What is your data worth? You might think not much.
But if your agency has a data breach, you will be subject to a $1,000-$100,000 fine per incident. For 100 clients, that's $100,000-$10,000,000 in fines.
Besides the fine, you'd have to notify individuals and media of the breach. Plus, you'd be required to provide monitoring or remuneration to affected parties.
This applies to EVERY agent. Not just health insurance agencies.
But No One Would Hack My Small Agency
Seventy-one percent of data breaches target small businesses.
Consider the information stored in your office and any system you use. This includes your agency management system, comparative rater, and agency marketing system.
You've got a ton of personally identifiable information. Names, addresses, birthdays, social security numbers, driver's license numbers, financial information, emails, and health information.
This information is what hackers are after. This information makes you a target for a potential data breach.
If you think no one will target your agency because you're not a big corporation, you are mistaken.
Ease of Access = Less Security
There are several points of entry for hackers you need to be aware of.
1. Physical access is full access.
Limit access to the critical areas of your agency. Secure your servers in a locked cabinet. Use security cameras and a security system.
Don't leave anything lying around. Put paperwork in a locked drawer or cabinet. Or better yet, scan paperwork into your agency management system and then shred it.
Lock your computer when you're not sitting at your desk.
2. Technology infrastructure is an easy target.
Upgrade your computers. New machines are cheap, much cheaper than fines.
Update and patch your operating systems, software and firewalls. Not just once. But every time your vendors release an update.
Run supported software. If you're still using Windows XP, you're way overdue on upgrading. Microsoft stopped supporting that operating system in 2014.
Encrypt any mobile devices you use, and use high security Wi-Fi. You should disable USB storage and force employees to change passwords every 90 days. Also, force a screen saver lock when a computer is idle for a period of time.
Talk to your IT team. Don't allow your employees to install unauthorized programs on their computers. Don't allow them to plug mobile devices into their computers without approval.
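Three of the settings named above (USB storage, password age, screen saver lock) can be checked on a Windows workstation. The PowerShell below is an added example, not part of the original article: it only reads settings, assumes English-language `net accounts` output, and uses a 15-minute idle threshold as an assumption because the article gives no figure.

```powershell
# Added example: read-only audit of three settings from the checklist above.
$maxPasswordAgeDays = 90     # from the article
$maxIdleSeconds     = 900    # assumed threshold; the article does not state one
$results = @()

# USB storage: the USBSTOR driver is disabled when its Start value is 4.
$usb = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -ErrorAction SilentlyContinue
$usbValue = if ($usb) { "Start=$($usb.Start)" } else { 'USBSTOR key not found' }
$results += [pscustomobject]@{
    Check  = 'USB storage disabled'
    Value  = $usbValue
    Passed = ($null -ne $usb -and $usb.Start -eq 4)
}

# Password age: parse the local account policy reported by "net accounts".
$line = net accounts | Where-Object { $_ -match '^Maximum password age' }
$age  = if ($line) { ($line -split ':')[-1].Trim() } else { 'unknown' }
$results += [pscustomobject]@{
    Check  = "Password expires within $maxPasswordAgeDays days"
    Value  = $age
    Passed = ($age -match '^\d+$' -and [int]$age -gt 0 -and [int]$age -le $maxPasswordAgeDays)
}

# Screen saver lock: a Group Policy value, when present, overrides the user's own.
$policy  = Get-ItemProperty 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop' -ErrorAction SilentlyContinue
$user    = Get-ItemProperty 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
$active  = if ($policy.ScreenSaveActive)    { $policy.ScreenSaveActive }    else { $user.ScreenSaveActive }
$secure  = if ($policy.ScreenSaverIsSecure) { $policy.ScreenSaverIsSecure } else { $user.ScreenSaverIsSecure }
$timeout = if ($policy.ScreenSaveTimeOut)   { $policy.ScreenSaveTimeOut }   else { $user.ScreenSaveTimeOut }
$results += [pscustomobject]@{
    Check  = "Screen saver locks within $maxIdleSeconds seconds"
    Value  = "active=$active secure=$secure timeout=$timeout"
    Passed = ($active -eq '1' -and $secure -eq '1' -and
              [int]$timeout -gt 0 -and [int]$timeout -le $maxIdleSeconds)
}

$results | Format-Table -AutoSize
```

A failed screen saver check means only that this mechanism is not enforcing the lock; a workstation may be locked by another policy the script does not read.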
3. Remote access can be a security hole.
Do you or your employees really need remote access? If you don't need it, don't have it.
If you do need remote access, how often do you use it? Turn it on only when you need it. And use two-factor authentication whenever possible.
4. Phone systems are the oldest hack.
Someone could just take a phone home and call from home. Prevent remote access to your phone system. Change the password often. Enable remote extensions only as needed.
5. Your vendors' security is your security.
Do your vendors have a focus on security? Do they do security audits? Ask to see their audit results. Change vendors if they don't comply.
Do your vendors offer security features for their systems?
For example, TurboRater has security features at the user, location and agency levels. We require each user to have his or her own user ID and password. We also encrypt all passwords.
Agency administrators can choose what their users have access to in TurboRater. Administrators can also restrict a user to see and modify only quotes from her location.
Also, administrators can restrict access to TurboRater by IP addresses. Meaning if you don't want a user to access TurboRater from anywhere but the office, you can do that.
6. The disgruntled or unethical employee is the best hack.
Employees who are unhappy or immoral are more likely to steal from your agency. They have access to your data, which makes it easy for them to sell or use this information for nefarious purposes.
Your employees are also vulnerable to social engineering. Social engineering is the art of manipulating people to give up confidential information.
For example, an employee could receive an email from a trusted source whose email was hacked. The email sent from the hacker contains a link or download with malware. Because your employee trusts the person who supposedly sent the email, he downloads the malware, and now your data is gone.
Your team will not like security. But you need to train them on the importance of security and how to recognize social engineering. Security begins and ends with your employees. So include them in the conversation.
Take Your Data Security Seriously
Sixty percent of small businesses close within six months of experiencing a data breach. Whether it is the fines or loss of trust, many small businesses can't survive a data breach.
Yes, security costs money. But a hack costs more. You are a target. You need to act accordingly.
The harder you make it for hackers, the less you are a target.
About the Author
As vice president of marketing, Becky Schroeder oversees ITC’s growth through marketing and drives the overall marketing strategy for the company and its products. Her specialties include advertising, social media, email marketing, content marketing and public relations. Becky has a master’s degree in integrated marketing communication from Emerson College in Boston and a bachelor’s degree in journalism from Texas A&M University. Becky is a big Texas A&M football fan and enjoys cooking, reading and spending time with her husband and their two daughters.