[BreachExchange] Security Matters: It Starts With the Whole Industry

Audrey McNeil audrey at riskbasedsecurity.com
Thu Aug 4 19:48:30 EDT 2016


http://www.insurancejournal.com/blogs/itc-insurance-technologies-corporation/2016/08/04/422271.htm

Your first concern should not be what comparative rater or management
system to use. Your first concern should be your security plan.

Many recent articles and seminars have focused on cyber liability and its
importance to modern businesses. Ironically, the same people selling cyber
policies are the ones with the worst security.

Insurance agents are not the only ones. A lack of security within any
organization comes down to the balance of security and accessibility. Users
find it cumbersome to do things such as change their password regularly.
They are lazy.

A High Profile Example
Facebook CEO Mark Zuckerberg recently had his Twitter, Instagram, and
Pinterest accounts hacked. How did this happen?

In 2012, LinkedIn’s user and password database was hacked. Hackers reviewed
the data dump and decrypted all the passwords. They determined Zuckerberg
used the password “dadada” for his LinkedIn account. When they tried his
LinkedIn username and password on other websites, they worked!

Not only did Zuckerberg have a basic password, but he used that password
across more than one website for years. Yes, the head of one of the most
influential tech companies in the world was too lazy to a. create a complex
password; b. use different passwords across multiple websites; and c.
change his password often.

A lack of security can take other forms besides reusing the same simple
password on many websites.

- Passwords written on post-it notes.
- Unsecured equipment in offices.
- Unencrypted hard drives.
- Sharing of passwords between your agency software and your personal bank
  account.
- Susceptibility to social engineering.
- Out-of-date software and operating systems.

These are just a few of thousands of hazards that threaten insurance agents.

Not Just a Job for the Big Guys
Remember the Target data breach in 2013? The real culprit of the breach was
one of Target’s vendors. The vendor was compromised via an email malware
attack. Yet, who did everyone blame? Target, because they were the
progenitors of the data.

Agents too must be accountable to their partner carriers and vendors. You
must maintain a level of security related to the level of risk your data
presents.

You collect full name, date of birth, social security number, and address.
This is the superfecta of personally identifiable information. It requires
the pinnacle of security.

Agency resources are often limited. Security is often sacrificed to make it
easy for producers.

Remember, by making it easy for an employee to get in, you make it
easier for hackers too. Educate employees on the importance of security.

You can also lean on vendors and carriers to assist in the security of your
data. Use security features provided by vendors. (We recently released
two-factor authentication and also have auto password expiration. Plus, we
require complex passwords.)

This is simply scratching the surface.

Security Needs to Be a Priority for Everyone
It is time for the industry as a whole to make security a priority. This
responsibility falls on everyone – agencies, carriers and vendors. Security
is not one way. We all must be accountable to each other.

We must take security seriously. Not just for ourselves but also for our
customers.

Carriers are starting to require that agents secure a customer’s personal
information. We’ve seen these requirements begin in the past few years.
Some carriers have even started to request a level of cyber liability
insurance.

However, these demands are often not reciprocated back to the carrier.
Agents are the ones who are sending their clients’ information to the
carrier to receive a rate.

How many agents have asked what happens if a carrier’s systems experience a
breach? Was it not the agency that sent them the data in the first place?

Software and service vendors to agencies and carriers are no different. You
send data to your comparative rating system vendor for processing. You send
data to your agency management system for safekeeping.

I can count on two hands how many times I have been asked for details on
the security and insurance coverages related to the securing of an agent’s
data.

A Breach Costs More Than Money
Even with a cyber liability policy, an agency is unlikely to survive a
security breach. A policy can make you and your clients whole again. But,
their faith in you as a trusted steward of their data will be irrevocably
damaged.

What steps are you going to take to safeguard their data for years to come?

Stay tuned to this blog as we explore in future articles how you can secure
your organization from security threats impacting the industry.