A Message from a Cybersecurity Expert
Here we go again, same evil, same demons: trojan horses, bots and botnets, spyware, worms, scams and phishing. Then there’s ransomware, malware that attackers install on your network to block access to your data, or to threaten to publish confidential data, unless a ransom is paid. Ransomware has become big business. Not even our critical infrastructure is safe.
Public disclosure of confidential company data leads to the mother of all bumpy roads. Victims are subject to hefty regulatory fines, expansive remediation costs and irreparable damage to brand reputation. A publicly traded company will see its stock tank. Folks need to get serious about cybersecurity. While no one is immune to cyber assault, several high-impact, low-cost countermeasures have proven highly effective in neutralizing the invisible forces that threaten to undermine our business. Here’s what you need to do.
Use your local Windows Firewall. Enable the Windows Firewall default settings on all agency workstations. If you’re already using a third-party firewall, save yourself some money and get rid of it. Perimeter firewalls are overkill for most agencies. Windows Firewall is all your agency needs to both thwart most attack vectors and prevent the insertion of network services that are not on Microsoft’s safe list. Your antimalware system will scan incoming program files for malicious programs, thereby completing your endpoint protection.
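The firewall step above, as an added PowerShell example that is not part of the original article: it restores the built-in Windows Defender Firewall defaults on one workstation (on for every profile, unsolicited inbound blocked, outbound allowed, dropped connections logged) and then lists every enabled rule that still allows inbound traffic, flagging rules whose program does not live under the Windows directory so they can be reviewed. It assumes Windows 10/11 with the built-in NetSecurity module and an elevated PowerShell session.

```powershell
#Requires -RunAsAdministrator
# Added example: reset the built-in Windows Defender Firewall to its default
# posture on this workstation and report which inbound-allow rules remain.
# Assumes Windows 10/11 with the built-in NetSecurity module.

# 1. Turn the firewall on for all three profiles and restore the default policy:
#    block unsolicited inbound connections, allow outbound, log what is dropped.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -Enabled True `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Allow `
    -LogBlocked True `
    -LogMaxSizeKilobytes 4096

# 2. Confirm the settings took effect on every profile.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction |
    Format-Table -AutoSize

# 3. List every enabled rule that still allows inbound traffic. Rules whose
#    program is not under the Windows directory (or that apply to any program)
#    are the ones a third-party installer may have added and deserve a look.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        $app  = $_ | Get-NetFirewallApplicationFilter
        $port = $_ | Get-NetFirewallPortFilter
        # Program paths are often stored as %SystemRoot%\..., so expand them first.
        $program = [Environment]::ExpandEnvironmentVariables($app.Program)
        [pscustomobject]@{
            Rule      = $_.DisplayName
            Profile   = $_.Profile
            Program   = $program
            LocalPort = $port.LocalPort
            Builtin   = ($program -eq 'System' -or $program -like "$env:SystemRoot\*")
        }
    } |
    Sort-Object Builtin, Rule |
    Format-Table -AutoSize
```

Run it once per workstation (or push it through your management tooling) and review the rows where Builtin is False; anything you do not recognize can be disabled with Disable-NetFirewallRule.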
Use two-factor authentication (2FA). 2FA requires two authentication methods to verify your identity: something you know (your password) and something you, not the bad guys, have (a four- to six-digit code texted to your smartphone).
This second hurdle makes it more difficult for the bad guys to access your applications, emails or devices. Microsoft provides step-by-step instructions on setting up 2FA on your agency’s desktop computers, employee home computers and laptops, tablets and smartphones.
Implement a robust password management system. Password managers like LastPass or 1Password enable you to securely log into any web-based system from any computing device, anywhere in the world. The password manager chooses complex passwords for you and stores them, along with other authentication information, in the cloud, where they are available whenever you need them. You’ll never have to remember another URL, login ID or password again.
Enable full-disk encryption. Activate Microsoft BitLocker, a Windows 10 Pro feature that encrypts your entire hard drive when you’re logged out for the day, rendering it useless to intruders.
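The BitLocker step above, as an added PowerShell example that is not part of the original article: it checks whether the system drive is already encrypted and protected, resumes protection if it has been suspended, and otherwise enables BitLocker with a TPM protector plus a recovery password, then saves that recovery password to an escrow location. It assumes Windows 10/11 Pro with a TPM, the built-in BitLocker module and an elevated session; the escrow path is a placeholder.

```powershell
#Requires -RunAsAdministrator
# Added example: verify and enable BitLocker on the system drive.
# Assumes Windows 10/11 Pro with a TPM and the built-in BitLocker module.
$Drive          = 'C:'
$RecoveryKeyDir = '\\FILESERVER\BitLockerKeys'   # placeholder; use your own escrow location

# The TPM is what lets the drive unlock transparently at boot; confirm it is there.
if (-not (Get-Tpm).TpmPresent) {
    throw "No TPM found on $env:COMPUTERNAME; BitLocker needs a different protector here."
}

$vol = Get-BitLockerVolume -MountPoint $Drive
"{0} on {1}: {2}, {3}% encrypted, protection {4}" -f $Drive, $env:COMPUTERNAME,
    $vol.VolumeStatus, $vol.EncryptionPercentage, $vol.ProtectionStatus

switch ($vol.VolumeStatus) {
    'FullyDecrypted' {
        # Create the recovery password first so a key exists before encryption starts,
        # then add the TPM protector so the drive unlocks without user interaction.
        Enable-BitLocker -MountPoint $Drive -EncryptionMethod XtsAes256 `
            -UsedSpaceOnly -SkipHardwareTest -RecoveryPasswordProtector | Out-Null
        Add-BitLockerKeyProtector -MountPoint $Drive -TpmProtector | Out-Null
        $vol = Get-BitLockerVolume -MountPoint $Drive
    }
    'FullyEncrypted' {
        # Encrypted but suspended (for example after a firmware update): turn it back on.
        if ($vol.ProtectionStatus -eq 'Off') { Resume-BitLocker -MountPoint $Drive | Out-Null }
    }
    default { "Encryption in progress on $Drive; check again later." }
}

# Escrow the recovery password: without it, a forgotten PIN or a failed TPM means lost data.
$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if ($recovery) {
    $file = Join-Path $RecoveryKeyDir "$env:COMPUTERNAME-$($recovery.KeyProtectorId).txt"
    Set-Content -Path $file -Value $recovery.RecoveryPassword
    "Recovery password for $Drive escrowed to $file"
}
```

The recovery password is the one piece of this that must be kept somewhere other than the laptop itself; in a domain you would typically replace the file share with Backup-BitLockerKeyProtector to store it in Active Directory.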
Encrypt all email attachments that contain non-public information. Never send non-public information (NPI) in an unencrypted email attachment. You can easily encrypt email attachments using PKZip, WinZip or the native encryption features in office applications like Excel and Word. Likewise, never store NPI in the body of an email.
Use a virtual private network (VPN). A VPN uses an encrypted connection over the internet, ensuring that sensitive data is safely transmitted. It prevents intruders from eavesdropping on your internet traffic and effectively extends your agency’s network far beyond its four walls.
ExpressVPN, NordVPN and PureVPN all offer great plug-and-play VPNs at reasonable monthly costs.
Store sensitive company information in cloud-based “vaults.” Never store NPI locally. If you must feature NPI in Word, Docs, Sheets, Excel, etc., store it in Microsoft Vault or Google Vault. These free tools enable you to store sensitive files in a 2FA-secured, encrypted directory in the cloud.
Call to Action
Insurance agencies face a plethora of challenges from using the internet as a business-enabling technology. For example, securing NPI used to mean locking the front door. Now, it has taken on a level of complexity that most agencies are ill-equipped to address. Governments have now stepped into the fray, imposing vague cybersecurity regulations that declare what you must protect, without saying how — case in point, the New York Department of Financial Services Cybersecurity Regulation.
Daunting indeed, but not to worry. Take a deep breath, relax.
You can mount a vigorous defense. Commit yourself, get some help if you need it and get it done. It’s easier than you think.