October cybersecurity awareness month has ended. We have read the articles, improved our understanding and are more aware of increasing cyberthreats.
But are we taking action? Any action comes at a cost, which we can plan, measure and document. But cost and resource constraints can also prevent action, and we seldom evaluate the cost of doing nothing.
There is a cost of doing nothing about cybersecurity, even if not measured.
The insurance industry is based on avoiding risk. Any action is evaluated for the potential incremental risk. And often we are hesitant to move forward due to the added risk of something new or different.
But cybercriminals embrace risk, and their goal is to take advantage of your inaction. They constantly develop new and better methods to breach your security, improving their social engineering techniques and technology. IDs and passwords were adequate to protect your agency 25 years ago, but not today.
Doing nothing elevates risk
If you are not updating your level of cyber-protection — if you continue to use only IDs and passwords — you are steadily increasing the chances that your digital assets will be compromised by ambitious and nefarious players.
It will cost you.
The actual cost is often not known until after the event. It can run into the millions for a large company, and it can put a small company out of business.
Digital breach analysts estimated that MGM would lose $8.4 million a day while recovering from the hack discovered in September 2023. And the average cost of a data breach continues to increase, with 2023 setting an all-time record high of $4.45 million, up 15.3% from 2020, according to IBM’s “Cost of a Data Breach” report.
The leading digital security company Norton provides the following top three statistics about passwords.
- In 2022, more than 24 billion passwords were exposed by hackers. (Digital Shadows, 2022)
- More than 80% of confirmed breaches are related to stolen, weak or reused passwords. (LastPass, 2021)
- Nearly 60% of individuals make their passwords stronger as a result of noticing unauthorized access to their accounts or devices. (Norton, 2021)
Jen Easterly, director of the federal Cybersecurity Infrastructure Security Agency (CISA), provides the following guidance for risk mitigation:
- Use strong passwords.
- Turn on multifactor authentication.
- Recognize and report phishing attempts.
- Keep software updated.
Right Hand Cyber Cybersecurity suggests a strong password is at least 20 characters long, adding, “Attackers can crack your password in 58 seconds if it is eight characters or less.” According to NIST guidelines, a long pass-phrase works better than a password as it is extremely strong and easy to remember.
Think of the use of an ID and password as analogous to a closed door — but by using MFA, you also lock that door. Multifactor authentication (MFA) adds a critical second layer to the authentication process.
Microsoft says, “MFA can block over 99.9% of account compromise attacks.” Using MFA across all access points is important for comprehensive security. As quoted by Independent Agent magazine, Derek Kilmer, associate managing director, professional lines broker, Burns & Wilcox, says, “Where we found it challenging is when insureds think that they may have MFA in place, they have a loss, and then they realize they actually don’t have it in place — that gets into a really gray area with markets.”
Improve cyber protection with operational security
ID Federation is a nonprofit organization created by peers in the insurance industry to help agents be both cyber secure and maintain operational efficiency. In the independent agent channel, each agency connects to an average of 10 to 12 carrier partners. Using a different MFA process for each connection is operationally inefficient.
ID Federation has created a trust framework and process — SignOn OnceTM — to share credentials from your agency management system with carrier partners without having to re-enter the information. ID Federation supports MFA for improved security. Working together, volunteer agents, carriers and technology providers have empowered ID Federation’s mission to maintain the highest level of cybersecurity and operational efficiency for the independent, inter-insurance transaction universe.
Encourage your carriers to participate in ID Federation
Help make the industry more secure with operational efficiency for independent agents. Agents don’t need a different MFA sign on with each carrier partner. Use your management system credentials to securely access carrier agent portals.
SignOn Once by ID Federation is in production today with the two primary management system providers — Applied Systems and Vertafore — and with carrier partners like The Hartford and Nationwide.
Doing nothing is costly. The technology keeps moving. You put yourself at risk. Bad actors can get ahead of you if you continue to rely on outdated security practices.
Alvito Vaz is executive director of ID Federation. He is a long-time participant in AUGIE and has held business and technology leadership roles at Progressive and Travelers. He can be reached at alvito@idfederation.com.
