Security through responsibility
Responsible computing leads to increased agency security and productivity
By John Chivvis
Statistics say that over 70% of all business disasters can be attributed to either system/hardware malfunction or human error. However, many agents—while attacking the IT side of the issue with patches and updates, software and hardware—ignore the human factors that put their agency at risk for security breaches and incidents.
For more than 20 years, Tim Woodcock, president and CEO of the Davie, Florida-based Courtesy Computers, Inc. (www.courtesycomputers.com), has been working with insurance agencies and their computing systems. Woodcock says that by implementing a few simple practices into the overall business and employee workflow, agents can increase security, reduce exposure to data loss, and even increase productivity. “Whether you call it disaster recovery or business continuity planning, it is all about taking steps to mitigate risk,” adds Woodcock.
Probably the simplest, yet most effective, investment is to have a security audit performed on the agency’s systems on a regular basis. “I always recommend that agents get an external vendor to conduct these audits,” says Woodcock. The reason he recommends external IT consultants instead of an agency’s internal IT staff is that looking at the system from the outside typically provides a more objective and granular assessment of the systems, networks, data and workflows.
Reports are provided with explanations of the current state of the systems, where the problems are, the severity of the potential risk(s), and a prioritized list of solutions. “Usually the first one is the most shocking,” confesses Woodcock, because in some cases the audit highlights human error or misconceptions.
Woodcock explains that the audits his firm provides include extensive external security and intrusion detection checks. “A few weeks ago, we told an agency: ‘no, you don’t have a firewall,’ even though they thought they did.”
A thorough audit will also highlight physical and internal issues. Woodcock has seen his share of servers in unsecured hallways being accidentally reset by employees, servers overheating in rooms without proper temperature control, backup systems that do not write good backups, open access to employee computers with sensitive data on-screen, and networks plagued by employee-introduced spyware.
While some may see an annual audit as just another added expense, Woodcock says that it is a simple investment that, in the long run, will save an agency money. He points out that agents will lose anywhere from $38 to $100 per employee for every hour of downtime, “and that doesn’t even factor in what it costs for us to come in and fix it.”
Woodcock says that one thing that some agents like about an external audit is that it allows them to make the outside auditor the “bad guy” when it comes to enforcing new policies. “We don’t mind being the bad guys up front,” says Woodcock. “It also assists the agent when it comes to implementing IT policies.”
According to Woodcock, agencies need to consider implementing policies that address acceptable use of the Internet, proper use of agency systems, and keeping systems and resources secure. “It’s amazing how often I get a ‘deer in the headlights’ look when I ask agency owners or principals if they have a basic Internet abuse policy or a security policy for employees in place,” says Woodcock.
“We worked with one agency that reported that their system was ‘lethargic,’ and that their Internet usage was spiking at lunch,” recalls Woodcock. It turned out that the agency would allow employees to surf the Web during lunch. What Woodcock found was that approximately 60% of lunchtime surfing was spent shopping and banking online and 12% was spent visiting “adult-themed” Web sites. “We also found that the spike lasted until 1:45 p.m.—not exactly the lunch hour,” says Woodcock. “When you talk about that big of a productivity loss, that’s millions of dollars in lost revenues.”
Besides acceptable Internet and e-mail usage, an agency’s information security policy needs to address the handling of computer security issues including viruses, employee installation of software or downloads, and use of passwords. “In this case, less access is more security, so grant it as needed for each employee,” says Woodcock. “Because of the sensitivity of the data, you must have controls to ensure that only authorized employees have access—including remote access.”
The other side of implementing an information security policy is monitoring the use of IT resources and informing/reminding employees of the penalties for not following the guidelines spelled out in the policy. “If you tell them that you will be scanning their systems and monitoring the network, and you do,” says Woodcock, “then unacceptable use will stop.”
However, a good information security policy is not just for spelling out the responsibilities of the general employee, but for IT staff as well. Keeping data secure requires regular scheduling of updates and patches of software and hardware—and the verification of backups. “Too often backups are assumed to be good,” says Woodcock, “but in actuality, more than 70% of all tape backups fail due to disk errors, bad tapes or other problems. Even though the logs may say it’s good, it’s always important to have a process in place whereby ‘test restores’ from backups are performed.”
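Woodcock's point about test restores can be made concrete with a small script that never consults the backup job's own log: it unpacks the archive into a scratch directory and checks every restored file against a checksum manifest taken before the backup ran. This is an added example, not code from the article or from Courtesy Computers; it assumes a gzip-compressed tar archive as the backup format and GNU tar and sha256sum on the host, and it builds its own constructed sample data so it runs stand-alone.

```shell
#!/bin/sh
# Record a checksum for every file under DIR, relative to DIR, so the
# manifest can be checked from inside any restore directory.
make_manifest() {
    (cd "$1" && find . -type f -exec sha256sum {} +) > "$2"
}

# Restore ARCHIVE into a scratch directory and check every restored file
# against MANIFEST. Succeeds only if the archive unpacks cleanly AND every
# file matches; the backup job's own "success" log is never consulted.
verify_backup() {
    archive="$1"; manifest="$2"
    case "$manifest" in /*) ;; *) manifest="$PWD/$manifest" ;; esac
    scratch=$(mktemp -d) || return 2
    # A truncated or unreadable archive (the "bad tape" case) fails here.
    if ! tar -xzf "$archive" -C "$scratch" >/dev/null 2>&1; then
        rm -rf "$scratch"; return 1
    fi
    # An archive that unpacks but holds altered or missing files fails here.
    if (cd "$scratch" && sha256sum -c "$manifest" >/dev/null 2>&1); then
        rm -rf "$scratch"; return 0
    fi
    rm -rf "$scratch"; return 1
}

# Walk through three backups built from constructed sample data: one intact,
# one truncated to mimic a bad tape, one whose data changed after the manifest.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/data"
    printf 'policy 1001 active\n' > "$work/data/policies.txt"   # constructed
    printf 'client A, client B\n' > "$work/data/clients.txt"    # constructed
    make_manifest "$work/data" "$work/manifest.sha256"
    tar -czf "$work/good.tgz" -C "$work/data" .
    head -c 40 "$work/good.tgz" > "$work/truncated.tgz"
    printf 'policy 1001 lapsed\n' > "$work/data/policies.txt"
    tar -czf "$work/altered.tgz" -C "$work/data" .
    for name in good truncated altered; do
        if verify_backup "$work/$name.tgz" "$work/manifest.sha256"; then
            echo "$name backup: restore verified"
        else
            echo "$name backup: RESTORE FAILED, do not trust the job log"
        fi
    done
    rm -rf "$work"
}

demo
```

In a real schedule the manifest is written by the backup job before it runs and the verification runs from a separate host or cron entry, so a failed restore is reported even when the job itself logged success.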
Audits and policies are good tools to have in place, but according to Woodcock, they are only as effective as the agency that promotes them. “Security is a top down issue,” says Woodcock. “If you have employees read and sign a policy, and they place it in their desk drawer, and they never give it another thought, then it has done absolutely no good.”
“You can have it all in place but unless everyone is actively involved and participating in building awareness, it’s useless,” says Woodcock, who recommends using multiple methods to build awareness of responsibility. One way is simply posting eye-catching flyers around the office with important reminders, updating them or moving them around from time to time to keep the information fresh. Another way is to develop a list of frequently asked questions that answers common questions about using IT resources. Many agencies are even making use of their own intranets or internal start-up pages/desktops to display tips or questions of the day as a non-intrusive yet very visible reminder of the importance of responsible computing.
Probably the most effective way, and the one most recommended by Woodcock, is to build “security awareness training” into the agency’s workflow, with agency owners or principals and managers making a conscious effort to keep training their employees. This may include adding an annual employee meeting for specific training or be as simple as taking five minutes of each staff meeting and dedicating it to a security or IT issue. “In my experience, the agencies that have greater awareness have better security practices,” says Woodcock.
Woodcock says he sees more and more agencies implementing responsible computing practices into their workflows, from timely updating of patches and virus definitions to testing of backups to network monitoring. Some of these changes stem from a risk prevention standpoint, some from a network performance standpoint, and some from a productivity/investment standpoint. To help agencies learn more about these practices and their importance, Woodcock has developed a Web site, www.courtesycare.net, with information, policy templates, and other related resources.
The author
John Chivvis is a Texas-based writer who specializes in topics of technology implementation. His work has appeared in a number of national and regional publications.