#AllNat Advantage

Sharing knowledge for better business

Author Archive

Tom Weyant

Tom Weyant is the Director of Risk Management & Continuous Improvement at Alliant National. He is a Certified Quality Auditor (CQA) and a Certified Fraud Examiner (CFE).
Graphic of a simply drawn blue house with a whit pad lock on front of it

In the Age of COVID 19 – Be Safe and Secure While Working Remotely

Best practices to help keep your remote environment secure

While working remotely at home provides flexibility and social distancing in this time of COVID-19, it may also open the door to unexpected and unwanted security issues and breaches. By taking a few simple and important steps, you can securely work and have peace of mind that your business is continuing to operate without introducing added risks.

Risks that present themselves range from nuisances and disruption, such as with “Zoombombing” [a disruptive intrusion by hackers into a video conference call], to device and network compromise with viruses, spyware or ransomware.

Here are some best practices to keep your remote environment secured:

Teleconferences

When using Zoom or other remote meeting sites that provide audio and video connectivity, be sure that the security settings are activated to only allow screen sharing by the host, or designated others who have a need. Also be sure to use access passwords or codes available only to the invited participants that are provided in the invite prior to the meeting.

Equipment, Software and Hardware

Often the organization does not provide all equipment or supplies necessary to ensure remote access. The proper protection of information to which the user has access involves connection to the Internet, local office security, and the protection of physical information assets. Below are some of the additional items that may be required:

  • Broadband connection;
  • Paper shredder;
  • Secured office space or work area; and
  • A lockable file cabinet to secure documents when unattended.

Remote users using personal equipment are often responsible for:

  • access to the internet;
  • the purchase, setup, maintenance or support of any equipment or devices not owned by the company; and
  • ensuring current and active antivirus, firewall and malware protection is installed, functioning and updated regularly.

Security and Privacy

Organizations often have policies regarding user logical security responsibilities. Here are a few such responsibilities, which should translate to the work-from-home environment:

  • Log off and disconnect from the company’s network when access is no longer required, at least daily;
  • Enable automatic screen lock (if available) after a reasonable period of inactivity;
  • Do not provide (share) their user name or password, configure their remote access device to “remember me,” or automatically enter their username and password;
  • Enable a firewall at all times;
  • Ensure virus protection is active and current; and
  • Perform regular backups of critical information using a secure storage solution.

Additionally, companies often implement additional logical security procedures for remote users. These may include:

  • Disconnect remote user sessions after 60 minutes of inactivity;
  • Access to company owned technology applications to use commercially available encryption technologies, such as multi-factor authentication, or use of a Virtual Private Network (VPN);
  • Update the virus pattern on a regular and frequent basis;
  • Provide a reasonable backup solution; and
  • Perform regular audits of the company supplied equipment to ensure license and configuration compliance.

Company policies regarding physical security should also carry over into the remote-office. Here are some steps to consider:

  • Maintain reasonable physical security of your remote office environment. This includes access to both company and personal technology equipment and documents;
  • Limit the use or printing of paper documents that contain sensitive, confidential or non-public private information (NPI), and restrict requests for and handling of NPI to only what is essential to perform your job; and
  • Ensure documents containing sensitive, confidential or NPI are shredded and rendered unreadable and unable to be reconstructed.

It is entirely possible to work remotely. A home office can be made secure by adhering to the steps above. Bear in mind that working at a hotel or a cabin or anywhere internet service allows for access presents security issues that may compromise privacy.

For further information, reach out to Tom Weyant, Director, Risk Management & Continuous Improvement, CQA, CFE, directly at tweyant@alliantnational.com or visit www.alliantnational.com/newsroom for additional information and articles related to cyber security and internet privacy. 

businessman punching and breaking the word RISK

Increased Risk Means We Need to Increase Training

Threats are constantly evolving and your training and testing must also evolve to counter these threats and keep your defense robust.

A cyberattack is a malicious and deliberate attempt by and individual or an organization to breach the information system of another individual or company, seeking benefit from the disruption, ransom, or theft of data.

