Prepare to be Hacked: How to Minimize the Damage

Hacking is big business. It’s been estimated that cybercrime will cost the global economy $600 billion this year[i]. While some attacks will happen behind the scenes, 93% of them will happen right before your very eyes in the form of phishing attempts[ii].

Phishing is the attempt to obtain sensitive information, such as a password or account number, by impersonating a trustworthy source. These often arrive as emails requesting that you sign in to cloud storage services (OneDrive, Dropbox) to view an important invoice or past due bill. Moreover, they often appear to come from a trusted sender, or even a coworker. In the past six months, phishing attempts have increased by more than 60 %[iii], and 22% of employees have clicked at least one phishing link this year[iv].

If you do the math, it’s very clear that the odds are not in your favor. While threat prevention and Security Awareness Training are crucial pieces of your cybersecurity strategy, I’d like to give you one more piece of advice: Expect to be hacked.

It’s no longer enough to try to keep the bad guys out. We need to shift our focus to understanding what they can access when they do get in, and how we can limit their reach. To do that, we need to understand three key things: What data are we keeping, where are we keeping it, and who has access?

It has long been a practice of agencies to keep a permanent record of every business communication. As these records become digital, hackers gain access to years or even decades of non-public information, often long after these records serve a business purpose. As a result, The National Association of Insurance Commissioners is proposing that all Agencies adopt a strategy for reviewing and purging non-public information that is no longer needed[v]. I would encourage you to make a list of the type of data you’re collecting, determine how long it’s needed (by regulation, or business process), and make a plan for eliminating as much as possible to reduce your exposure.

I tend to find at least three treasure troves of client data in every Agency I meet: The Agency Management System, Email, and a shared location such as SharePoint, OneDrive, or a network share. Often, the data stored in email or the shared location is redundant, and only stored there for convenience. Even more alarming, this non-public information is often uploaded to a personal email or cloud account. In fact, 87% of Senior Managers have uploaded business files to personal accounts[vi].

Remember: What’s convenient for you is also convenient for the hacker. It’s important to keep non-public information in as few places as possible, so that monitoring and protection can be as focused and effective as possible. And it should never be permissible to store client data on personal accounts.

It’s also important to limit access to non-public information, so that a single breach will expose as little data as possible. Do all employees need access to client payment records? Do commercial lines employees need access to personal policies? There are numerous ways to limit access, and there’s certainly one that will work in your Agency. I encourage you to make a list of the roles and responsibilities of your employees. You can use that list to begin building a plan to limit the amount of non-public information that can be accessed and compromised by their accounts.

By expecting a security breach, turning our focus inward, and understanding how non-public information is stored and accessed, we can reduce the amount of data that a single breach can expose. Smaller breaches mean less data to sell to the next bad guy, and this hits the hacker where it hurts the most: The wallet.

[i] McAfee Economic Impact of Cybercrime, Feb 2018

[ii] Webroot 2018 Threat Report Mid-Year Update, Sept 2018

[iii] Webroot 2018 Threat Report Mid-Year Update, Sept 2018

[iv] Webroot 2018 Threat Report Mid-Year Update, Sept 2018

[v] NAIC Insurance Data Security Model Law MDL-668

[vi] Virtru Security Insights

Published in Primary Agent Magazine, February 2019.