You should be afraid
The threats to your agency's data are real, but AppRiver has got your back
By Nancy Doucette
"It's not paranoia if they're really after you" was one of the taglines for a movie titled "Enemy of the State." Bringing that thinking into today's technology-enabled workplace, every agency owner and staff member should be taking precautions to ensure that the agency's data is secure. Why? Because somewhere, there's a person in a hoody with an energy drink cooking up some malware that's designed to, at the least, muck up the agency's network. More virulent malicious software can steal confidential information, tap bank accounts, destroy data, and compromise and/or entirely disable the agency's systems and networks.
Don't take it personally, though. Malware developers aren't targeting you specifically. They're opportunists, looking for a vulnerable system upon which they can drop their pernicious payload—and with increasing frequency, that vulnerable system may well be on a mobile device.
And just as mainstream technology is evolving and improving at warp speed, miscreants are getting better tools as well. "Toolkits" are sold through underground online forums. The "faceless ones" simply plug in some simple information, click "Go," and the toolkit scours the Web in search of vulnerabilities in Web sites. Additionally, these toolkits will send out e-mails to potential victims that link them to the malware on the exploited site.
At the NetVU PowerUsers meeting, held in late September, AppRiver, which provides e-mail and Web security solutions, facilitated a standing-room-only session on agency electronic security and the need for an information security plan. Following the meeting, Rough Notes had the opportunity to speak with three AppRiver representatives: Andrew Schrader, national sales director; Fred Touchette, security analyst manager; and Troy Gill, senior security analyst. Additionally, we spoke with some agents who attended the session about their information security plans.
According to Gill, toolkits, (the Black Hole toolkit is especially active currently, he says), are "making it easier for the less savvy criminals to get involved in cyber crime. In the past, it took an elite code writer with the willingness to be a criminal to get involved. Now it doesn't require much in the way of technical skills. This opens the door to a huge number of criminal elements." Each month, AppRiver releases a "Threat and Spamscape Report" at its Web site which provides the "highlights" of the previous month's "hacktivist" attacks, virus, and malware activity. (See an excerpt from the November report at right.)
Touchette explains that the popularity of mobile devices is giving cyber criminals a larger playing field. "It's not just smartphones," he notes. "Everyone has a tablet as well now. They're doing their private business on public wifi. People don't realize a threat yet."
He observes there's a reason why people are more casual about security when they're not sitting in front of a desktop. "Not too long ago it was less likely that someone's mobile device would get infected because essentially every phone had its own operating system. It wasn't feasible for the malware authors to write a different version for every phone that was out there. So there were only a handful of threats to mobile devices," Touchette says.
"Today," he says, "mobile devices are much bigger targets because there are only three major mobile operating systems: Windows, iOS, and Android."
With this as a backdrop, Schrader explains how cloud computing factors into the increasingly perilous task of protecting agency data. "With the push to put all applications up in the cloud, more weight is being put on the agency's Internet connection. There are two big exposure points: e-mail and Web traffic."
With respect to e-mail, he notes: A lot of people don't understand that unencrypted e-mail is the same as a postcard. A good rule of thumb is: If you wouldn't put it on a postcard, don't put it in an unencrypted e-mail. A recent industry study indicates that e-mail accounts for 35% of all data loss incidents among enterprises. Schrader commends the insurance industry's efforts to protect e-mail via TLS (Transport Layer Security) encrypted connections between an agency's server and the carrier's. A list of the carriers that support TLS is available at the Security & Privacy page of the IIABA's Agents Council for Technology (ACT) Web site. Agencies also need to verify that their own server is TLS enabled. With both ends of the transaction TLS secure, that postcard (the e-mail) is "being driven to the carrier's front door in an armored car," he says.
Battling the bad guys
Unfortunately, not all e-mail recipients are on a pre-validated list. For those instances, agencies need to use a third-party solution. Joyce Sigler, CISR, CPIW, DAE, CPIA, attended the PowerUsers meeting. She is vice president-administration and corporate secretary for Jones & Wenner Insurance Agency, Inc., in Fairlawn, Ohio. She says the agency's data security plan closely follows what the Federal Trade Commission recommends for bank-owned insurance operations. In addition, the agency uses most of AppRiver's products. "We look for partners who are experts," she says. "AppRiver stands out because they know the insurance industry and they integrate with the Vertafore products we use. Our employees don't even have to think about it."
