You may have been hacked but not know it yet. Here’s how to find out and check your data is being protected in the right way.
IT touches almost every element of an insurer or broker’s day-to-day business but is more complex today than ever before. This increase in complexity means many smaller companies cannot afford the variety of skills needed to run their own IT departments and often outsource to a managed service provider (MSP).
What is out of sight is often out of mind, and a lot of businesses don’t have clear insight into how their IT is run, and whether their best interests are being looked after.
Cybersecurity is regularly overlooked until something bad happens, which is when we often get called in. Asking the right questions of your IT department or MSP to help you understand your current security posture today can head off threats before they cause significant damage to your business.
Intersys hosted a webinar for insurers and brokers, moderated by James Livett, Associate Director of the London & International Insurance Brokers Association (LIIBA), on 30 June – ‘Insurance and Cyber Risk’ – which explored which questions to ask first, and why. Below is a summary to get you started:
1. Has Our Business Been Breached?
To quote former Cisco CEO John Chambers, “There are two types of companies – those who have been hacked and those who don’t yet know they have been hacked.” The data-rich nature of insurance makes carriers and brokers top targets for cybercriminals, and remote working has created and exposed system vulnerabilities.
Have you thought about who is accessing your system right now? How would you know? Hackers often have access to systems, data, files, and emails for months before a breach is detected so you may already have been compromised.
Your IT department should be retaining access logs to track what is being accessed and when in the event of a breach. Check this, and how far back they go. Intersys goes further by setting up monitors that alert when suspicious activity occurs, such as mass file downloads or deletions, or an account being accessed from two countries minutes apart. We compare this to a CCTV system monitoring who is going in and out of your virtual data vaults, meaning you can respond before it’s already too late.
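The two alert conditions described above (mass file downloads or deletions, and one account logging in from two countries minutes apart) can be expressed as simple rules run over access logs. The following is an added illustration, not Intersys's monitoring tooling: it assumes a constructed, space-separated log format (`timestamp user action country object`) and sample lines that are invented for the example; the thresholds (20 events in five minutes, 60 minutes for the travel check) are arbitrary starting points you would tune to your own environment.

```python
"""Access-log monitoring: impossible travel and mass file activity.

Added illustration. Assumes a constructed log format:
<ISO-8601 timestamp> <user> <action> <country> <object>
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone


def parse_line(line):
    """Parse one constructed log line into a dict; returns None for blank lines."""
    line = line.strip()
    if not line:
        return None
    ts, user, action, country, obj = line.split(" ", 4)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "user": user,
        "action": action,
        "country": country,
        "object": obj,
    }


def detect_impossible_travel(events, max_minutes=60):
    """Alert when one account logs in from two countries within max_minutes."""
    alerts = []
    last_login = {}  # user -> (timestamp, country) of the previous login
    for ev in events:
        if ev["action"] != "login":
            continue
        prev = last_login.get(ev["user"])
        if prev is not None:
            prev_ts, prev_country = prev
            gap = (ev["ts"] - prev_ts).total_seconds() / 60
            if prev_country != ev["country"] and gap <= max_minutes:
                alerts.append(("impossible_travel", ev["user"],
                               f"{prev_country} then {ev['country']} within {gap:.1f} min"))
        last_login[ev["user"]] = (ev["ts"], ev["country"])
    return alerts


def detect_mass_activity(events, actions=("download", "delete"), threshold=20, window_minutes=5):
    """Alert once per (user, action) when `threshold` or more events of that action
    fall inside a sliding window of window_minutes."""
    alerts = []
    windows = defaultdict(deque)  # (user, action) -> timestamps inside the window
    alerted = set()
    for ev in events:
        if ev["action"] not in actions:
            continue
        key = (ev["user"], ev["action"])
        q = windows[key]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window_minutes * 60:
            q.popleft()  # drop timestamps that have fallen out of the window
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append((f"mass_{ev['action']}", ev["user"],
                           f"{len(q)} {ev['action']}s in {window_minutes} min"))
    return alerts


def run_detections(lines):
    """Parse, order by time, and run both rules; returns (rule, user, detail) tuples."""
    events = [e for e in (parse_line(ln) for ln in lines) if e]
    events.sort(key=lambda e: e["ts"])
    return detect_impossible_travel(events) + detect_mass_activity(events)


def build_sample_log():
    """Constructed sample log, not a capture from any real system."""
    lines = [
        "2021-06-30T09:00:00Z alice login GB -",
        "2021-06-30T09:01:10Z alice download GB policies/renewals.xlsx",
        "2021-06-30T09:02:05Z bob login GB -",
        "2021-06-30T09:04:30Z alice login RO -",   # GB, then RO four and a half minutes later
        "2021-06-30T11:00:00Z carol login GB -",
        "2021-07-01T09:00:00Z carol login US -",   # next day: ordinary travel, not flagged
    ]
    # bob pulls 25 claim files in under three minutes
    start = datetime(2021, 6, 30, 9, 5, 0)
    for i in range(25):
        ts = (start + timedelta(seconds=6 * i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{ts} bob download GB claims/c-{1000 + i}.pdf")
    return lines


if __name__ == "__main__":
    for rule, user, detail in run_detections(build_sample_log()):
        print(f"ALERT {rule:<18} {user:<8} {detail}")
```

Both rules are stateful but only keep the last login per user and the timestamps inside the current window per user and action, so they run happily over a day of logs; the point is that neither rule can fire if access logs are not retained in the first place, which is the check to make with your IT department.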
2. How is Our Sensitive Data Stored?
Often a small team with access to highly privileged information has the keys to your entire infrastructure and all the data you keep. As well as ensuring these individuals – and any third-party organisations processing your data – are storing and sharing information in a secure manner, you need to ensure your business can continue as usual if key IT staff leave or are unavailable.
Highly sensitive data must be stored in a secure location and retained for no longer than necessary.
Password hygiene
- It’s incredibly important to change your passwords at least once a year.
- Ensure that MFA (multifactor authentication) is enabled on all your accounts.
- Don’t store passwords in spreadsheets and don’t use the same password in different places.
- We recommend using password managers which create long random passwords and autofill them at login.
It’s also important to know what information on your company is available on the internet. We have a tool that generates a report of everything linked to your company domain, which we are currently offering to insurers and brokers free of charge. Contact us to find out more.
3. How Are Our Accounts Protected?
The single most effective way of securing your organisation today is multi-factor authentication, which should be enabled wherever possible. Employees may complain that they have to take extra steps, but security is often at odds with convenience. Today, a username and password are simply not enough.
You could also consider locking down your systems to specific locations or preventing admin accounts from being accessed by specific devices. Do you know who has the admin rights to change users’ passwords, access their data or operate their mailboxes? We’ve seen poorly configured organisations in which all users are admins, meaning huge damage can be done if just one account gets breached.
4. How Do You Manage Company Data Stored on Devices?
Nowadays, insurers and brokers have multiple users accessing sensitive data on multiple devices, both in the office and remotely. If your organisation is not encrypting its devices, it should be. Encryption scrambles the data stored on a device’s hard drive unless the right password is entered, protecting it if the device falls into the wrong hands.
You also need to think about what information is being stored on each device. Best practice is for company data only to be stored on company devices, but for smaller companies it may not be financially viable to equip everyone.
Many startups also employ a ‘bring your own device’ model. One way of keeping your data safe without taking total control of a personal device is to use a ‘mobile application management’ tool, which protects just the applications storing company data and enables you to encrypt them and wipe them remotely.
5. Where is Our Data Stored?
Data security regulations and compliance requirements vary around the globe. Ensuring your data resides securely in the country where the business operates is especially important.
If you use multiple MSPs and cloud service providers, it is your responsibility to ensure they host your data under the right regulatory framework for you and your customers. Did you know, for example, that early customers of Microsoft 365, formerly known as Office 365, may still have data backed up and supported in the US?
6. When Did You Last Test Your Backups?
It’s always important to check with your IT department that backups are running, but you also need to check what is being backed up, and where.
If data is backed up in another jurisdiction you could be breaching compliance rules. If it’s backed up onto hardware, is that hardware vulnerable to flood or fire damage? If it’s being taken off site, is it encrypted, and far enough away to be safe?
Storing backups in a building down the street may mean they are exposed to the same perils as the originals. It’s also worth noting providers like Microsoft 365 are not foolproof. We’ve seen incidents where their backups have failed and would recommend using our tool to back up 365, which is relatively inexpensive.
As well as testing the technology, test your business continuity plan. What will you do when something happens to your information? It can take days to download a full cloud backup. A global chip shortage is currently causing delays of weeks or months to replace server hardware. How will you maintain business as usual in these timeframes?
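A backup that has never been restored is an assumption, not a backup. The following is an added illustration (not Intersys's backup tool or any vendor's product) of the minimum test worth automating: restore the backup beside the source, compare every file by SHA-256 digest, and check that the newest file in the backup is recent enough. The files, directories and the "corrupted backup" scenario are all constructed in a temporary folder for the example; `shutil.copytree` stands in for whatever backup job you actually run.

```python
"""Restore test for a file backup: compares a backup against its source by content
hash and checks that the backup is fresh. Added illustration; all data is constructed
in a temporary directory, not a real backup target."""
import hashlib
import shutil
import tempfile
import time
from pathlib import Path


def fingerprint_tree(root):
    """Map each file's path (relative to root) to the SHA-256 digest of its content."""
    root = Path(root)
    digests = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digests[str(path.relative_to(root))] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def verify_backup(source, backup, max_age_hours=24, now=None):
    """Compare a backup to its source. The report lists files missing from the backup,
    files whose content differs, files present only in the backup, and whether the
    newest file in the backup is older than max_age_hours (i.e. the job stopped running)."""
    src, bak = fingerprint_tree(source), fingerprint_tree(backup)
    now = time.time() if now is None else now
    newest = max((p.stat().st_mtime for p in Path(backup).rglob("*") if p.is_file()), default=0)
    return {
        "missing": sorted(set(src) - set(bak)),
        "mismatched": sorted(f for f in src.keys() & bak.keys() if src[f] != bak[f]),
        "extra": sorted(set(bak) - set(src)),
        "stale": (now - newest) > max_age_hours * 3600,
    }


def is_restorable(report):
    """A backup passes only if nothing is missing or altered and it is not stale."""
    return not (report["missing"] or report["mismatched"] or report["stale"])


def demo():
    """Constructed scenario: a healthy backup, then the same backup with one file
    silently corrupted and one never copied, then the same backup judged two days later."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp, "source")
        backup = Path(tmp, "backup")
        sample_files = {                      # constructed sample data
            "policies/renewals.csv": b"policy,renewal\nP1,2021-07-01\n",
            "claims/c-1001.txt": b"claim 1001 open\n",
            "README.txt": b"constructed sample data\n",
        }
        for rel, content in sample_files.items():
            (source / rel).parent.mkdir(parents=True, exist_ok=True)
            (source / rel).write_bytes(content)
        shutil.copytree(source, backup)       # stands in for the real backup job
        healthy = verify_backup(source, backup)
        # Simulate a backup job that partially failed without raising an error
        (backup / "claims/c-1001.txt").write_bytes(b"claim 1001 opem\n")
        (backup / "README.txt").unlink()
        broken = verify_backup(source, backup)
        # Same backup, but checked as if two days had passed with no new run
        stale = verify_backup(source, backup, now=time.time() + 2 * 86400)["stale"]
        return healthy, broken, stale


if __name__ == "__main__":
    healthy, broken, stale = demo()
    print("healthy backup restorable:", is_restorable(healthy))
    print("broken backup report:", broken)
    print("two days without a run is stale:", stale)
```

Run this against a real restore directory rather than the live backup target so the test itself cannot damage the backup, and schedule it so a failing job surfaces as a stale report rather than as a surprise on the day you need the data.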
Cybersecurity is an ongoing process. More than that, it’s a culture. Building awareness and good cyber hygiene among all employees is the best defence against attack. But with insurers and brokers highly likely to have been targeted in the last year or two, it’s vitally important you take stock of your current situation and exposures – and that starts by asking the right questions to the people managing your IT.
Intersys provides IT services to the London area and is well placed to serve the London insurance market.
If you’d like to chat to us about your cyber security, contact us here. We have also created a free downloadable PDF factsheet which contains all the key questions to ask your IT staff.