This blog post is part of a series written by members of IIANC’s Agency Management & Technology Committee.
Guest Post By: Tom Fisher – Insurance Service of Asheville, Asheville, NC
Oftentimes small independent agency owners don’t know how to approach data security, or even know if they have a firewall in place. This is generally put off on the “I.T. Guy” who may or may not actually exist, and for the smaller agencies usually turns out to be someone with very little actual I.T. (much less security) experience (think duties handed off to the bookkeeper, office manager, or a principal’s high-school-aged son).
Depending on which ‘survey of the week’ you’re paying attention to, the number one cause of data breaches can vary. Regardless of which you choose to pay attention to, the same three usually appear at the top: lost and stolen devices, hacks/attacks, and employees (intentional and unintentional).
In this series of blog posts I’ll be highlighting these 3 essential areas that every agency owner must understand to have a better grasp of their own security risks and some best-practices to overcome them.
Essential #1: Encrypt and control mobile devices and portable media to mitigate the risks associated with lost and stolen devices.
A 2014 study done by Bitglass showed that since 2010 the loss or theft of employee mobile devices with information on them accounts for 68% of all healthcare-related data breaches.
Lost and stolen laptops don’t make for sexy headlines the way Chinese hackers seem to, so you’re more likely to hear the hacking stories even though chances are they happen less frequently.
The good news about this type of loss is that it’s much easier to prevent and defend against than other types of losses.
Humans make mistakes and we all do silly human things at some point. Have any of the following happened to you or sound unrealistic?
- Leave your iPhone at a restaurant or in the back of a cab
- Forget your tablet or laptop in the seatback on your flight (and not realize it until you’re at the hotel)
- Drop a USB drive that contained the data for the reports you were going to work on that evening
- Leave your car unlocked while running into the convenience store, only to find your laptop bag gone after returning home
It’s easy for one to stick their head in the sand and state “We’ll never be hacked”, but it’s much harder to deny that any of the above could realistically happen to a business owner or employee.
While BYOD policies, procedures and good common sense are a good start to preventing these losses, what we must do is make these devices more easily found once lost and make the data on these devices inaccessible to unauthorized persons should we lose possession of them.
We can accomplish these objectives by using a two-pronged approach of encrypt and control. Both have potential to work hand-in-hand, depending upon the type of device.
Simply put, encryption can be thought of as scrambling and locking data. In order to unscramble the data and have it in a usable format, a key (usually in the form of a password) must be provided. Keep in mind that a password-protected device does NOT automatically or necessarily make the data contained on the device encrypted. How you go about encrypting the contents, and what it costs, varies with specifics like the type of device.
- On PCs (including laptops and some Windows-based tablets, like the Surface Pro), the most important thing to understand is that just because your computer asks you for a password to log in does NOT necessarily mean its contents have been encrypted. Some tools to encrypt data on PCs include:
  - BitLocker – built in and free in certain editions of Windows. Details can be found here.
  - DiskCryptor – free under GNU. Found here.
  - A full list of PC encryption tools can be found here.
- On mobile devices:
  - Apple iOS: Apple made it easy. Enabling a PIN or passcode on your iOS tablet or phone will automatically enable encryption on the device.
  - Google Android: Just having a PIN or passcode on your Android-based phone or tablet will not enable encryption (although it is a prerequisite). A great article on how to turn on Android encryption can be found here.
  - Microsoft Windows Phone: A special version of BitLocker is available in both Windows Phone 8 and Windows Phone 10. It seems that managing and turning encryption on is much easier in the more recent version. Read about it here.
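For the PC case above, here is one way to check whether a drive is actually encrypted rather than just sitting behind a login password. This is an added example, not part of the original post: it relies on the built-in `Get-BitLockerVolume` cmdlet, while the function name `Get-EncryptionFinding` and the sample volumes are made up for illustration.

```powershell
# Added example: report whether each volume is really encrypted.
function Get-EncryptionFinding {          # hypothetical helper name
    param([Parameter(Mandatory, ValueFromPipeline)] $Volume)
    process {
        # Convert to strings so real enum values and the constructed samples compare alike.
        $status     = "$($Volume.VolumeStatus)"
        $protection = "$($Volume.ProtectionStatus)"

        $finding = if ($status -eq 'FullyDecrypted') {
            'NOT ENCRYPTED: anyone holding the disk can read it'
        } elseif ($status -ne 'FullyEncrypted') {
            # Encryption or decryption still running: part of the disk is in the clear.
            "INCOMPLETE: $status, $($Volume.EncryptionPercentage)% done"
        } elseif ($protection -ne 'On') {
            # Suspended BitLocker keeps the data scrambled but leaves the key usable by anyone.
            'PROTECTION OFF: encrypted, but unlockable without a password or key'
        } else {
            'OK: encrypted and protected'
        }
        [pscustomobject]@{ Drive = $Volume.MountPoint; Finding = $finding }
    }
}

# Constructed sample volumes (not from a real machine) so the logic runs anywhere.
$sample = @(
    [pscustomobject]@{ MountPoint = 'C:'; VolumeStatus = 'FullyEncrypted'
                       ProtectionStatus = 'On';  EncryptionPercentage = 100 }
    [pscustomobject]@{ MountPoint = 'D:'; VolumeStatus = 'FullyDecrypted'
                       ProtectionStatus = 'Off'; EncryptionPercentage = 0 }
    [pscustomobject]@{ MountPoint = 'E:'; VolumeStatus = 'EncryptionInProgress'
                       ProtectionStatus = 'Off'; EncryptionPercentage = 42 }
    [pscustomobject]@{ MountPoint = 'F:'; VolumeStatus = 'FullyEncrypted'
                       ProtectionStatus = 'Off'; EncryptionPercentage = 100 }
)
$sample | Get-EncryptionFinding | Format-Table -AutoSize

# On a real PC, run from an elevated PowerShell prompt:
#   Get-BitLockerVolume | Get-EncryptionFinding
```

Every sample drive here could belong to a laptop that asks for a Windows password at login; only `C:` would actually keep its data unreadable if the laptop were lost.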
Mobile Device Management
Mobile Device Management (MDM) software is generally installed on tablets and smart phones but is available for laptops and PCs as well. Usually by installing a simple app, this software allows agency management the ability to remotely control a device. There are many providers of MDM software out there with varying features, but a few of the most important features include:
- The ability to fully wipe devices. This is handy in the event a phone is lost with little to no hope of recovering the device.
- The ability to partially wipe devices. Usually the ‘partial wipe’ will remove specified email accounts (belonging to the company) as well as removing any other sensitive corporate data. The partial wipe is generally used in circumstances when an employee who had corporate email on a personal device leaves the company.
- The ability to locate devices. Sometimes a device is truly lost and not maliciously taken. By using GPS most MDM software solutions provide a way to pinpoint the location of devices for recovery.
- The ability to enforce passcodes, passwords, PINs, etc. If left to their own devices (pun intended), most people will choose not to protect their phones and tablets with a PIN, passcode or password. Good MDM software will enforce the use of these security measures and report any devices not in compliance to IT staff or management.
A comprehensive list of MDM software providers can be found here.
Stay tuned for the next installment: Essential #2: Thwarting Hacks & Attacks
Tom Fisher has been in the insurance business for over 12 years and has had a profound passion for technology for over 30. It is at the intersection of information technology & insurance where you’ll find Tom, using his broad knowledge of technology to help align agency business goals and objectives with technology solutions.
Tom graduated from Western Carolina University with a bachelor’s degree in Computer Information Systems and holds multiple insurance and I.T. industry designations.