We’ve all heard of the big ‘hacks’ where millions of our fellow citizens’ data is spirited away by some unknown cybercriminal to be sold on the notorious Dark Web. These attacks against multi-billion dollar companies are often caused by some random employee with a simple password or a person trying to get their work done by using an unsecured internet portal. While seemingly innocent mistakes, they lead to real-world problems which cost the company in both fines and bad PR, and cost the individuals in identity theft protection and credit locking. So if companies with financial resources like Target, Home Depot, Delta, GameStop and Arby’s can get data stolen, what are the chances for small insurance vertical businesses?
According to the statistics there has been a steady rise in cyber-attacks against small businesses (fewer than 250 employees) over the last few years, with more than 50% experiencing some form of data intrusion or malware. Even without the massive public presence and marketing recognition that our insurance carrier partners have, there are still numerous avenues for a small business to suffer a cyber intrusion event that is financially draining and creates a rift in carrier confidence. The problem is we’re all still connected to the same internet, we all still receive the same emails, and we all still have employees who could use ‘password’ as their password, so in a sense the issues that bring down billion-dollar firms are the same ones we need to protect against. Thankfully, our job might be a bit easier.
So the good news, from my perspective, is that our chances are very good for keeping our insurance partners’ data safe. We have fewer employees to provide cyber security training to, we have fewer access points to firewall, we have fewer emails to scan, we have only one website to scan for vulnerabilities, we have fewer PCs and databases to encrypt, our business continuity and disaster recovery plans can be a bit simpler, and our Computer Security Incident Response Team can meet by swiveling in their chairs. While it still seems like a lot of work, thought and effort goes into keeping even a small business’s data secure, these are the items that any business needs at minimum just to scrape by a modern insurance carrier security audit… and they are justified in asking. Any data breach of our system is a poor reflection on our partner at a time when policyholder retention is at a premium. Just like moving from guide books to estimating software, or from 35mm to digital photos, the technology that facilitates our business offering changes over time and we must change with it. The bad news, however, is that all this security comes with a pretty hefty cost.
The directives and funding come from the top of any organization, so having senior management who understand data security challenges and are willing to employ protective measures is the first key to a successful strategy. Next is having a strong technology officer who can define the goals of how the company will fight against a breach from both a personnel and a technology perspective, as both are equally important – if all the doors have locks but no one uses them, then the house is still unsecured. This leads to the next key, which is actually writing the informative documents and policies, creating the needed procedures, and implementing the needed process improvements. Here is where rubber meets road. Finding comprehensive online security training classes for all employees and ensuring the employee handbook and supporting documents clearly outline security expectations is just as important as giving your IT managers the needed tools and desktop software to keep all the company’s PCs patched and the virus definitions current.
Just like in all things, progress happens, which unfortunately means cyber-criminals will be writing more effective malware as quickly as white hats are working to prevent the next WannaCry ransomware attack from halting a business’s operations. It’s up to each small business to employ the needed defenses in order to keep the data we’ve been entrusted with secure. We have to be ever vigilant because, while we only need to fill out the security assessment once in a while, the threats are constantly knocking at the door – so make sure to keep them locked!