Schrader says if the agency isn't sure whether a TLS connection is being made, it needs to use an end-to-end secure e-mail product like AppRiver's CipherPost Pro™. It's a cloud solution for e-mail encryption, secure file transfer, and data leak protection. "Whether the sender is on a mobile device, in Outlook, or in some Web interface somewhere, they can hit the 'send secure' button and essentially, they're putting the 'postcard' inside an envelope. It doesn't matter if it goes in an armored car or not. Only the end user can open it. It has a seal on it," he says.
Gordon Wenner, president and CEO of Jones & Wenner adds: "Prior to our association with AppRiver I was concerned about protecting our customer data. It's a huge responsibility and the penalties are enormous if you have a problem. We need to protect ourselves from ourselves," he says with a smile. "I feel much better knowing that AppRiver is watching out for the data we have. Ignorance is not bliss when it comes to protecting data."
E-mail security doesn't have to be complex, Schrader states. He suggests that agencies establish a blended security approach that includes flexible technology solutions that help enforce the agency's e-mail compliance policies. "User education is an important element in an agency's information security plan," he notes. "Unintentional human error remains one of the most common causes of data breach. When users understand proper workplace e-mail usage and the consequences of non-compliance, and are comfortable using the technology solutions, they are less likely to let down their guard and make mistakes." AppRiver's "5 Steps to Help Address Email Compliance" can help an agency get started developing its own policy. The ACT Web site also offers an information security policy framework.
Nancy Sattler, another PowerUsers attendee, is principal owner of Sattler Insurance Agency in Lewiston, Idaho. She says she has implemented an Internet contract that each of the agency's 11 employees signs. She says it addresses data breaches, shared information, general Web surfing, spam, and malware.
In addition to using AppRiver to help with data security, she says she limits access to the agency automation system after hours to only principal owners. "That's how I'm controlling the data going out," she says. "If a producer wants to log in on a weekend, I'm able to change their security setting for that instance."
As for the growing popularity of mobile devices, Sattler says management needs to set clear expectations. "We've had to rethink how we do business," she observes. "Five years ago, no one freaked out if a producer left his tablet at Starbucks…it was a yellow pad! Today, it's a minor disaster because of the data that's accessible via those mobile devices."
AppRiver's Touchette says most devices come with remote wiping and encryption capabilities but they need to be set up and turned on—steps users may not be aware of. Gill notes that agencies using AppRiver's ActiveSync can contact them in the event a smartphone or tablet is lost or stolen so it can be "bricked." "That would keep people from getting access to the agency's sensitive e-mails or whatever personal information is stored on the phone," Gill says.
Both Touchette and Gill agree that having an electronic security policy is an important first step and that should include alerting management when a device goes missing. The next important step is enforcement, although some things are difficult to enforce—for instance, accessing wifi or public hotspots and then logging into the corporate server where customer information is stored. "That's where education is going to have to be a big part of it," they say.
Evidently, the education campaign is working. According to Schrader, the folks in hoodies are now shifting their malicious efforts away from e-mail and more towards Web sites. "They're specifically targeting Google, Yahoo! and Bing search results," he reports. "They set up a site that shows up on page one or two of the search results. No one hesitates to click on those top search results and that's when the malware gets downloaded. Over 50% of malware gets downloaded from search results, so employees need to think differently about where threats may be coming from. Again, education is part of the protection," he says.
He adds that AppRiver has tools that throw up a barrier to certain sites that it considers malicious so employees can't access them.
Schrader notes that threats can come from within an agency as well. He encourages those using temporary employees to conduct background checks before giving them access to the agency's network. "Don't let somebody in the back door by giving them access," he warns.
Additionally, he cautions against allowing staff to use USB portable storage devices. "That's one of the best tricks in the world," he says. "Some 'bad guy' will toss a bunch of brand new USBs in the parking lot. Problem is, they may contain a keystroke logger that can capture critical identity information. Without internal controls, chances are good that a staff person will pick one up and plug it into the network."
So in addition to working with a third-party firm to provide e-mail and Web protection, Schrader recommends having a local layer as well, "something on your network to 'sniff' for trouble in case somebody walks in with that USB they found in the parking lot. The most important thing is that an agency's employees are educated about the risks and use common sense," he concludes.
30-Day Virus Activity
This chart represents email-borne virus and malware activity during the month of October as seen by AppRiver filters. These figures include both malicious attachments as well as malicious links. During October we saw numerous large email campaigns utilizing both malicious attachments as well as malicious links. This traffic resulted in a very malware-laden month in spam traffic. In October we quarantined over 361 million emails containing malware. Malware now comprises the highest percentage of spam that we have seen historically. During October, 21.1 percent (or roughly 1 in every 5 messages) of total spam either contained malware or a link to malware.
For more information:
Web site: www.appriver.com