Like many companies in the insurance industry, we’re adapting to the novel coronavirus outbreak, and that adaptation includes our cybersecurity practices. In this post, we share some of what we’re doing to ensure you get uninterrupted access to the data and information you need.
We began these practices well before the pandemic, as part of our ongoing cybersecurity efforts, but we’ve adjusted them because our teammates are now all working from home.
Employee education and behavioral guidelines
Cybersecurity is as much about behavior as it is about technology. Our employees are smart and conscientious, but we can’t expect them to learn everything they need to know about cybersecurity on their own.
So, we provide frequent interactive training and set specific rules about using company equipment and networks. We send out updates on new cybersecurity threats and how to thwart them, and we reward employees for reporting suspicious emails that are likely phishing, spear-phishing, social engineering or other attempts.
We also invest in tools to make it easier for employees to follow our guidelines. For example, we provide a password management system so our teammates can easily create and store unique, strong passwords for all online accounts.
As many insurance professionals work remotely, it’s essential to maintain effective cybersecurity practices
Coronavirus Resources for Insurers
Separate access for work and personal devices
Before COVID-19, we set up a separate network in our office for employees’ personal devices, such as smartphones, and for guests. This separation protects the network storing Protection Class and Loss Cost data, commercial property reports, circulars and other critical information. If, for example, an employee or guest unknowingly connects a personal device that’s been compromised to this designated network, the threat is contained, and there is no threat to the network storing the information you depend on.
Now, many of our teammates are connecting to our network through a virtual private network (VPN), and we’re maintaining that same separation but in a new way. We require employees to connect only WSRB issued and maintained devices through the VPN. Personal devices are not allowed. On WSRB devices, we’ve installed specialized endpoint protection software and ensure they’re updated with the latest security patches. We don’t have the same level of control over employees’ personal devices, so we need to keep them off the VPN.
Some companies allow employees to connect any device through the VPN, but that practice creates greater risk of malware infection because the company lacks control over the device. That laptop, phone or tablet may not have sufficient protection against malware and could potentially be accessed by multiple users in the home who are not employees. If those users don’t know WSRB’s cybersecurity practices — and most likely, they do not — they could unintentionally download malicious software to the device that later ends up on the WSRB network.
Using multi-factor authentication
Many cybercriminals attempt to steal user names and passwords through phishing or spear-phishing. Although we train employees to recognize and avoid these scams, we know it’s important to have an extra layer of protection. Multi-factor authentication is that extra layer.
Our entire team uses this process when logging into critical accounts. They enter their user names and passwords and an additional code randomly generated by an app on a separate device. If a cybercriminal did succeed at stealing credentials, that information alone would not be sufficient to access our employees’ accounts.
We’re also taking several other cybersecurity steps, but we won’t share all of them publicly. Why? Doing so could actually increase risk to the WSRB network and the data you need every day to make smart decisions. If you’re a Subscriber and have questions about what we’re doing, feel free to contact us at 206-217-0101 and ask for me by name.
Anthony Higgins is WSRB’s Security Analyst. In that role, he oversees cybersecurity practices, employee training and our partnership with Gartner, a trusted information technology security consultant.