Cybersecurity: An Ounce of Prevention is Worth a Pound of Cure

– Regina Stephenson

Benjamin Franklin was a big fan of insurance, but he might have been a bit nonplussed if someone had given him a preview of the industry in 2023.

Risks have changed, and one of the big ones businesses face in this century (and insurance businesses doubly so) is cybersecurity. Insurance carriers, in this case, often sit on both sides of the table. Carriers may insure against cyber threats, and regardless of their line of business, also need robust cyber protection.

Though Ben wouldn’t have recognized the industry today, his aphorisms and turns of phrase still apply, even in cybersecurity. Hackers, malware, spyware, and other bad actors are upping the ante on digital attacks, but, even today, an ounce of prevention is worth a pound of cure. In that spirit, we’re serving up a few ways you can take proactive preventative action to protect yourself from cyber problems.

Physical asset management basics

When it comes to cybersecurity, physical asset management is still a critical part of good cyber hygiene. Insurance companies must take steps to ensure all devices and data networks are secure from unauthorized access. The following are some basics in preventing your hardware from being compromised by bad actors:

• Inventory your assets. Without knowing what you have, you can’t maintain adequate standards and manage your equipment.
• Maintain a plan for asset tracking – modern tech often can remotely track your equipment via GPS. And you’ll want to be able to wipe equipment remotely in the event that a tablet or laptop falls into the wrong hands.
• Standardize physical access controls for hardware and data. This means recognizing that not all people should have access to all things all the time.
• Plan for what to do when employees churn. Do you want people to return their equipment? Can you wipe software and reset it to a trustworthy level of use? Or should you replace each unit entirely? Different organizations take different approaches – understand which one your team is comfortable with.
• Make your teams responsible for their own risk. With a distributed workforce, company tablets and laptops may be floating around at coffeeshops or conferences states (or even countries) away from headquarters. Thus, training your employees on good security hygiene is essential. This could mean being clear about the consequences of leaving a laptop unattended in public or even in their own homes, or it could mean training for how to manage tailgating or unstructured data (think, customer logins on sticky notes).
• Drill, baby, drill. (OK, OK, we’re sorry, we’re sorry, couldn’t resist a good slogan. Or a bad, bad slogan.) The point here: Practice various scenarios of physical hardware breaches and make your organizational response a routine.

While some of these practices seem very basic, the reality is that even a bare minimum effort (EFFORT!) can prevent cursory attacks on your physical security.

As a real-world example, 26.5 million discharged veterans’ data was exposed to online vendors after a Veterans’ Affairs employee took unsecured material home, and it was stolen from their house.

Digital cybersecurity best practices

In a digital-first world, security worries have quickly moved from focusing on physical smash-and-grab concerns to the threats lurking in 1s and 0s.

Insurance carriers have more cybersecurity concerns than most. Thanks to the data-driven nature of the insurance business and the numerous regulatory standards carriers have to adhere to, data protection is non-negotiable.

Many of the same preventative practices that you take to protect your hardware assets apply to your software and digital assets, as well:

• Inventory your digital assets and keep all software up-to-date.
• Maintain records of data access and changes over time.
• Frequently review internal controls for who can access what data, and use things like multi-factor authentication (MFA) to validate logins. You might find working off a zero-trust framework adds another layer of security.
• Make a plan for the transfer and protection of institutional knowledge.
• Train your employees on basic preventative measures.
• Practice how to cope with downtime or your response to (and any mandatory reporting for) a hack or ransomware situation.

Your employees should receive regular training on cyber hygiene and how to recognize potential threats such as phishing emails or links. Conducting vulnerability scans and tests can help identify weaknesses in system architecture that could lead to exploitation of the network if left unchecked.

By taking fundamental precautions, insurance companies can maintain their customers’ trust while remaining compliant with regulatory standards for data security protocols.

Why third-party security matters

If you’ve shored up your own cyber hygiene, you may be sad to hear that third-party security can still be a serious risk to your own cybersafety.

If your vendors are lax, they introduce vulnerabilities to your tech ecosystem and pose a risk to your reputation and core business. For an example of why third-party security matters, we need look no further than 2023’s MOVE-it breach, which exposed the data from scores of life insurance carriers and subjected millions of Americans to privacy violations.

Assessing your partners’ security isn’t always an easy ask. No one wants to get halfway into using a robust, helpful digital tool only to have to cut ties upon discovering  security vulnerabilities. Instead, by vetting third-party vendors for their security practices, you can reduce the risk of data breaches and protect your customers’ sensitive information.

Hopefully, your partners use one or more security standards to align their internal controls with externally prescribed best practices, such as:

• Service organization controls (SOC) 2 Type I: Businesses that provide third-party services complete a review of a prescribed checklist of risks and controls.
• SOC 2 Type II: This is the follow-up to a Type I, which comes through auditing those risks and controls over a period of months (or even a year) to evaluate how well the controls in place work in reality.
• National Institute of Standards and Technology (NIST) Cybersecurity Framework: This is a widely recognized set of guidelines and best practices for organizations to manage and improve their cybersecurity risk management processes.

Conclusion: Assessing your cybersecurity needs

Sometimes, cyberattacks are reminiscent of the Ocean’s 11 movies, where an elaborate scheme starts with a shocking diversion and proceeds through a sophisticated series of maneuvers that finally catches the organization unawares. Yet, more often what it really looks like is a C-suite exec who’s still using their kid’s middle name as every. Single. Password.

Taking cybersecurity seriously means making it easy for your employees and anyone else on your network to follow your best practices with things like password keepers and a regular update cadence. It means deputizing your staff to take active roles in security. And it means making your third-party vendors show you that they don’t pose a risk while providing you services.

To learn more about how AgentSync treats its partners, please reach out, and we hope you had a safe and happy cybersecurity month!