In the current wave of ransomware attacks, large insurance agencies have a bright red target on their backs because they have lots of personally identifiable information (PII) and have the means to pay high ransoms. Smaller insurance agencies are just as vulnerable but might not have the means to secure or reclaim client information. Regardless of size, insurance agencies that do not properly educate their staff are leaving major gaps that can be exploited.
One of the most common ways for agencies to lose valuable information is through insider threats, which occur when employees or people with approved access to your systems take or leak information through sabotage, theft, espionage, fraud or just plain ol' human error.
By preparing agents to be the first line of defense against cybercrime, insurance agencies can change employees from risks to guardians and minimize the chances of an attack that harms their clients, reputation and bottom line.
Improve email security with agency-wide policies and multi-factor authentication
Compromised emails are the entry point for 60% of cyber attacks and create opportunities for criminals to plant ransomware, steal funds and misuse sensitive information. Hackers have access to databases chock full of compromised email accounts. Agencies want to keep employee emails off these lists, but they also need to protect themselves if an agent's accounts find their way there. Criminals can use these accounts to gain access to your agency network like a lily pad, leaping from a personal account to a work account to a company-wide breach.
Here's an example: John Doe is unaware his Facebook credentials are in one of these illicit databases. Hackers have access to his full name, personal email address, password and place of work: ABC Insurance. They learn from the agency website that agents' email format is email@example.com. With this information, they can email John and other agents or attempt to log in to his work email. Whether or not he's reused his password, an experienced hacker can get access in a matter of minutes.
There are multiple steps agencies can take to minimize the chances of compromised emails:
- Don't publish any employee emails on your website. Limit public emails to aliases such as firstname.lastname@example.org or use a contact form.
- Don't let your agency's security hinge on another site's vulnerability. Ensure employees don't use their work emails to sign up for other websites.
- Use multi-factor authentication (MFA) for all email log-ins. While text messages are one way to add an authentication factor, SMS channels are vulnerable to hacking. MFA apps are the gold standard and are likely free to use with your agency management system, such as Microsoft 360.
Educate agents about phishing and safe email habits
All agents must be vigilant about phishing emails that steal PII by impersonating another person or organization. Phishing has become sophisticated enough to fool multiple employees within an organization, posing as legitimate emails from systems that criminals know an agency uses. Whether your agents are working on-site or remotely, all it takes is one successful phishing attempt for a bad actor to install malware or steal sensitive information.
Good email habits and open communication can thwart phishing attacks:
- Err on the side of caution when opening links and entering log-in information. Agents should not log into a website directly through a form in an email.
- Verify the domain name/URL of any link opened from an email. Cybercriminals create fake, nearly identical pages that can fool anyone not paying close attention to what website they're really on.
- If your agency uses Slack or a similar platform, you can dedicate a channel to report suspected phishing.
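The checks in the list above (does the link text match where the link really goes, is the destination a lookalike of a domain you trust, is there a login form embedded in the message) can be automated so a mail gateway or a helpdesk tool can flag a suspect email before an agent clicks. The script below is an added example written for this article, not code from the original or from any product it mentions; the trusted-domain list, the sample email and the similarity threshold are constructed assumptions, and the "registrable domain" helper simply keeps the last two labels of a hostname, which is good enough to show the idea but is not a full public-suffix implementation.

```python
import re
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the agency legitimately links to (constructed for this example).
TRUSTED_DOMAINS = frozenset({"abcinsurance.example", "example.org"})

IP_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
DOMAIN_IN_TEXT_RE = re.compile(r"\b([a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs and note whether a <form> is present."""

    def __init__(self):
        super().__init__()
        self.links = []        # list of [href, visible text]
        self.has_form = False
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self._current = [attrs["href"], ""]
            self.links.append(self._current)
        elif tag == "form":
            self.has_form = True

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a":
            self._current = None


def registrable(host):
    """Crude registrable domain: the last two labels (assumption, not a PSL lookup)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def looks_like(domain, trusted, threshold=0.8):
    """Return the trusted domain this one closely resembles (typosquat), else None."""
    for t in sorted(trusted):
        if domain != t and SequenceMatcher(None, domain, t).ratio() >= threshold:
            return t
    return None


def analyze_email_html(html, trusted=TRUSTED_DOMAINS):
    """Return a list of plain-language findings for an HTML email body."""
    parser = _LinkExtractor()
    parser.feed(html)
    findings = []
    if parser.has_form:
        findings.append("email contains an HTML form: never enter credentials here")
    for href, text in parser.links:
        url = urlparse(href.strip())
        host = url.hostname or ""
        if url.scheme not in ("http", "https") or not host:
            continue
        if IP_RE.match(host):
            findings.append(f"link to bare IP address: {href}")
            continue
        dom = registrable(host)
        # The visible text names one domain but the link goes somewhere else.
        m = DOMAIN_IN_TEXT_RE.search(text)
        if m and registrable(m.group(0)) != dom:
            findings.append(f"link text says {m.group(0)} but goes to {host}")
        # The destination is a near-copy of a domain we trust.
        near = looks_like(dom, trusted)
        if near:
            findings.append(f"{host} resembles trusted domain {near}")
        elif dom not in trusted:
            findings.append(f"link to unknown domain {host}: reach it by typing the address yourself")
    return findings


# Constructed sample message: a lookalike login link plus an embedded form.
SAMPLE_EMAIL = """
<p>Your ABC Insurance mailbox is almost full. Sign in at
<a href="https://abcinsurance-login.example/portal">https://abcinsurance.example/portal</a>
within 24 hours.</p>
<form action="https://abcinsurance-login.example/collect"><input name="password"></form>
<p>Or use the <a href="http://203.0.113.5/login">secure login</a> page.</p>
<p>Questions? Visit the <a href="https://example.org/help">help desk</a>.</p>
"""

if __name__ == "__main__":
    for finding in analyze_email_html(SAMPLE_EMAIL):
        print("-", finding)
```

Running it on the sample prints four findings (the embedded form, the mismatch between link text and destination, the lookalike domain, and the bare-IP link) and nothing for the genuine help-desk link. The similarity threshold is deliberately loose so that it errs toward flagging; in a real deployment you would tune it against your own mail and feed flagged messages to the reporting channel mentioned above rather than blocking outright.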
Encourage vigilance in and out of the workplace
A great way to ensure that agents are vigilant is to test employees with a mock-phishing email to see if they catch it. There is software available that can help with this, or you can have a close contact from outside your agency send an email asking agents to reply with a phone number or other piece of PII. If the email sounds urgent enough, many times people will reply with the requested information thinking they are helping in an emergency. Collect the emails that come back to your outsider contact and discuss them with the team as an opportunity for education on cyber security awareness. Once you have a baseline, repeat the test every few months and monitor how your agency's cybersecurity improves (we hope) over time.
It's also a good idea to educate agents on the value of regularly checking their personal account security to prevent a lily pad breach. Websites like Avast and haveibeenpwned inform you if there are PII leaks associated with your email address. Agents can check their personal accounts at these sites and keep on top of their own data security for the security of their agencies.
Insurance agents need to treat their emails like they're the keys to the agency vault -- because they are. Increasing email security through these simple methods makes your agency much harder to breach and will ultimately save money and prevent headaches, including lost goodwill among clients.