
Security Issues – Trimming Down Hefty Data Security Reports

Author: Steve Aronson
 
Ever try reading a white paper or, worse, a full technical study, on data security issues? They are typically very long, very jargon-heavy and very complex. So what is an agency to do?
 
Historically, smaller and midsize agencies have paid little attention to the data security issues they actually face, and they haven’t gotten out ahead on the issue. They haven’t looked into their crystal balls to do forward-thinking strategy on information protection. Those that sell cyber coverage may be ahead of their peers, but agencies not operating in that niche are not that focused on cyber security. They haven’t really had to be so far since most of the big data breaches seem to be happening in other industries or at companies much larger than theirs. But data breaches are much more common in smaller agencies than one might think.
 
The fact is that small and midsize shops are highly vulnerable to hackers and are increasingly targeted as an entry point to reach bigger data stockpiles at larger partners, such as insurers, vendors and clients. The fact that many agencies have not yet experienced a known data breach or cyber interloper might hamper their motivation to hunker down and really do data security. But that is a game of roulette. At some point, your number is likely to come up, and when it does, the consequences can be devastating in both money and reputation – with clients, prospects and carriers.
 
Many independent agencies rely on the Big “I” to nudge them forward in their cyber knowledge, but even IIABA resources can be overwhelming. The ACT Security Issues Work Group has responded to that problem with an effort to produce a document that is usable on the ground by information technology teams and non-techies alike. The document will be styled as a pocket guide containing short summaries of the most critical issues you face along with brief guidance on how to grapple with them. It will also provide pointers to resources that go into deeper detail, which many readers will want when they get their head around the basics. In fact, the ACT website has a library agents can turn to for free information, and the pocket guide will steer you to many useful sources.
 
Some of the vendor user groups have successfully disseminated similar products. NetVU, for example, produced a pocket guide and distributed it through carriers and other stakeholders. Ours will address 15 topics. Our committee members are each tackling a couple of the topics and drafting content on their specialty areas. The drafts will go through an editorial process to make sure content is concise, clear and correct.
 
We have gotten great buy-in from our work group members. They are industry people first, so they are coming at the data security problem from your vantage point. They are passionate about their topics and have dedicated long hours to researching, reading, and attending meetings led by experts, both in the data security sector and on the business management side where the rubber meets the road. We have heard about many successes and some failures, and all of those stories direct our efforts at producing a practical pocket guide that will provide actionable ideas for your agency.
 
I expect ACT’s previously published data security document will be updated after the pocket guide goes out. The original 22 issues we considered have been honed to 15, and each topic will get its own section in the document. Here is a brief overview of what the guide will cover:
  1. Mitigation of Cyber Risk—Includes hackers but also natural or manmade disasters

  2. Agency Passwords—Covers seriousness of the issues and solutions

  3. Data Breach Laws—Addresses state laws, regulations and prevention

  4. Document Retention—Federal and state laws on retention and proper disposal

  5. Database Encryption—Regulatory compliance and resources

  6. IP Phone Systems Security—Dangers of unencrypted VoIP traffic and other data exposures

  7. Real-Time Monitoring—Data-loss prevention solutions combined with an understanding of the data you have flowing in and out of your network

  8. Paper Versus Paperless—Data hosting, security vulnerabilities, critical planning for going paperless

  9. Protecting Confidential Information—Compliance gap assessments, risk analyses, training to monitor data flow

  10. Remote Access of Agency Systems—Authentication, intrusion detection and prevention, the use of virtual private networks (VPNs)

  11. ASP Systems—Application service provider systems for data backup, automatic updates, virus scanning, etc. for agency management systems

  12. Mobile Devices—Exposures you face from wireless connections and device security failures

  13. Education/Training—How to get everyone on board and keep them there

  14. Document Destruction—Not only about paper files; data resides on portable drives as well as cloud services

  15. Electronic Communications—Laws, best practices and ACORD standards.
 
Your Security Issues Work Group has jumped in with both feet to help your agency get concise, accurate information that will help you through the various stages of data security. It is for novices as well as those who have already started along the path to cyber security. The key is its digestible size and wealth of resource pointers. We hope you will dive into it yourself and give us your feedback so we can keep improving ACT’s security effort for you. Look for this guide to be produced by ACT this fall.