actually read it and do something significant with it, such as sell it. Full-disk encryption is built into the operating systems you already own (BitLocker on the Pro editions of Windows, FileVault on macOS); turn it on for every laptop and store the recovery key somewhere other than the laptop. Keep in mind that disk encryption protects a lost or stolen device, not a device an attacker logs into with your password while it is running. There are even safe harbor provisions in some breach-notification laws: if you can show the data that was stolen or accessed was encrypted, you may be relieved of the burden of reporting a data breach.
- Inventory - This is quite simple. You cannot adequately protect what you don’t know you have. There is not much protection you can put in place that’s going to prevent someone from walking through a wide-open door you didn’t even know was there. There are many free tools you can use to inventory your network. This software can find hardware devices such as computers, servers, printers and switches, and most inventory software can also list the software installed on those devices. Once you know all the devices you have on your network, you can begin to lock them down and secure them, and you can spot a device that appears later and doesn't belong.
- Email Filtering - There is an annual industry report called the Verizon Data Breach Investigations Report. In the 2019 report Verizon found that phishing was the top threat action and was involved in 32% of confirmed breaches. Email is a significant vector for cyber-attacks. Email filtering is essentially software that scans emails before they reach your inbox. That software can scan URLs and attachments for malicious content, check sender addresses against known blocklists, verify that the sending server is allowed to send for the sender's domain (SPF and DKIM), stop a large portion of spam, and much more, all before a message reaches your inbox. The bad emails can be quarantined or automatically deleted.
- Firewall - The Cybersecurity and Infrastructure Security Agency (CISA) explains this nicely. Firewalls provide protection against outside attackers by shielding your computer or network from malicious or unnecessary network traffic. Firewalls can also prevent malicious software from accessing a computer or network via the internet. Firewalls can be configured to block data from certain locations (i.e., computer network addresses), applications, or ports while allowing relevant and necessary data through. Windows and macOS both ship with a host firewall; make sure it is turned on, and put a real firewall with a default-deny inbound rule between your office network and the internet rather than relying on the defaults of the modem your internet provider supplied.
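To make the email filtering description concrete, here is an added example, not code from the original article or from any filtering product: a small filter written with Python's standard library that applies three of the checks described above (sender domain blocklist, attachment types that can run code, and the SPF/DKIM verdict in the Authentication-Results header) to two constructed messages. The domains, addresses, extension list and message contents are invented for the example; a commercial filter adds URL reputation, sandboxing of attachments and far larger blocklists on top of the same structure.

```python
"""A minimal email filter of the kind described above.

Added example, not code from the original article. It parses a message with
Python's standard library and applies three checks a commercial filter also
makes: the sending domain against a blocklist, attachment types that can run
code, and the SPF/DKIM verdict the receiving mail server recorded in the
Authentication-Results header. Domains, addresses and messages are constructed.
"""
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr
from typing import List, Tuple

BLOCKED_DOMAINS = {"agency-payrol1.com"}  # constructed lookalike of a payroll provider
DANGEROUS_EXTENSIONS = (".exe", ".js", ".vbs", ".scr", ".hta", ".bat", ".cmd", ".iso", ".lnk")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def sender_domain(msg: EmailMessage) -> str:
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def auth_failed(msg: EmailMessage) -> bool:
    """True if the receiving server recorded an SPF or DKIM failure."""
    results = " ".join(str(h) for h in msg.get_all("Authentication-Results", [])).lower()
    return re.search(r"\b(spf|dkim)=(fail|softfail|permerror)\b", results) is not None


def risky_attachments(msg: EmailMessage) -> List[str]:
    names = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(DANGEROUS_EXTENSIONS):
            names.append(name)
    return names


def linked_hosts(msg: EmailMessage) -> List[str]:
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    return [url.split("/")[2].lower() for url in URL_RE.findall(text)]


def evaluate(raw: str) -> Tuple[str, List[str]]:
    """Return ('deliver' or 'quarantine', reasons) for one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    reasons = []
    dom = sender_domain(msg)
    if dom in BLOCKED_DOMAINS:
        reasons.append(f"sender domain blocklisted: {dom}")
    if auth_failed(msg):
        reasons.append("SPF/DKIM check failed")
    reasons += [f"executable attachment: {n}" for n in risky_attachments(msg)]
    reasons += [f"link to blocklisted domain: {h}" for h in linked_hosts(msg) if h in BLOCKED_DOMAINS]
    return ("quarantine" if reasons else "deliver"), reasons


def build_sample(sender: str, auth_results: str, text: str, attachment=None) -> str:
    """Build a constructed test message as the raw text a mail server would hand over."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "agent@example-agency.com"
    msg["Subject"] = "Updated payroll form"
    msg["Authentication-Results"] = auth_results
    msg.set_content(text)
    if attachment:
        name, data = attachment
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_string()


# Constructed messages: a lookalike-domain phish and a legitimate carrier email.
PHISH = build_sample(
    '"Payroll" <hr@agency-payrol1.com>',
    "mx.example-agency.com; spf=fail smtp.mailfrom=agency-payrol1.com; dkim=none",
    "Please sign in at https://agency-payrol1.com/login and complete the attached form.",
    ("payroll_form.pdf.exe", b"MZ\x90\x00"),
)
CLEAN = build_sample(
    "Jane Carrier <jane@carrier-example.com>",
    "mx.example-agency.com; spf=pass smtp.mailfrom=carrier-example.com; dkim=pass header.d=carrier-example.com",
    "Hi, the renewal quote we discussed is attached.",
    ("renewal_quote.pdf", b"%PDF-1.4"),
)

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("clean", CLEAN)):
        verdict, why = evaluate(raw)
        print(label, verdict, why)
```

Two points this makes visible. The Authentication-Results header is only trustworthy if your own mail server wrote it, so a real filter strips any copy that arrived from outside before adding its own. And the double extension `payroll_form.pdf.exe` is caught only because the check looks at the real final extension; Windows hides known extensions by default, which is exactly why the trick works on people.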
Key Industry Resources
Now that you know some basic cybersecurity protections to implement, I want to share with you where to learn more. Below are a few key industry resources that I know can be beneficial if you dig into them and take advantage of them.
- Big I Cyber Guide 2.0 - A nice resource to get you started on a number of different topics. The guide includes a cyber strategy roadmap, regulation information, security policy templates, vendor lists and a lot more.
- Department of Homeland Security CISA SMB Toolkit - Top notch resources to help SMBs get started with cybersecurity, a leadership agenda and a hands-on resource guide.
- SANS Internet Storm Center - Very good resource for cybersecurity news, current events, new vulnerabilities and more. They also have a daily 5-minute podcast that is a must-listen for staying up to date with new and trending vulnerabilities.
- Stay Safe Online - Everything you want to know about staying safe online and helping you keep your business secure. Tips, strategies and a ton of additional resources.
- Stop Think Connect - This is a great resource to share with employees, customers or anyone else who wants to learn some of the basics of staying secure in our ever-connected digital world. Tips range from how to keep a clean computer to protecting your personal information.
Embrace the Unpredictable
At the beginning of this article I told you not to panic, and if you have read this far that might be exactly what you’re doing. That's not intentional on my part. Cybersecurity can be overwhelming and scary and nerve wracking. I know it because I feel the same way about it too, and this is my job.
I encourage you to embrace that uneasy, anxious and unpredictable feeling when you think about cybersecurity. It’s normal. It’s a survival instinct. If you didn’t have that feeling, it might mean you just don’t care about cybersecurity. Use that energy and channel it into implementing strategic cybersecurity initiatives that provide actual security to your agency. Don’t get swindled by fancy tools, new technologies and buzzwords. At least initially, stick to what is proven to work and can be implemented for little cost and the most reward in actual security.
Best of luck, you can do it! One step at a time!