This electronic threat is increasing in frequency and complexity and has become very expensive to remediate or to recover from.

Here’s the surprise – almost 90 percent of cyberattacks are caused or allowed by human error from the internal staff of the entity attacked.

This includes failure to follow security rules and protocols, sharing passwords, using weak or default settings, and falling victim to social engineering.

Even the large events such as the hacking at Equifax and Target, were caused by failure to follow the rules regarding administrative password settings, human error.

So whether your business is large or small, you need ongoing, strong training and testing to counter the threats.

Recent survey results of a survey of title insurance professionals by the American Land Title Association show a surprisingly small amount of agents are conducting ongoing staff training, and most do it once when they hire an employee.

This is a recipe for eventually becoming a victim of electronic fraud.

There are simple yet effective steps to take to counter the increasing threats by taking a strong defense, and it starts with regular training and testing to remove or reduce the human error element.

Here is what to do to put a training and test plan into action:

  • Ensure new hires are introduced to and educated on information and data security policies and procedures as well as how to protect nonpublic personal information (NPI) and sensitive information. Emphasize to them the “why” so they fully understand the shared responsibility nature. This should be a core part of their orientation and on-boarding.
  • Set and schedule ongoing training for all employees at every level commensurate with the size of the staff and complexity of your business. This should be monthly, quarterly or semiannually.
  • At a minimum, cover controls over access (passwords; pass phrases; multi-factor authentication), network and data distribution (including never using non-secured networks for conducting business such as those in cafes/hotels/airports), phishing and spear-phishing, and never use a general email service like Yahoo or Gmail when sending NPI or sensitive information; social media and social engineering.
  • Require security measures for smart devices (smart phones, and in particular Androids, account for a large percentage of data breaches).
  • Explain the implications of data loss, which includes reputational hits and potential fines and penalties and law suits.
  • Focus on all media forms – hardcopy as well as electronic – and include proper handling and protection from receipt through handling to secured destruction.  
  • Training may be done with internal documents or you may use a third party to conduct the training (i.e. Data Shield; KnowBe4).

  • After the training, use a quiz to gauge how well your employees understood the material.
  • Develop or use a third party to conduct ongoing, regular internal testing such as phishing or spear phishing testing (i.e. KnowBe4 is one vendor who can provide you this tool). Depending on the results, you may then make appropriate changes and re-focus your training to deal with any weak or weaker topics or areas.
  • Provide a single point of contact the employee may turn to with questions or to report any suspected suspicious attempts to obtain information or data (electronic or by phone).
  • Keep records of the training and attendees and testing results. This will be needed to demonstrate good faith, to meet many state requirements – and it’s a best practice.

Last, keep up-to-date on emerging threats and vulnerabilities and provide updated training to employees to be sure they understand new risks or new controls and why they are important; employees must know how to recognize and report threats to stay vigilant.

This will keep your training and testing current and fresh and serve as a continual reminder to your staff. Remember, this is a marathon, not a sprint. Threats are constantly evolving and your training and testing must also evolve to counter these threats and keep your defense robust.

Written-cyber-security-and-response-plans-Just-do-it

Written cyber security and response plans: Just do it

Despite the rising threat, recent survey results show a surprisingly small number of agents are prepared, as most do not have a written cyber security and response plan.

A cyberattack is a malicious and deliberate attempt by and individual or an organization to breach the information system of another individual or company, seeking benefit from the disruption, ransom, or theft of data – and such attacks are increasing in numbers and complexity.

Despite the rising threat, recent survey results show a surprisingly small number of agents are prepared, as most do not have a written cyber security and response plan.

A written cyber security and response plan is essential to be prepared, organized and to execute appropriate and prompt actions when an attack occurs.

The plan does not need to be complex. To be effective, it should be simple and clear and present key information. It should also be built commensurate with the size of the organization.

