Michael Spiar, Broker Relations & Communications Specialist | Saskatchewan Broker
Insurance brokers are undoubtedly aware of the risk presented by cyber threats – after all, many of them sell policies to protect their clients from the consequences of falling victim to one. But are brokers doing enough to protect themselves from cyber risk? All too often, brokers know that cyber is a concern, but are uncertain of how to address it.
CSIO has developed a variety of resources to support brokers in implementing a strong cybersecurity policy, covering different types of threats. This article serves as an introduction to many of them:
A whopping 63% of confirmed data breaches involved weak, stolen or commonly used default passwords, according to Verizon’s 2016 Data Breach Investigations Report.
Many people use short, common, and easy-to-remember passwords such as “123456” or “password,” which makes it easy for hackers to access their accounts. In fact, many attacks don’t target a specific user or company. They simply run a program that attempts to log into several websites at once using a list of email addresses and common passwords (known as “brute forcing”) and take advantage of any account they are able to access.
When establishing password management policies, brokers should consider:
- Never sharing passwords;
- Requiring a mix of numbers, upper- and lower-case letters, and a minimum password length;
- Requiring that users change their password regularly (e.g., every three months); and
- Making passwords into a memorable passphrase (such as “MyPa$$w0rdIsSecure”).
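The password rules listed above can be enforced mechanically when staff set or change a password. The following is an added example, not CSIO's own tooling: a small Python check that applies a minimum length (the 12-character figure is an assumption, since the article gives no number), the required mix of digits and upper- and lower-case letters, and a denylist of common or default passwords of the kind a brute-forcing program tries first (the list here is constructed for illustration).

```python
# Added example: password policy check in the spirit of the broker tips above.
# MIN_LENGTH and COMMON_PASSWORDS are assumptions/constructed values, not figures from the article.

MIN_LENGTH = 12  # assumed minimum; choose a value that fits your brokerage policy

# Constructed denylist: short, common or default passwords such as the "123456" and
# "password" examples in the text. A real deployment would use a much larger list.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "admin", "letmein", "welcome"}


def check_password_policy(password: str, min_length: int = MIN_LENGTH) -> list[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    # Compare case-insensitively so "Password" is caught as well as "password".
    if password.lower() in COMMON_PASSWORDS:
        problems.append("commonly used or default password")
    return problems


if __name__ == "__main__":
    for candidate in ["123456", "Password", "MyPa$$w0rdIsSecure"]:
        result = check_password_policy(candidate)
        print(f"{candidate!r}: {'OK' if not result else ', '.join(result)}")
```

Running the block reports every rule a candidate breaks rather than stopping at the first, which is more useful feedback for a user choosing a new passphrase; the article's own example, "MyPa$$w0rdIsSecure", passes all of the checks.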
In a ransomware attack, hackers gain access to a computer system and, instead of stealing data, encrypt it so the user cannot access it. They then demand payment from the victim before decrypting it. A common ransom for a small organization is typically between $800 and $2,500, but the disruption to business operations can be severe.
Ransomware tips for brokers include:
- Ensure that anti-virus software and firewalls are regularly updated and patched;
- Restrict internet access to trusted websites only;
- Train staff not to download files from an unknown website or open attachments from unfamiliar email addresses; and
- Follow the Principle of Least Privilege, restricting employees to only those systems and files required to do their job, limiting the damage if their computer becomes infected (most BMS products permit this).
In a social engineering attack, hackers will exploit human behaviour to bypass security measures, typically in order to gain access to a company’s computer system. Examples include sending emails that look like they come from a trusted source such as a bank, but are in fact fake (phishing), leaving CDs or USB keys for employees to find and run on their computer (baiting), or simply following an employee into their workplace (tailgating). Prevention tips include:
- Train staff to recognize signs of phishing (e.g., impersonal messages, spelling mistakes, and urgent calls to action);
- Establish strict policies on devices brought in from outside the company; and
- Be aware of unfamiliar people in your office and don’t assume that because they are inside, they were invited.
According to the FBI, a company’s own employees are responsible for 72% of all cyber crime incidents, and another 15-20% are the result of contractors and partners, while only 5-8% are from external threats. In many cases, the breach is accidental, such as an employee falling victim to a phishing scam. Prevention tips include:
- Ensure that partners and third-party contractors with access to your office and/or systems also have adequate security policies in place; and
- Establish data protection controls to track and flag instances when employees access and share confidential data.
CSIO’s intention is to raise awareness around the topic of cybersecurity rather than to make specific recommendations, and brokerages are encouraged to seek the expertise of security experts to assist in the development and implementation of their cybersecurity policy. For more detail on these and other cybersecurity topics, visit our Cybersecurity page for useful, free infosheets and videos.