—Reprinted with permission from PIA Management Services Inc.—
The state of cybersecurity
CEO, Infinitely Virtual
If awareness is a precursor to constructive change, the murky world of cybersecurity has notched some real, albeit incremental, steps forward during the past year. That’s particularly the case in the financial services sector, which includes the insurance industry. On a number of fronts, companies, organizations and individuals are beginning to think more deeply about and act more decisively on the threats they face—an acknowledgement of how pervasive and challenging those threats have become (famously Equifax, but others as well).
As CSO, an organization that provides security decision makers with information to help them to stay ahead of evolving threats and defend against criminal cyberattacks, observed in February:
In the past year, tremendous regulatory developments have taken shape in the realm of cybersecurity, fiduciary responsibility and legal liability for licensees … starting with the State of New York’s Department of Financial Services (NYDFS) Cybersecurity Requirements and ending with the National Association of Insurance Commissioners (NAIC) Model Law. Within this framework, insurance agents and brokers are required to complete continuing-education training on a regular basis, for credit (of some kind). At least in theory. But, even if the state of cybersecurity readiness doesn’t exceed these supposed minimums in the near term, this counts as progress. Ditto for the growing embrace of two relatively new constructs for thinking about cybersecurity, both of which may ultimately be more influential in righting the balance between bad actors and the organizations they victimize.
While perceived threats and vulnerabilities are assumed to exist outside the firewall, truly effective security policies assume nothing. The conventional wisdom once held that everyone inside the network was trusted and everyone outside was not. The newer, more enlightened, paradigm for security is “more trusted” and “less trusted”—and that’s where the principles of least privilege and zero trust come into play. And, while the understanding and acting on these principles falls to the cloud-hosting provider, it’s a good business practice for your agency to be aware of these principles and to act accordingly.
In savvy organizations (i.e., those firms that have partnered with a vigilant host), least privilege applies to every employee. Encryption is the rule internally, and multifactor authentication to log into every networking component and storage system is mandated; no one can delete a snapshot or burrow into the firewall. The upside is clear: Since all user data is inside the network, there’s no need to sweat issues like internal encryption—the hosting provider more than likely already has handled it for users. And, that extends to the rights conferred on users, for example, their ability to use home equipment on an office network. Of course, without that a vigilant cloud-hosting partner, users may indeed need to sweat the unattended details, like encryption and authentication, since they’re flying without a net.
As blogger Gresham Harkless of CBNation puts it:
the Zero Trust model of network security has been … spurred on by the constant barrage of cyber threats that seem to continually break through traditional security measures. Many businesses are recognizing that the ‘trust but verify’ model often fails to stop cyber threats. Zero Trust instead says that we must ‘verify and never trust.’
Interviewed by Cyber Security Hub, Russell Walker, CISO for Mississippi’s Secretary of State, put it this way: “The perimeter in the traditional sense has disappeared. The network itself is no longer a static environment we can put barriers around, have a guard at the gate and say, ‘Now we are protected.’” Walker also is right to underscore that zero trust and least privilege aren’t merely technologies and policies. They truly do involve changing the way IT staff and end-users think and approach their environment.
Your agency’s role
That handoff—from these two powerful theoretical constructs to demonstrable practices in real-time—is everything. While cloud infrastructure providers do a good deal of the heavy lifting, every organization has a role to play, implementing and evolving security policies and procedures that best fit its environment and business requirements.
Changes in business procedures and practices don’t necessarily need to be large; in cybersecurity as in other endeavors, the margins often are quite slim, and seemingly minute adjustments can make a world of difference. Consider clickbait, that pervasive—and potentially debilitating—pest in so many email inboxes. As Golden Frog GmbH, a Swiss security company, observes:
clickbait is often associated with titles of articles over-promising content … the source of clickbait disguises itself and uses links to confuse victims. The best way to protect yourself against clickbait is similar to protecting yourself against phishing—be careful what links you open and always be sure the URL is secure. If the business is unfamiliar, search for reviews of the company to learn if it’s reputable before visiting their site.
The good news is that for any business in the insurance sector, meeting the minimums in security policy and practices is achievable and can be surprisingly effective.
All organizations need to have a process that: 1. evaluates threats; 2. selects threats to blunt based on importance; 3. assesses and implements policies/technologies to block; 4. measures success/failure; and 5. starts again. Taken together, these stipulations can serve as an addendum to an existing policy, or as a framework for new internal guidelines. Treat the following recommendations as a starting point (e.g., recommended security settings; and security policy recommendations). They are worth your agency’s time.
Security settings hacks
No. 1: Minimum password length. Require minimum eight character passwords.
No. 2: Complex passwords. Require lower case, upper case and special character.
No. 3: Maximum password age. Require all users to change password every 90 days.
No. 4: Account lockout. Lock accounts after multiple unsuccessful login attempts.
No. 5: Two-factor authentication. Require users to accept login request using mobile phone.
No. 6: Restrict IP address. Lock RDP port 3389 to only specified office IP address if it’s static. That way, even if people had a user name and password to your agency’s system, they wouldn’t be able to access the system remotely.
No. 7: Install SSL certificate. Purchase and setup verified Secure Sockets Layer (SSL) certificate, to encrypt all traffic between your agency’s website and its internet browser.
No. 8: Site-to-site. Only allow connections over a virtual private network (VPN) from the office. This will help your agency protect its privacy online and maintain your agency’s data security.
No. 9: Use a remote desktop gateway. This will block all connections to standard remote desktop connection (RDP) port and will require all users to authenticate over a secure HTTPS.
Security policy hacks
No. 1: Make sure no one in your office writes passwords on paper.
No. 2: Passwords should never by saved in a plain-text document on your agency’s computers or server.
No. 3: Make sure everyone knows not to share their passwords with anyone inside or outside the company.
No. 4: Staff should not leave their computers unattended while they are logged in to the system.
No. 5: Do not save any RDP credentials.
No. 6: Tell and teach staff to avoid logging on to a server from unknown computers.
No. 7: Make sure all your agency’s anti-virus programs are updated and that you run regular scans.
No. 8: Make sure operating system and programs are updated on regular schedule.
No. 9: Do not give users administrative rights to their computers and use a built-in super-user account for system administration. Although these suggestions and recommendations are tactics, they’re integral to a strategic approach to cybersecurity—an approach that ought to be understood as a form of corporate physical fitness. And remember: Sitting ducks can’t move nearly as swiftly as hawks.
Stern is founder and CEO of Infinitely Virtual, which offers products and services based on virtual dedicated server and cloud-computing technologies (infinitelyvirtual.com or @IV_CloudHosting). The company is based in Los Angeles.