I recently had the pleasure to be a panelist for Spot On Insurance’s Compliance Conversations: Cybersecurity. My fellow panelists and I provided a TON of great information during these webinars. (So much so that it grew to a three-part series!) For those of you who missed the live webinars, I wanted to share with you what I believe are some of the most important takeaways from these conversations and the discussions that led up to them. So, here are our top six cybersecurity plan must-dos.
Know where your data lives and how it walks around.
Fred’s recommendation is the ideal starting place for any cybersecurity plan. After all, how can you effectively protect your data if you don’t know what it is, where it is stored, and who has access to it?
We live in a world where we can take our work with us anywhere. (This is especially true now that remote working has become more popular during the COVID-19 shutdown). But before we do so, security protocols need to be in place to track, identify, and immediately respond to even suspected breaches. As Fred explains, “Having a system taken down [as part of a security protocol] is an inconvenience, but it’s far less inconvenient … than to have all your data compromised.”
Spend the money; it is not a luxury or unnecessary expense.
Information technology, including cybersecurity, isn’t a money-maker for most insurance businesses. That can lead to a certain reluctance to invest time and money in preparing for something you hope will never happen. (Hey, isn’t that the argument that people use for skimping on insurance coverage?)
But as Russ points out, in today’s increasingly digital workplace, an information system that functions securely and reliably makes possible the business activities that do drive profits. And that is to say nothing of the financial and reputational losses that can result from a cybersecurity incident. Those costs can greatly exceed the amount you could have invested to protect yourself.
Create a layered technical approach.
Of all the advice shared in the webinars, this one from Paul is possibly the most important. There is no magic bullet for cybersecurity, no single practice or security tool that provides unbreachable protection.
A successful cybersecurity plan involves concentric rings of defense between your data and the many threats out there in the world. It addresses both technical issues and human factors. Additionally, it is constantly evolving to confront new threats, to take advantage of new hardware and software solutions, and to respond to changing user needs and expectations.
Train, don’t shame.
While all the panelists mentioned the importance of employee training, I wanted to stress the importance of positive reinforcement in such programs. Even people who use information systems on a daily basis often don’t understand how those systems work. That can be intimidating.
If people fear being ridiculed or punished for mistakes, they are more likely to hide them. When it comes to cybersecurity, every minute that problems go unaddressed risks additional damage. It also exponentially increases the time and money required to correct problems.
Do not use the same passwords across multiple systems or applications.
Dennis shared how using the same, or very similar, passwords in different settings greatly increases your online vulnerability. If one system is breached, you’ve left yourself open to attack on all the other platforms you use as well.
This tip was just one of many that Dennis offered, but it highlights an important truth. Although there are many complex solutions out there to protect your data, often the simplest (and least expensive) steps can have a huge impact.
Not your system? It’s still your problem.
Last, but certainly not least, Jo Ann reminds us that regulators hold licensees accountable not only for their own cybersecurity plan but also for those of their third-party vendors.
It may feel a little awkward to quiz your suppliers, service providers, and strategic partners about their arrangements. Still, you don’t want to be doing everything right only to find yourself connected to a system that’s wide open to the world! This can be especially true of companies from less-regulated industries that aren’t (yet) putting the same emphasis on cybersecurity.
Here are the links to the recorded webinars. I hope you enjoy watching them!
This first webinar aired live on June 25, 2020, and helped answer the questions: Who needs cybersecurity? and What is a cybersecurity plan?
The second webinar aired live on August 13, 2020, and helped answer the questions: What should your cybersecurity plan include? and In what order should you tackle those tasks?
The third webinar aired live on September 10, 2020. It helped answer the questions: What should I do first to improve cybersecurity? and What resources can help me implement our cybersecurity plan?