Part 2: 3 Essentials to Understanding Data Security for Small Business Owners

This blog post is part of a series written by members of IIANC’s Agency Management & Technology Committee.

Guest Post By: Tom Fisher – Insurance Service of Asheville, Asheville, NC


Oftentimes small independent agency owners don’t know how to approach data security, or even know whether they have a firewall in place. This is generally put off on the “I.T. Guy”, who may or may not actually exist, and who for the smaller agency usually turns out to be someone with very little actual I.T. (much less security) experience (think duties handed off to the bookkeeper, the office manager, or an owner’s high-school-aged son or daughter).

Depending on which ‘survey of the week’ you’re paying attention to, the number one cause of data breaches can vary. Regardless of which you choose to pay attention to, the same three usually appear at the top: lost and stolen devices, hacks/attacks, and employees (through malice or mistake).

In this series of blog posts I’ll be highlighting these 3 essential areas that every [insert top-dog title here] must understand to have a better grasp of their own security risks and some best-practices to overcome them.

___________________________________________________________________________________

Essential #2:  Take immediate measures that make your agency less vulnerable to hacks/cracks

It’s no surprise that the most publicized data breaches are the result of hacks and cracks. Target, Home Depot, Sony and Anthem are the unlucky victims of some of the largest breaches in history, and all were due to unauthorized access by outsiders. In other words, they were ‘hacked’.

Unfortunately, there is no such thing as a 100% secure network. So if corporations with budgets the size of Target’s are vulnerable to such attacks, what is a small agency owner to do?

By making your attack surface smaller and more difficult to penetrate you greatly increase the chances that attackers will move on to an easier victim.

Here are the top 3 measures to immediately take within your agency:

1. Practice Good Password Hygiene

If there is one single thing any organization can do to better safeguard their data, it is to follow good password hygiene, which includes the following:

  • Use strong passwords/passphrases. Security research has taught us that the top passwords used year after year are “password”, “123456”, “monkey” and “welcome”. Choose or generate a strong password that isn’t in the dictionary and make sure it contains some symbols and numeric characters.
  • Enable two-factor authentication where possible. Two-factor authentication (2FA), also called two-step verification or multi-factor authentication, is an extra layer of security that requires two separate pieces of evidence to authenticate. Normally this combines something the user ‘knows’ (like a password) with something the user ‘has’ (like a key fob or cellphone). It can also include something the user ‘is’ (biometrics, such as retina and fingerprint scans). Typically the first step is your usual username and password, and then a second piece of information (normally a shorter PIN) is required. These PINs can be generated on a mobile device by an app, delivered by SMS/text message, or displayed on a special key fob. 2FA isn’t available for everything, but more and more vendors are making it available to their customers on different platforms.
  • Do not reuse passwords or use the same password on multiple sites. The majority of people have one or a handful of passwords (or variations of them) that they use for every website they visit. This is convenient, yet dangerous. Let’s say your favorite online retailer has a security breach. The email address and password you used on that site are now potentially in the wrong hands. If you use that same email address and password at other sites (say, your bank), those credentials too are now in the wrong hands. Using a complex and unique password for each and every site you visit means a breach at one site does not expose your accounts anywhere else. This sounds difficult, but really isn’t once you implement a password manager properly (see the next point).
  • Use a password manager. Most of the above password practices are almost impossible to follow without a password manager. A password manager is an application (usually a plugin for your web browser and/or a mobile app) that stores, organizes and generates passwords. Not only does a good password manager remember all of your passwords, it can also save the links/bookmarks to the sites you visit and automatically fill in your email address/user name/password and other ‘form’ information like credit card numbers, addresses, and the like. There are a number of different solutions out there, but the big names at the moment are LastPass, Dashlane, KeePass, 1Password and RoboForm. All of these have accompanying mobile apps, so even when you’re away from your regular office/home computers you’ll always have access to your passwords and other site data. Keep in mind that the password you use to secure your password manager instantly becomes the most sensitive piece of data you own. It should be a long, strong and complex password that you don’t use anywhere else, because you are putting all of your eggs in one basket here. If the password manager supports two-factor authentication, enable it!


2. Apply Patches and Updates Quickly and Regularly

New threats are being created and introduced into the world every hour of every day. Malware and viruses often infiltrate a system by taking advantage of flaws in software. The more popular and widespread the software, the more likely its flaws are to be exploited. Windows, Internet Explorer, Adobe Flash, Java and Adobe Reader are some of the most exploited products out there for one simple reason: they’re the most commonly used. It is crucial to keep these products updated and patched, and most offer a way to automate the process so you don’t even have to think about it.


3. Install and Keep Updated AntiVirus Software

AntiVirus/AntiMalware security software should be installed on all workstations. As with most software, there are dozens of vendors to choose from. Norton/Symantec, McAfee, Avast, TrendMicro and Sophos are some of the big players. There are some ‘free’ options out there, but often their licensing model prohibits the free versions from being used in a corporate, for-profit environment.

A non-exhaustive list is maintained at this Wikipedia page.

More than with any other software, it is imperative that antivirus software is kept up to date. Antivirus companies often update their software (definitions) multiple times a day to keep up with the ever-changing threats. Make sure your software is set to update itself at least every 24 hours.


Stay tuned for the next installment:  Essential #3:  Humans

———-

Tom Fisher has been in the insurance business for over 12 years and has had a profound passion for technology for over 30. It is at the intersection of information technology & insurance where you’ll find Tom, using his broad knowledge of technology to help align agency business goals and objectives with technology solutions.

Tom graduated from Western Carolina University with a bachelor’s degree in Computer Information Systems and holds multiple insurance and I.T. industry designations.