ACT e-News dove into the issue of cyber crime with Paul Viollis, founder and head of Viollis Group International (viollis.com), a leading security advisory firm. He breaks down some myths and helps agency leaders understand key vulnerabilities.
ACT e-News: Thanks for joining us, Paul. When we think of cyber security, what are we really talking about?
Paul Viollis: Without exception, the biggest issue advisors and agents alike need to preemptively contend with is protecting client data. A breach of clients’ personal data can rapidly destroy the agents’ personal and professional brand and open them up to significant liability past any available insurance coverage.
Crypto is another issue. [Cryptography intrusions beat your encrypted protections.] Crypto hackers can’t get in unless you let them. The only way to prevent this kind of intrusion is to educate your people.
Make sure you’re not already compromised.
Educate every single person in your office how to manage incoming communications and how to quarantine problems.
Monitor activity, looking for encroachment.
Upgrade your encryption as needed.
ACT e-News: It sounds like you need specialists—more knowledge than the typical agency has.
Viollis: You’ve got to go to a specialist, as there are no off-the-shelf solutions. IT is critical to any business, but when you are talking about the type of malicious code that is being circulated, traditional IT personnel are simply not equipped to detect it. Hence, the need for an anti-crime approach.
ACT e-News: Talk to us about systems monitoring for intrusions and unauthorized software. Maybe there are unauthorized users active in portions of your system or temporary applications or utility files that aren’t supposed to be there.
Viollis: No question. The most frightening part about that is this new code cannot be detected with current scanning programs. Monitoring is rapidly becoming the standard since breaches are so final in nature.
ACT e-News: And denied entry incidents—like someone is trying to gain access to guarded files and the system successfully kept them out?
Viollis: That’s right. You definitely want to monitor. You don’t want something bad to island hop—go from computer to computer. If you spot it early, you can quarantine it, keep it from getting out of control. The complexity is beyond the regular IT guy’s ability to fix.
Remote monitoring by a professional group is an option. It can spot the problem automatically and have systems in place to block its progress. It can contain the problem a lot faster than an agency’s in-house team or IT subcontractor can.
ACT e-News: Maybe I’m pretty secure—encrypted, educated. How do I make sure my vendors and clients and other partners aren’t an unlatched gate of entry for the bad guys?
Viollis: It’s sort of like sending your kids to kindergarten. You know someone in there is sick and your kid is going to be exposed to all sorts of things. The need to spot it and block it is paramount.
ACT e-News: OK, but what are my options if I don’t have a monster budget for cyber risk management?
Viollis: Do you actually know how much it costs? It all depends on your size, your system and your infrastructure. As I’ve said many times, “Cheap is expensive.”
ACT e-News: Say I’m all-in on the technology revolution in the industry. I want to maximize my digital use—e-signature, secure forms transactions, social media, commercial data mining, cloud storage and software housing—but I’m afraid that just makes me more vulnerable to hackers.
Viollis: The greater the social media presence the greater the risk. But that’s why protecting your systems and data is the number-one priority. Doing a vulnerability assessment is the first step.
The cloud has a very poor reputation for doing background checks on users and software companies. It’s a hotbed of problems. And social media is a huge gamble—the profit versus the risk might not be worth it.
ACT e-News: What’s the biggest misconception agents have today in their agency regarding cyber crime?
Viollis: That it’s not going to happen to them. Most have their heads in the sand. They think they won’t get hacked. Let me tell you, crime is all about opportunity. More than 95% of insurance companies that have retained us have been post-breach.
ACT e-News: The guys out there phishing and hacking aren’t all super sleuths. It’s like locking the door to your house. The burglars go through a neighborhood checking doorknobs. The one that’s unlocked is the one they enter.
Viollis: Yeah, and you know what? Not one client is going to be understanding when they get that call from you that their data has been compromised. They’re packing up and going somewhere else. All your free credit report monitoring isn’t going to keep them.
ACT e-News: What about a cyber-risk/cyber-security insurance policy for the agency?
Viollis: I wouldn’t count on that. Here’s the thing: you either accept the responsibility for protecting your systems or you don’t. The right decision is your choice.