Foiling the hacker
ACT hosts Webinar on e-mail security
By Phil Zinkewicz
In August 2009, a press release from the United States Department of Justice’s U.S. Attorney’s District of New Jersey office announced that “an indictment was returned against three individuals who are charged with being responsible for five corporate data breaches, including the single largest reported data breach in U.S. history.”
According to the U.S. Attorney’s press release, the indictment describes a scheme in which Albert “Segvec” Gonzalez and two unnamed Russian defendants (identified as Hacker 1 and Hacker 2) stole “more than 130 million credit card and debit card numbers along with account information” from Heartland Payment Systems, 7-Eleven, Inc., and Hannaford Brothers Co., and also hacked into two unidentified corporate victims.
This is the same Albert Gonzalez who is awaiting trial for his role in the notable attack suffered by TJX that is now only the second largest known breach. Each defendant faces a maximum of 35 years in prison and more than $1 million in fines or twice the gain from the crimes, whichever is greater. At the time of this writing, Gonzalez is in jail in Brooklyn, New York, awaiting trial in New York and Massachusetts related to prior incidents of data theft.
These developments are certainly of epic proportions, but the identity theft and data theft issues are significant not only to corporate giants, but to businesses of all sizes. The Independent Insurance Agents & Brokers of America’s Agents Council for Technology (ACT) recently hosted its third free Webinar on e-mail security titled “Protecting Independent Agent Clients with Secure E-mail Using TLS (Transport Layer Security).”
In announcing the Webinar, ACT Executive Director Jeff Yates said: “Commercial line applications and other confidential consumer information need to be protected if they are sent via e-mail to carriers. Agencies continue to seek our advice on how to protect such sensitive data and so we felt it important to host this Webinar and describe the benefits of using TLS.” Some 650 agents participated in the earlier presentations.
TLS provides an open standard protocol to protect e-mails sent over the Internet. It is built into most e-mail servers used today. TLS requires no changes to the end user (sender or receiver).
Featured at the Webinar was Jim Rogers, director of distribution technology, The Hartford Financial Services Group. Rogers pointed out that e-mail is now entrenched within business workflows and is the way a significant amount of business is transacted between agents and carriers. “The words shared between the parties are often critical to the business relationship and contain information of a sensitive nature that, if lost or stolen, could be harmful to either party.”
According to Rogers, the use of real time rather than e-mail is the best option for moving sensitive client data between the agent and carrier when available, because real time is highly efficient and transports the data directly between the agency and carrier systems.
“However,” added Rogers, “when e-mail must be used to send communications with sensitive client information, such as that contained on some commercial lines applications, it is important for agents and carriers to start to use secure e-mail. If the e-mail is not secured, the contents of the e-mail and any attachments can be intercepted and read as they travel across the Internet, in the same way a postcard can be read when sent through the mail. If an unsecured e-mail is intercepted, the agency would face a security breach creating a significant risk to the agency’s reputation and potential E&O exposure.”
Rogers said there are many secure e-mail applications, but many are fraught with problems, such as difficulty using the applications and the need to remember several encryption codes. “What the industry needs is a standardized secure e-mail application and TLS is the answer,” he said.
Many carriers are TLS-enabled, said Rogers. He named Chubb, CNA, Grange, Harleysville and The Hartford as just some of them. TLS operates independently of the e-mail user, he said. “When an e-mail is sent from one domain, agent or carrier, to another agent or carrier, the servers that control transmission negotiate to determine whether TLS is enabled. If it is, then the servers transmit the e-mail within a TLS tunnel that protects all message content including attachments.”
Rogers said that agencies should use an IT expert to set up TLS on their e-mail server for incoming and outgoing e-mails. The IT professional can also determine which of the agent’s carriers are enabled for TLS, he said.
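The negotiation Rogers describes is the SMTP STARTTLS extension: a receiving mail server that supports TLS lists STARTTLS in its reply to the sender's EHLO command. The sketch below is an added example, not part of the Webinar or the original article; it parses constructed EHLO replies to see which partners offer TLS and shows the choice an administrator faces when one does not. The domain names, the REQUIRE_TLS list and the decision labels are hypothetical.

```python
# Added example. The EHLO replies and domain names are constructed samples.
SAMPLE_REPLIES = {
    "carrier-a.example": "250-mx.carrier-a.example Hello\r\n"
                         "250-SIZE 36700160\r\n250-STARTTLS\r\n250 8BITMIME\r\n",
    "carrier-b.example": "250-mx.carrier-b.example Hello\r\n"
                         "250-SIZE 10485760\r\n250 8BITMIME\r\n",
    "client-c.example": "250-mail.client-c.example\r\n250 PIPELINING\r\n",
}
# Hypothetical policy: partners that must never receive mail in cleartext.
REQUIRE_TLS = {"carrier-b.example"}


def parse_ehlo(reply):
    """Return the ESMTP extension keywords from a multi-line 250 EHLO reply."""
    lines = [ln for ln in reply.replace("\r\n", "\n").split("\n") if ln]
    if not lines:
        raise ValueError("empty EHLO reply")
    keywords = set()
    for i, line in enumerate(lines):
        # Continuation lines are "250-text"; the final line is "250 text".
        if len(line) < 4 or line[:3] != "250" or line[3] not in "- ":
            raise ValueError(f"not a 250 reply line: {line!r}")
        if i == 0:
            continue  # first line is the server greeting, not an extension
        text = line[4:].strip()
        if text:
            keywords.add(text.split()[0].upper())
    return keywords


def delivery_decision(domain, reply, require_tls=REQUIRE_TLS):
    """Decide how to deliver, given what the receiving server advertised."""
    if "STARTTLS" in parse_ehlo(reply):
        return "send-over-tls"
    if domain.lower() in require_tls:
        return "hold"  # no TLS offered: do not fall back to cleartext
    return "send-in-clear"  # the "postcard" case: no TLS offered, no policy


def audit(replies=SAMPLE_REPLIES, require_tls=REQUIRE_TLS):
    """Map each partner domain to the delivery decision for its EHLO reply."""
    return {d: delivery_decision(d, r, require_tls) for d, r in replies.items()}


if __name__ == "__main__":
    for domain, decision in audit().items():
        print(f"{domain}: {decision}")
```

Without a per-domain requirement, a server that negotiates TLS only when it is offered delivers in cleartext to any partner that does not advertise STARTTLS, which is why the list of TLS-enabled carriers matters.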
“TLS provides protection between the agency and carrier e-mail servers. It provides a practical way for an agency to have a secure e-mail pathway for communications to and from commercial clients that have the capability to TLS-enable their e-mail servers,” said Rogers. “This added measure of security will be appreciated by clients and will provide them with the capability to provide more secure communications with their other trading partners that can enable TLS.”
Continued Rogers: “TLS is a security manager’s dream solution, one that requires no work on the part of the end user yet protects e-mail content. It uses an industry standard protocol that is freely available and implemented on most e-mail platforms. For the agency, it is more cost effective than proprietary vendor e-mail solutions and is already included on most e-mail servers.
“In this day and age of focus on security, all e-mail gateways should be configured to use TLS if it is available,” he asserted. “Agents should encourage their carriers to provide the TLS option for secure e-mail and explain to them how TLS is a far preferable alternative for agents than having to learn and then use each carrier’s unique proprietary secure e-mail system.”
For more information:
Independent Insurance Agents & Brokers of America
Agents Council for Technology
Web site: www.iiaba.net