It used to be that if you just said the magic word "Abracadabra," you could get access to any and all sorts of wonderful things. It seemed that the older we got, the less mystical what lay on the other side of the door became, and the more complex the journey to get there.
As technology in business became an integral part of our daily workflow, securing information and controlling access turned out to be not only critical to success but legally required, as well.
Usernames and passwords are now the expected first step to gaining entry to everything from programs to systems and information in general, on servers, PCs and mobile devices, to an extent no one anticipated. As with most new processes, a whole product line grew up around it, with businesses created for the sole purpose of securing information, and each industry having its own way of doing it.
Passwords of a certain length, or those made up of an alphanumeric combination of characters including capital letters but no symbols, might be required. Of course, these would need to change every 30 or 90 days, depending on your set protocol, and you could not repeat the same password within at least two cycles. Simple enough, right? (It is worth noting that current guidance in NIST Special Publication 800-63B recommends against forcing periodic password changes, precisely because rotation pushes people toward predictable variations and written-down passwords; a password should be changed when there is evidence it has been compromised.)
Well, if your business is like many, passwords are simple because your staff simply jotted down the current password on Post-it notes stuck around their computer monitors. What could be simpler? Passwords are difficult to remember unless you use your child's birthdate or your anniversary, so access to important and private information became the worst-kept secret. Hiding clues in plain sight may work for mystery novelists, but it doesn't work well in agency offices.
For years, the process of securing access to information apparently developed along two paths—one that was the simple and low-tech approach, and another that invested in encryption technology, various types of token generators and other authentication measures.
Hardware- and software-based options started being used in all sorts of situations. Biometrics, from fingerprints to, in the more sophisticated environments (i.e., military), retina scans or some combination thereof, were employed to try to foil even the most aggressive of hackers.
For most of us, the complexity of the programming behind many of the security solutions is irrelevant as long as it works. I have downloaded a few different apps that capture and secure usernames and passwords for sites I visit frequently as well as banks and credit card or PayPal entry screens. They work to varying degrees and integrate somewhat seamlessly, but first you need to spend the time to load all the information into the apps, which in my case is no easy task.
The second issue is fitting security into your workflow. Some apps integrate with your browser well enough that if you visit a new site that requires you to set up a username and password, they will either generate them for you or capture what you initially set them to, then lock them into a "vault" so you won't have to enter them again. These examples tend to be for personal use, although some have enterprise-level versions.
One app I sampled stored all of my usernames and passwords in its vault, shared the vault on my different devices and, once captured, allowed access through a single username and password. Because of the way it worked, for those devices on which it had been established (Mac, iPhone and iPad), I never had to enter those username or passwords again.
The process most likely to actually protect private information, whether our own or that of our customers, is always going to be the one that happens automatically, where individuals don't have to remember which password goes with which system. It also makes managing passwords in an agency easier, especially as staff changes occur, because access can be revoked in one place. Anything that is easy is more likely to be used.
An example of such a process is the current industry development and testing of a "trust framework," which is a secure, non-proprietary means to ensure there is a single identity to get into an application as might be used between an agency and carrier. IIABA’s Agents Council for Technology (ACT) has been supporting and tracking the progress of this project being undertaken by several companies involved in piloting a "federated ID" approach.
At a recent meeting of ACT, Jim Rogers, assistant vice president, The Hartford and member of the Trust Framework Initiative, explained that this project is based on an existing security standard which will make it available across platforms, systems and companies.
A federated ID system is an evolutionary step along the path of securing information shared between partners. Today it's all about IDs and passwords and all the challenges that go along with that world. As independent agents represent multiple companies and often use different programs (agency management systems, comparative raters, etc.), the burden of managing the different passwords can be overwhelming.
In a federated environment, there is one ID for each agent and it can work through the agency management system with different carriers. This approach works successfully in other industries and can do the same in insurance. As a result, the use or need for multiple passwords or IDs would be reduced.
The increased security comes from the fact that the individual user never holds a carrier-specific password at all: the carrier trusts an assertion issued by the agency's system once the agent has signed on there, so there is nothing for the user to change, inadvertently provide to someone else, or store on a Post-it. The flip side is that the agent's one sign-on, and the agency system that vouches for it, become the credential worth stealing, so that is where strong authentication and good session hygiene belong.
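As an added illustration of the exchange described above (example code written for this column, not ACT's trust framework or any carrier's implementation), the agency management system plays the identity provider: it checks the agent's single password once, then mints a short-lived assertion for each carrier, and each carrier verifies that assertion without ever holding an agent password. The JSON assertion layout, the HMAC signing and the per-carrier shared secrets are assumptions made so the example runs stand-alone; a production trust framework would use a published standard with public-key signatures. The agent name and password are constructed sample data.

```python
"""Federated sign-on, simplified: the agency system vouches for the agent,
the carrier checks the voucher. Example code for this column; the message
format and shared-secret trust setup are assumptions, not any real standard.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AgencyIdP:
    """Agency side (the agency management system): verifies the agent's one
    password, then issues assertions the carriers can verify."""

    def __init__(self, carrier_secrets):
        # Assumption: one secret per carrier, exchanged out of band when the
        # trust relationship is set up. The agent never sees these.
        self._carrier_secrets = carrier_secrets
        self._agents = {}    # agent id -> (salt, pbkdf2 hash)
        self._sessions = {}  # session token -> agent id

    def enroll(self, agent_id, password):
        salt = secrets.token_bytes(16)
        self._agents[agent_id] = (salt, _hash_password(password, salt))

    def login(self, agent_id, password):
        """The only password the agent ever types. Returns a session token."""
        salt, stored = self._agents.get(agent_id, (b"", b""))
        if not hmac.compare_digest(stored, _hash_password(password, salt)):
            raise PermissionError("bad agent credentials")
        token = secrets.token_urlsafe(16)
        self._sessions[token] = agent_id
        return token

    def assertion_for(self, session_token, carrier, now=None, ttl=60):
        """Mint an assertion bound to one carrier (aud), short-lived (exp)
        and single-use (jti), signed with that carrier's secret."""
        agent_id = self._sessions[session_token]  # KeyError if not signed on
        now = int(time.time()) if now is None else now
        body = {"iss": "agency-ams", "sub": agent_id, "aud": carrier,
                "iat": now, "exp": now + ttl, "jti": secrets.token_hex(8)}
        payload = json.dumps(body, sort_keys=True).encode()
        mac = hmac.new(self._carrier_secrets[carrier], payload, hashlib.sha256).digest()
        return _b64(payload) + "." + _b64(mac)


class Carrier:
    """Carrier side: holds no agent passwords, only the trust secret."""

    def __init__(self, name, secret):
        self.name = name
        self._secret = secret
        self._seen_ids = set()  # replay protection

    def accept(self, assertion, now=None):
        """Return the agent id if the assertion is valid here, else None."""
        now = int(time.time()) if now is None else now
        try:
            payload_b64, mac_b64 = assertion.split(".")
            payload, mac = _unb64(payload_b64), _unb64(mac_b64)
        except ValueError:
            return None
        expected = hmac.new(self._secret, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, mac):
            return None  # forged, or signed for a different carrier
        body = json.loads(payload)
        if body["aud"] != self.name or body["exp"] < now or body["jti"] in self._seen_ids:
            return None  # wrong audience, expired, or replayed
        self._seen_ids.add(body["jti"])
        return body["sub"]


def demo():
    """Constructed walk-through: one agent login, assertions to two carriers."""
    keys = {"carrier-a": secrets.token_bytes(32), "carrier-b": secrets.token_bytes(32)}
    idp = AgencyIdP(keys)
    carrier_a = Carrier("carrier-a", keys["carrier-a"])
    carrier_b = Carrier("carrier-b", keys["carrier-b"])
    idp.enroll("jane.doe", "correct horse battery staple")  # constructed credential
    session = idp.login("jane.doe", "correct horse battery staple")
    t0 = 1_700_000_000
    a = idp.assertion_for(session, "carrier-a", now=t0)
    return {
        "fresh_a": carrier_a.accept(a, now=t0 + 5),
        "replayed_a": carrier_a.accept(a, now=t0 + 10),       # same jti again
        "a_presented_to_b": carrier_b.accept(a, now=t0 + 5),  # wrong secret/audience
        "fresh_b": carrier_b.accept(idp.assertion_for(session, "carrier-b", now=t0), now=t0 + 5),
        "expired_b": carrier_b.accept(idp.assertion_for(session, "carrier-b", now=t0), now=t0 + 61),
    }


if __name__ == "__main__":
    for name, agent in demo().items():
        print(f"{name}: {agent}")
```

Note what the carrier checks beyond the signature: that the assertion was meant for it (audience), that it is still fresh (expiry), and that it has not been presented before (replay). Drop any one of those and an assertion captured from one real-time transaction can be reused, which is the federated equivalent of a Post-it note. Note also that `login` is the single point where the agent's password is ever handled, which is exactly why that step deserves a second factor.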
To follow the progress of this initiative, visit www.IIABA.net/ACT and click on the "Security and Privacy" link on the left. You’ll find position papers, meeting information and ACT Committee updates.
As the use of real-time transactions become more commonplace among carriers and agents, the challenge of adjusting how passwords are handled within this new workflow becomes greater as well. I believe a federated ID system will support this new workflow very effectively once it achieves widespread adoption.
In the interim, many carriers have adopted non-expiring passwords for real-time transactions. That removes the rotation headache, but a non-expiring password stored in an agency system is a long-lived secret that still has to be protected, and revoked when staff leave. It also doesn't address the big challenge, and one of the "holy grails" historically sought by agents: the not-so-simple single sign-on process. Implementing a federated ID can make a separate single sign-on product unnecessary, because the sign-on is folded into the workflow itself. If it happens in the background without any workflow adjustment needed by agencies, then what does it matter whether there are one or 100 passwords behind a transaction with your carriers?
In the final analysis, the real "secret on passwords" is it’s not about passwords at all: it’s about workflow and security. Whether you take the approach of a single sign-on or federated ID/trust framework service or a personal app like 1Password from AgileBits (https://agilebits.com/), they are all pathways to improving your workflow efficiencies while providing greater security.
Data security, protecting private information, and just plain common-sense practice have not been optional since the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which established security and privacy rights for individuals' health information. For insurance agents and carriers, good security practices and procedures are a must.
Agents should implement a privacy and data security policy within their businesses and make sure all employees know and understand what it means. Check on ACT’s website for prototype security plans, articles and white papers as well as a webinar on "Implementing an Effective Information Security Program in your Agency."
Start by understanding the exposure within your agency, what steps you currently take to secure the data and what you need to do to optimize your procedures. To paraphrase, better safe—and secure—than sorry.