Data breaches don’t happen to just large corporations. Small businesses are a frequent target of hackers looking for personally identifiable information. ITC President Laird Rixford explains why your agency is at risk and how hackers can get access to your data.
What is your data worth? You might think not much.
But if your agency has a data breach, you will be subject to a fine per incident of between a thousand dollars and a hundred thousand dollars. For 100 clients, that’s between a hundred thousand dollars and ten million in fines.
Besides the fine, you would have to notify individuals and media of the breach. Plus, you’d be required to provide monitoring or remuneration to affected parties.
This applies to EVERY agent. Not just health insurance agencies. So your data is actually worth quite a bit, which means security matters a lot.
“But no one would hack my small agency!”
Seventy-one percent of data breaches target small businesses.
Consider the information stored in your office and any system you use. This includes your agency management system, comparative rater, and agency marketing system.
You’ve got a ton of personally identifiable information. Names, addresses, birthdays, social security numbers, driver’s license numbers, financial information, email addresses, and health information.
If you think no one will target your agency because you’re not a big corporation, you are mistaken.
There are several points of entry for hackers you need to be aware of.
First, physical access is full access.
Limit access to the critical areas of your agency. Secure your servers in a locked cabinet. Use security cameras and a security system.
Don’t leave anything lying around. Put paperwork in a locked drawer or cabinet. Or better yet, scan paperwork into your agency management system and then shred it.
Oh, and lock your computer when you’re not sitting at your desk.
Second, technology infrastructure is an easy target.
Upgrade your computers. New machines are cheap, much cheaper than fines.
Update and patch your operating systems, software and firewalls. Not just once. But every time your vendors release updates.
Run supported software. If you’re still using Windows XP, you’re way overdue on upgrading. Microsoft stopped supporting that operating system in 2014.
Encrypt any mobile devices you use, and use high-security Wi-Fi. You should disable USB storage and force employees to change passwords every 90 days. Also, force a screen saver lock when a computer is idle for a period of time.
Talk to your IT team. Don’t allow your employees to install unauthorized programs on their computers. Don’t allow them to plug mobile devices into their computers without approval.
Third, remote access can be a security hole.
Do you or your employees really need remote access? If you don’t need it, don’t have it.
If you do need remote access, how often do you use it? Turn it on only when you need it. And use two-factor authentication whenever possible.
Fourth, phone systems are the oldest hack.
Someone could just take a phone home and call from home. Prevent remote access to your phone system. Change the password often. Enable remote extensions only as needed.
Fifth, your vendors’ and carriers’ security is your security.
Security is not one way. We all must take it seriously and be accountable to each other. Not just for ourselves but also our customers.
Do your vendors and carriers have a focus on security? Do they do security audits? Ask to see their audit results.
Do your vendors offer security features for their systems?
For example, TurboRater has security features at the user, location and agency levels. We require each user to have his or her own user ID and password. We also encrypt all passwords.
Agency administrators can choose what their users have access to in TurboRater. Administrators can also restrict a user to see and modify only quotes from her location and restrict access by IP address.
Sixth, the disgruntled or unethical employee is the best hack.
Employees who are unhappy or immoral are more likely to steal from your agency. They have access to all of your data, which makes it easy for them to sell or use this information for dishonest purposes.
Your employees are also vulnerable to social engineering. Social engineering is the art of manipulating people to give up confidential information.
For example, an employee could receive an email from a trusted source whose email was hacked. The email sent from the hacker contains a link or a download with malware. Because your employee trusts the person who supposedly sent the email, he downloads the malware, and now your data is gone.
Your team will not like the security. But train them on the importance of security and how to recognize social engineering. Security begins and ends with you and your employees. So, include everybody in the conversation.
Sixty percent of small businesses close within six months of experiencing a data breach. Whether it is the fines or loss of trust, many small businesses can’t survive it.
Yes, security costs money. But a hack costs more. You are a target. You need to act accordingly.
The harder you make it for hackers, the less you are a target.