The following is an opinion article written by Jacqui Nelson, Managing Director at Dekko Secure. The views expressed within the article are not necessarily reflective of those of Insurance Business.
As insurance firms and brokers become increasingly reliant on electronic workflows, ensuring effective data security has never been more important. Sensitive client files and correspondence must be stored and shared in ways that prevent access by unauthorised parties.
This shift to digital communication comes at a time when the number of cyberattacks taking place is growing by the week. Keen to access data for potential financial gain, cybercriminals are always looking for ways to steal files that are being stored or in transit.
According to the latest Allianz Risk Barometer, cyber incidents now rank as the top risk for Australian businesses. Many understand the potential for both financial and reputational loss that can result from a cyberattack.
Insurance providers are also aware of their responsibilities under both the European GDPR laws and Australia’s Notifiable Data Breach (NDB) regulations. Both mandate strict guidelines around what firms should do to secure their data stores and what steps must be taken if a breach occurs.
Improving data security
There are a number of ways an insurance firm or broker can improve the security of sensitive information and communications at all times. Six top tips to follow are:
- Undertake a security audit: To understand the cybersecurity risks facing the firm, it’s important to fully evaluate all the systems and processes being used. Follow each workflow and look at where the data being used could potentially be compromised. View processes in the light of the GDPR and NDB regulations.
Importantly, undertake assessments from a business rather than a technical perspective, because responsibility for any data breach rests with senior management and the board. Evaluate what impact a data breach would have on operations and the potential long-term effects it could have on the firm.
- Check your security tools: Another important step is to fully evaluate the security tools and processes that are currently in place. Determine whether they are providing sufficient levels of protection and whether there are any remaining gaps that still need to be filled.
Take time to determine whether people can circumvent existing security measures and potentially put data at risk. If evidence of this is found, further measures should be put in place to prevent these practices.
- Evaluate existing communication channels: Carefully determine all the communication methods and channels being used, both internally and externally. Evaluate how files are being shared between staff members and with clients or other external parties.
Staff could potentially be using insecure file sharing services, such as Dropbox or Google, which could increase the chances of data loss or breaches. Measures need to be put in place to ensure that only secure channels are used at all times.
- Educate staff: Research shows that the vast majority of all data loss incidents are caused by human error or ignorance. This could be anything from clicking on an infected email attachment to leaving an unencrypted laptop computer in the back of a taxi.
Conduct regular cybersecurity education sessions for all staff to explain to them the types of risks being faced and the practical steps they need to take to reduce vulnerability. When staff understand why they should handle data in secure ways they will be much more likely to comply, thereby lowering the chances of a successful cyberattack.
- Find an email alternative: Email has become entrenched as a widely used business tool, but it remains a very insecure way of exchanging sensitive data. A much more effective approach is to implement a secure file sharing platform through which data files can be shared.
Ensure all staff are trained in the use of the new platform and have a clear understanding of why it should be used in place of more traditional email-based workflows. The platform can also replace other insecure practices such as loading files onto a USB key.
- Check where data is stored: It is also important to have a clear understanding of where critical data files are being stored. While most are likely to be on internal servers, some could be kept on cloud-based platforms or systems owned by external parties.
With data sovereignty becoming an increasingly important issue, it is vital to know geographically where data is being stored at all times. If any locations are deemed to be insecure, their usage should be immediately halted.
By following these tips, insurance providers can ensure their critical data files remain secure at all times. The risk of cyberattack can be lowered and the potential for long-term financial or reputational losses significantly reduced.