Key elements of the plan must include:

  • Perform a risk analysis to mitigate all risks, covering administrative, technical, and physical controls. Simply put, this is what could be vulnerable, what could go wrong and what is or should be done to try to avoid or contain the threat(s).
  • The cybersecurity program must protect the security and confidentiality of nonpublic information, protect against threats or hazards to the security or integrity of information, and protect against unauthorized access.
  • Define a schedule for the retention of data and a mechanism for its secure destruction when data is no longer required.
  • Designate an individual, third party, or affiliate who is responsible for the information security program.
  • Be sure existing controls in place – access controls, authentication controls, and physical controls to prevent access to nonpublic information. Encryption (or an alternative, equivalent measure) should be in place to secure data stored on portable electronic devices and for data transmitted over an external network.
  • Identify and manage devices that connect to the network – a simple inventory.
  • Adopt secure development practices for in-house applications if applicable. Alternatively, obtain this assurance from your service provider that performs the development for you.
  • Use multi-factor authentication to prevent unauthorized accessing of nonpublic information.
  • Regularly test and monitor systems for actual and attempted attacks, maintain audit trails, and implement measures to prevent the unauthorized destruction or loss of nonpublic information.  
  • Keep up-to-date on emerging threats and vulnerabilities and provide ongoing training to employees to be sure they understand existing controls and why they are important; employees must know how to recognize and report threats.

The response plan must include the following elements to be effective:

  • Date of the cybersecurity event.
  • A description of how the information was exposed, lost, stolen, or breached,     including the specific roles and responsibilities of third-party service providers, if any.
  • How the cybersecurity event was discovered.
  • Whether any lost, stolen, or breached information has been recovered and if so, how this was done.
  • The identity of the source of the cybersecurity event.
  • Whether you filed a police report or notified any regulatory, governmental or law enforcement agency and, if so, when such notification was provided and by whom.
  • A description of the specific types of information acquired without authorization, which means particular data elements including, for example, types of financial information, or types of information allowing identification of the consumer.
  • Time period during which the information system was compromised by the cybersecurity event.
  • The number of total consumers affected by the cybersecurity event, or a best estimate.
  • The results of any internal review identifying a lapse in either automated controls or internal procedures, or confirming that all automated controls or internal procedures were followed.
  • A description of efforts being undertaken to remediate the situation which permitted the cybersecurity event to occur.

Don’t wait until an event occurs. It’s a chaotic time full of financial and emotional high stress. Do it now and provide yourself the peace of knowing you are prepared.

Are you covered

Cyber Insurance: Yes, you absolutely need it.

Cyber insurance is now critical to help protect your business.

Cyber attacks are becoming more frequent, clever and complex. Cyber insurance is now critical to help protect your business from major expenses, business loss, and regulatory fines and penalties.

General liability umbrella policies typically do not cover cyber events (Target’s insurance policy only covered 36 percent of its $252 million data breach costs).

This insurance comes in many different variations and costs, so it is important to know what product works best for you, considering and balancing coverage and cost.

Four key elements comprise essential coverage to protect against data breach and loss of customer data:

  • E&O
  • Liability
  • Network Security
  • Privacy

What is most important is that both cyber-crimes and liability are included in your coverage.

The policy may be a standalone, or a rider on to your existing policy. Always buy the most compressive coverage available that you can afford.

Here is why that is so important:

Broad coverage includes both first and third-party coverage. First party only covers your business, while third party will cover the claims against you from customers or clients as well as related damages and court costs.

The below comparisons show why you need both cyber-crimes and cyber liability coverage:

Event Liability Coverage Crime Coverage
Loss of funds (escrow and operational, personal) due to social engineering and electronic fraud or theft No Yes
Fraudulent electronic transfer or divergence of funds No Yes
Employee electronic theft No Yes
Forgery No Yes
Cyber extortion (ransomware) No Yes
Data breach expenses including legal costs, fines or penalties Yes No
Loss of assets and loss of business income Yes No
Recovery of systems and forensics; reputational damages Yes No
Economic damages through network security failure or failure of privacy controls Yes No

Consult with your insurance carrier for specific coverage offerings and cost and weigh the decision that is right for your business and budget. Remember, the broadest form of coverage will best protect you and your business so while it may be more expensive, your business will be better protected against the risks we face in today’s business environment.