by Jeff Yates, ACT Executive Director
High profile cases of identity theft have been all over the general press in recent weeks. We have seen from these cases just how devastating an impact these security breaches can have on the reputations of the firms involved. 59% of consumers now say they are very concerned about identity theft, according to a recent USA TODAY/CNN/Gallup Poll.
All of this publicity has also gotten the attention of independent agencies. A recent IVANS survey found that Internet security is a major concern for independent agents, with viruses and worms being cited as the biggest worry (80%), followed by hackers (42%).
What is often overlooked, however, is that as many as 70% of current security problems result from actions taken by employees—whether it be an outright theft of customer information or an inadvertent mistake that ends up corrupting the business’s systems. Even in the high profile identity theft cases, involving highly sophisticated firms in security management, the breaches often result from simple mistakes, which any business can learn from and protect against.
In one of these cases, the thief figured out a legitimate customer’s too-obvious password and used it to gain access. In another, a former employee of a legitimate customer was able to continue to access the information in the provider’s databases, because the customer had failed to terminate the former employee’s access. In a third instance, criminals obtained an account administrator’s access information, allowing them to create new unauthorized access points into the system.
Agency principals should drive the process in their agencies to make sure:
The proper security assessments are done;
The appropriate policies are put in place;
Existing and new employees are trained on these security procedures and understand their importance; and
Ongoing monitoring systems are incorporated to detect any unusual activity emanating from the agency’s systems, as well as viruses or other “malware,” and to confirm that the employees are adhering to the agency’s security policies.
Over the past year, ACT’s Agency Security Work Group has been working to develop a business tool designed specifically to assist independent agency business leaders and their employees in understanding and protecting against the security issues they face. This new ACT Guide—“The Independent Agent’s Guide to Systems Security; What Every Agency Principal Needs to Know”—is now available for download from ACT’s website at www.independentagent.com/act. The report also includes guidance on securing outside security help, an Agency Security Risk Self-Assessment Tool, a sample Agency Information Security Policy, and steps to consider should a security breach occur.
Many agencies are going to want to engage an independent security consultant to determine the agency’s security vulnerabilities. The new ACT guide, however, can help an agency principal properly define the scope of such an engagement, so that the engagement is cost effective and the agency handles internally the issues it is capable of addressing. The ongoing relationship between the security consultant and the agency’s leadership should very much be one of partnership.
Having to keep track of and manage multiple passwords throughout the firm remains one of the biggest frustrations for many agencies. It is vital, however, that the agency not let this frustration get in the way of treating these passwords with the importance they deserve. All of the identity theft cases mentioned above involved thieves exploiting some vulnerability in a business’s password management process.
The password management process determines who can gain access to your systems and to all of the data that forms the cornerstone of your agency’s value. How you manage your passwords also determines who can access your carriers’ web sites on the agency’s behalf, for which the agency is typically made legally responsible by the carrier.
One of the most promising developments to help agencies with the proliferation of passwords is the development of the new real-time interfaces with the carriers through the agency management systems and comparative raters, where these agency systems store the needed logons and passwords in a secure manner and apply them when the agency employee accesses the carrier. Agencies are encouraged to implement these real-time interfaces for whichever carriers make them available to take advantage of these security benefits on top of all of the other efficiencies they provide.
In order to reduce the risk of hacking, ACT recommends that passwords be specific to each employee, that they have a minimum length of six to eight characters, including at least one lower case letter, one upper case letter, and one number, and that these passwords be changed every ninety days. Employees should keep their passwords confidential and always keep them out of view. Passwords should not be put on Agency Intranets, where they are susceptible to being hacked. They should not be saved in other applications whose security features are not clearly understood. Passwords also should not be stored on laptops or personal digital devices, which have a tendency to be lost or stolen. Finally, it is critical that an agency have a priority procedure to terminate an employee’s access to all systems and websites immediately upon termination. It has been estimated that this important step is overlooked by businesses about 30% of the time.
In addition to managing the password process, it is important for agencies to manage access for their users—that is, to define the extent of the access to applications and information the agency will give to particular employees once they log on. The agency should activate the access controls provided with its agency management system and then determine which users (grouped by role) should have access to particular applications and the accompanying data. Access management adds another layer of security and helps protect the privacy of clients’ confidential information.
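The password rules and the role-based access management described in the two preceding paragraphs can be expressed as a small access-decision and audit routine. The following Python is an added example written for this article; it is not code from ACT or from any agency management system. The role names, application names, sample accounts and dates are constructed for illustration, and the minimum length is set to eight, the stricter end of the "six to eight characters" guidance. It also shows the audit an agency can run to catch the case the article flags as overlooked about 30% of the time: an employee who has left but whose login was never disabled.

```python
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Thresholds taken from the ACT guidance in the article: six to eight
# characters minimum (the stricter end, 8, is assumed here) and a 90-day change cycle.
PASSWORD_MIN_LENGTH = 8
PASSWORD_MAX_AGE_DAYS = 90

# Constructed role-to-application map for illustration only; an agency
# defines its own roles in the access controls of its management system.
ROLE_PERMISSIONS = {
    "producer": {"policy_lookup", "comparative_rater"},
    "csr": {"policy_lookup", "policy_change"},
    "accounting": {"policy_lookup", "billing"},
    "principal": {"policy_lookup", "comparative_rater", "policy_change", "billing", "user_admin"},
}


def password_policy_violations(password: str) -> list:
    """Return the ways `password` fails the article's composition rules (empty list means compliant)."""
    problems = []
    if len(password) < PASSWORD_MIN_LENGTH:
        problems.append("shorter than %d characters" % PASSWORD_MIN_LENGTH)
    if not re.search(r"[a-z]", password):
        problems.append("no lower case letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper case letter")
    if not re.search(r"[0-9]", password):
        problems.append("no number")
    return problems


@dataclass
class User:
    username: str
    role: str
    password_set_on: date
    terminated_on: Optional[date] = None   # HR record: the employee left on this date
    active: bool = True                    # system record: the login is still enabled


def password_expired(user: User, today: date) -> bool:
    """True once the password is older than the 90-day change cycle."""
    return today - user.password_set_on > timedelta(days=PASSWORD_MAX_AGE_DAYS)


def can_access(user: User, application: str, today: date):
    """Decide whether `user` may open `application` today; returns (allowed, reason)."""
    if not user.active:
        return False, "account disabled"
    if password_expired(user, today):
        return False, "password older than %d days, change required" % PASSWORD_MAX_AGE_DAYS
    if application not in ROLE_PERMISSIONS.get(user.role, set()):
        return False, "role '%s' is not granted '%s'" % (user.role, application)
    return True, "ok"


def terminate_access(user: User, when: date) -> None:
    """The priority procedure: record the departure and disable the login in one step."""
    user.terminated_on = when
    user.active = False


def overlooked_terminations(users, today: date) -> list:
    """Audit: usernames whose employee has left but whose login is still enabled."""
    return [u.username for u in users
            if u.terminated_on is not None and u.terminated_on <= today and u.active]


def stale_passwords(users, today: date) -> list:
    """Audit: enabled logins whose password is past the 90-day cycle."""
    return [u.username for u in users if u.active and password_expired(u, today)]


# Constructed sample accounts (not real agency data).
TODAY = date(2005, 6, 1)
SAMPLE_USERS = [
    User("jsmith", "csr", date(2005, 4, 15)),
    User("mjones", "producer", date(2005, 1, 10)),  # password set 142 days ago
    User("rlee", "accounting", date(2005, 5, 1), terminated_on=date(2005, 5, 20)),  # left, never disabled
]

if __name__ == "__main__":
    for pw in ("Agency2005", "agency2005", "Ag1"):
        print(pw, "->", password_policy_violations(pw) or "compliant")
    for u in SAMPLE_USERS:
        print(u.username, "policy_lookup ->", can_access(u, "policy_lookup", TODAY))
    print("overlooked terminations:", overlooked_terminations(SAMPLE_USERS, TODAY))
    print("stale passwords:", stale_passwords(SAMPLE_USERS, TODAY))
```

Running the sample shows why the audit matters: `rlee` still passes `can_access` for `policy_lookup` because the account was never disabled, and only `overlooked_terminations` surfaces it. Pairing the per-login decision with periodic audits is what turns the written policy into the ongoing monitoring the article calls for.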
The ACT security guide, of course, discusses a whole host of additional security issues that are important for independent agencies to understand and manage. Investments in security are very much like the purchase of insurance. The investments made today, accompanied by effective risk management, can lead to huge savings in the future. It is so much more cost effective to put the necessary security procedures and systems in place upfront, than to have to eliminate the effects of the security breach after the fact—whether it be contaminated files, the theft of customers’ identities, the theft of agency expirations information, or getting the agency’s systems back up and running, so that the agency can continue to conduct business. With the stakes so large, it is no wonder that agency security has taken “center stage” for many agencies as an emerging problem that needs to be better understood and managed.
Jeff Yates is Executive Director of the Agents Council for Technology (ACT) which is part of the Independent Insurance Agents & Brokers of America. Jeff Yates can be reached here. This article reflects the views of the author and should not be construed as an official statement by ACT.