Hear from a Cyber Security Evangelist on Top Tips to Keep Your Insurance Agency Safe from Attack
Insurance agencies possess sensitive customer information that fraudsters would love to get their hands on, and insurance itself is a powerful lure for ransomware attacks.
This makes the insurance industry especially vulnerable and attractive to cyber criminals.
Along with all the human and economic suffering caused by the global pandemic, 2020 was also a record-breaking year for hacker attacks and data breaches. Unfortunately, most insurance agencies, like all other businesses, are painfully unprepared for a cyber breach, which seems odd given how much we love to preach to our clients the need for proper cyber liability coverage.
But with a $3.9 million price tag for the average SMB breach, and hackers striking every 39 seconds, it’s never too soon to implement a solid digital security plan.
What Security Really Means
Security is all about staying one step ahead of the cyber criminals and patching the most obvious holes.
As more transactions move online, insurance agents must be more vigilant when handling client information. The insurance industry tends to be slow to adopt technology, but with increasing threats of cyber attacks, it’s more important than ever to evolve your agency’s protective measures.
Cyber literacy training for everyone who handles records and interacts with clients is critical.
An agency’s most vulnerable entry point for fraud is through human interaction, a factor in almost 90% of all data breaches.
With that said, it is amazing how many agencies I’ve come across in my practice that use third-party solutions requiring them to email lists or reports of data from their management system to the third-party vendor.
If you’re an agency owner and take nothing more from this article than this: it is not safe, and you should never straight up email a list or report of client info!
You can set up all the software defense layers, but it only takes one person to mistakenly hand over login credentials in a phishing email, and the hacker has gained access to client information.
Another way employees can grant access is via web-based viruses. An employee inadvertently downloads a malicious file, and now you have malware creeping through your company’s servers.
Cyber Risks and Your Agency
There are some simple steps you can take now to protect your agency, data and clients.
Implementing multi-factor authentication (MFA) is the gold standard for login security measures. MFA means using more than one method to verify the identity of a user.
Whenever someone — whether an employee or an external user — logs onto a service or app, or accesses an administrative function, they need to provide corroborating information that matches what’s on file. In addition to a password, multi-factor credentials will add another channel, like sending an SMS to the listed mobile number, asking for additional details established through security questions, or requiring a biometric (fingerprint or face scan).
Because SMS channels can be hacked, experts recommend using an authenticator app for MFA.
Your agency is interacting with customers, carriers and vendors. Who should be accessing what information? All information is potentially valuable to a hacker, but the private details entrusted by clients should be particularly protected and available to only a few with security clearance.
Phishing is another hacker favorite.
Attackers create emails that appear to come from trusted companies or people and are designed to get the recipient to enter their credentials or sensitive information like financial details or Social Security numbers.
Thwart these incursions by training people to never provide sensitive information through a link in an email or even over the phone.
While phishing attempts are broad, spear phishing is much more targeted and planned. Criminals scour employees’ social and other public platforms, looking for details they can use to create realistic extortion schemes.
Awareness training that emphasizes the danger in revealing too much online is important. Also, remind people never to use work email addresses for non-work purposes, and do not list email addresses on your website. Spam and phishing protection software will also check and filter emails as they come into your system.
As employees moved to telework platforms because of the pandemic, it’s more important than ever that company data is secure. All data, including your email management system and employee desktops, should be in the cloud and backed up regularly, an even more secure option than a VPN.
DNS (domain name system) protection is another level of protection that blacklists known dangerous sites and filters content.
Using secure DNS servers helps keep your employees from accidentally going to malicious sites, prevents virus “stowaways” on outgoing mail, and also helps prevent hackers from getting into your domain.
Staying on top of critical patch releases will plug vulnerable areas of your site.
Data Is King
Beyond providing cyber literacy training to your employees and storing your data safely, there are solid technological tools that can defend against sophisticated hacker attacks.
Protecting all of your agency assets — financial, data and reputation — and meeting, or better yet, exceeding any state compliance mandates for security measures is a competitive advantage.
The pandemic pushed millions of people into remote work, online shopping and virtual client relations; accompanying that trend is the rapidly growing threat of cyber crime. Data is the lifeblood of cyber criminals, and every day they probe thousands of businesses to find weak points and information they can use for extortion.
Don’t let yours be one that succumbs to an attack.