From ITC Agent Conference 2015...
ITC takes the security of your data seriously. You should too. As an insurance agent, you hold critical personally identifiable information about your clients. Learn how to protect your agency and your clients' data from an actual hacker and someone who wants to protect you from hackers.
4. Sorry to Scare You…
• In case of a security breach you could be:
• Subject to $1,000 to $100,000 per incident
• Each piece of breached data may qualify as a separate incident
• Required to notify individuals and the media of the breach
• Required to provide monitoring or remuneration to affected parties
• Applies to all agents, not just health.
5. What is Your Data Worth?
• Financial data is $5/record
• Health data is worth $50/record
• Identity theft data is worth $188/record
6. Security and Confidentiality Laws
• Health Insurance Portability and Accountability Act (HIPAA)
• Health Information Technology for Economic and Clinical Health (HITECH)
• Payment Card Industry Data Security Standard (PCI DSS)
• Sarbanes–Oxley Act of 2002 (SOX)
• Gramm–Leach–Bliley Act (GLBA)
• State and Federal Laws
• Cyber Liability, Professional Liability, Errors and Omissions Policies
• Carrier Contracts
7. What is Considered PII?
• Name
• Address
• Birthday
• Social security number
• Driver's license number
• Financial information
• Email
• Health information
8. Ease of Access = Less Security
The more difficult it is to access, the more secure it is.
9. Points of Entry
• Physical
• Technology infrastructure
• Remote access
• Phone system
• Cloud and vendor products and services
• Employees
12. Physical Access
• Limit access to critical areas
• Anywhere with a computer or access to security infrastructure is critical
• Secure servers in a locked cabinet
• Security cameras
• Security system
• Even alarm inner doors during business hours
14. Technology Infrastructure
• New machines are cheap
• Update and patch
• Operating systems
• Software
• Firewalls
• Run supported software
• Encrypt mobile devices
• Use high security Wi-Fi (WPA2-PSK or Enterprise RADIUS)
• System policies
• Disable USB storage
• Force password change
• Force screen saver lock
• Install prevention
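As an added example that is not part of the ITC deck, the following PowerShell applies the three "System policies" bullets above on a standalone Windows workstation. The 90-day maximum password age, 14-character minimum and 10-minute lock timeout are assumed values, and the screen saver keys affect only the user running the script unless deployed through Group Policy or a logon script.

```powershell
# Added example, not from the ITC presentation. Run from an elevated PowerShell
# prompt on a standalone Windows workstation. Numeric values are assumed defaults.

# 1. Disable USB storage: set the USBSTOR driver start type to 4 (Disabled).
#    Existing USB disks stop mounting; keyboards and mice are unaffected.
$usbstor = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
Set-ItemProperty -Path $usbstor -Name 'Start' -Value 4 -Type DWord

# 2. Force password change: local account policy (assumed values: 90-day max
#    age, 14-character minimum, remember the last 5 passwords).
net accounts /maxpwage:90 /minpwlen:14 /uniquepw:5

# 3. Force screen saver lock via the per-user policy keys (REG_SZ values, as
#    Group Policy writes them). Assumed timeout: 600 seconds.
$desktop = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
New-Item -Path $desktop -Force | Out-Null
Set-ItemProperty -Path $desktop -Name 'ScreenSaveActive'    -Value '1'   -Type String
Set-ItemProperty -Path $desktop -Name 'ScreenSaverIsSecure' -Value '1'   -Type String
Set-ItemProperty -Path $desktop -Name 'ScreenSaveTimeOut'   -Value '600' -Type String
# A screen saver must be selected for the timeout to fire; scrnsave.scr is the
# blank screen saver shipped with Windows.
Set-ItemProperty -Path $desktop -Name 'SCRNSAVE.EXE' -Value 'scrnsave.scr' -Type String

# Verify what was applied.
Get-ItemProperty -Path $usbstor -Name 'Start' | Select-Object Start
net accounts
Get-ItemProperty -Path $desktop |
    Select-Object ScreenSaveActive, ScreenSaverIsSecure, ScreenSaveTimeOut, 'SCRNSAVE.EXE'
```

Domain-joined machines should receive the same settings from a Group Policy Object rather than a local script, so that they are enforced and reported centrally.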
16. Remote Access
• Do you or your employees really need it?
• How often do you use it?
• Turn it on only when you need it
• Use two-factor authentication
• DUO
• RSA Key
22. Employees
• Users do not like security
• Train users on the importance of security and how to recognize social engineering
• Security begins and ends with them; include them in the conversation
24. More Security = Less Threat
The harder you make it, the less of a target you are.
25. Suggestions
• Create a security program
• Longer passwords are better
• Change passwords often
• Use authentication that changes
• Hire an IT professional to secure your network
• Keep all software patched and up to date
• Lower your attack profile
• Encrypt everything
Ask questions…
77% say their company is safe from cyber threats
66% say they are not concerned with hackers, cyber-criminals, or even employees stealing data
47% believe a data breach would have no impact on their business
https://www.staysafeonline.org/business-safe-online/resources/
71% of data breaches target small businesses
96% of data breaches target payment card data
Do any of these required fields look familiar to an agent?
Doors, Server Room, Desktops
Using cameras to socially engineer or steal passwords.
Wi-Fi (hide SSID, MAC filtering, limiting DHCP pools), Operating Systems, Software, Firewalls, Mobile Devices (Laptops, Tablets, Phones), Crack Windows login. XBOX/PS DDOS of Firewall. Don't allow yourself to be a point of contact either.
Updates to OS, Software, Firewalls. Mobile devices encrypted storage. Crack Windows login.
Remote Desktop
GoToMyPC
VPN
Two factor. Access = security hole.
VOIP, Conference Bridges, Long Distance Calling, Paging
Someone could just take a phone home and call from home.
Focus on security? Security audits? Save password is bad. Require local install of data.
Disgruntled Employee, Unethical Employee, What is social engineering? Other vulnerabilities can be exploited to leverage social engineering.
60% of small businesses close within six months of experiencing a data breach
SMB Security Program Status:
87% do not have a formal written security policy
59% do not have a security incident response plan for a data breach
50% of users still use poor passwords
83% do not have a system to require employees to periodically change passwords