In the wake of some of the largest data breaches to hit health insurance companies, the National Association of Insurance Commissioners (NAIC) has followed on the heels of the Securities and Exchange Commission and issued "guidance" on cybersecurity. In April, the Cybersecurity (EX) Task Force of the NAIC adopted the Principles for Effective Cybersecurity Insurance Regulatory Guidance.

The Principles for Effective Cybersecurity: Insurance Regulatory Guidance looks to state insurance regulators "to ensure that personally identifiable consumer information held by insurers, producers and other regulated entities is protected from cybersecurity risks." The guidance encourages insurers, agencies and producers to secure data and maintain security with nationally recognized efforts such as those embodied in the National Institute of Standards and Technology (NIST) framework. The NIST framework provides guidance on managing and reducing cybersecurity risk for organizations of all sizes, putting them in a much better position to identify and detect attacks, as well as to respond to them, minimizing damage and impact.

Producers, agencies and insurance companies could all be held liable for the loss of protected health information and personally identifiable information of prospects and clients, such as a person's full name, date of birth, address and Social Security number.

The NIST Framework consists of five functions, each divided into subcategories, as well as standards, guidelines and best practices. A security consultant who specializes in threats and cybersecurity can assess networks and help secure them using the NIST Framework and other standards. Whoever you work with should be familiar with common threats targeting the insurance industry, as well as the tactics, techniques and procedures attackers are using around the globe.

Function 1: Identify

Identify assets and risk so you can prioritize your security efforts. First conduct a risk assessment to identify all your information assets, such as client lists, business strategies, marketing information and client data. Then rank each of them according to its value, from very low to very high, to help you focus on protecting the high-value data.

Perform a vulnerability assessment to see which systems and company web-facing applications are weak. Your assessor can help you rank the likelihood of a threat exploiting certain vulnerabilities, and can assess your internal and external network controls, policies and procedures, gaps compared to regulations, and best practices.

Function 2: Protect

Once you know your information assets and their values, gauge your resources accordingly and decide what measures will protect them. You may need security devices and software, but also staff to continually operate the devices. Many organizations erroneously believe that they can buy a security solution to protect their networks from intruders. However, all cybersecurity protective devices (firewalls, intrusion prevention/detection systems, unified threat management appliances and others) need to be consistently configured, managed and updated with the latest patches, as long as the update won't harm the network.

Once you buy a protective device, you need the oversight of a staff member to operate it to its best ability. No matter what any security vendor says, all protective devices need consistent human interaction. There is no device that works automatically after plugging it into your network. Numerous breaches have occurred because people were not properly operating protective devices. When devices are not properly and consistently configured, hundreds of alerts go off and are ignored.

Function 3: Detect

Despite preventive controls, security incidents still occur. That's why it is important to detect anomalous activity quickly to remove any attackers and prevent or lessen any damage. Monitor your network traffic and your endpoints (servers, workstations and laptops) 24 hours a day. It takes about 48 days for most organizations to recognize that they've been breached, according to the 2013 survey report "Post Breach Boom" by the data security research center Ponemon. However, when your network is continuously monitored, you can spot anomalous activity as soon as it occurs.

In addition to monitoring your network, you also need to have detection systems on your endpoints (servers, laptops and workstations) that are themselves continuously monitored. That allows you to see any anomalous activity on them so you can stop the attackers before they traverse the network.

Function 4: Respond

The sooner you recognize you've been breached, the sooner you can get the attackers out to minimize the damage. The longer attackers are in your network, the more data you lose, and the more difficult and costly it becomes to get the attackers out. Getting attackers out of your network takes a lot of expertise that most organizations don't have.

Less than half of respondents to the Ponemon Post Breach survey said their organizations have the tools, personnel and funding to prevent, quickly detect and contain data breaches. While your organization can try to respond to a breach on its own, unless it has a full-time security team that works with threats day in and day out conducting incident response engagements, has a global view of the threat landscape, and is familiar with certain patterns attackers make in networks, it may not be able to remove the entire threat. If it removes all but one trace of the threat, the attackers could still be hiding inside the network.

The average time to resolve a cyberattack is 45 days, with an average cost to participating organizations of $1.6 million during this 45-day period, according to the 2014 Cost of Cybercrime Study: U.S. by Ponemon. That long time span and high cost can be greatly reduced if you understand the attackers and the ways they work. Professional incident response teams could get attackers out in hours or days compared to weeks. Security companies offer retainer contracts that guarantee experts onsite within 24 hours for breach remediation and discounted rates, usually saving you about $100 an hour. Without a retainer, it could take an organization a few days to select a response team and for one to become available.

The sooner you get the attackers out, the lower the overall cost. Results from Ponemon's U.S. cybercrime study show a positive relationship between the time to contain an attack and the organizational costs incurred from business disruption, data loss, recovery costs and legal costs. The total annualized cost of cybercrime in 2014 ranges from a low of $1.6 million to a high of $60.5 million.

Function 5: Recover

Recovering from an attack takes planning long before your network is breached. You should have a Business Continuity Plan in place, as well as policies and plans in place to run your website and network from another offsite location. A security consultant can work with you to help you decide how much and what data needs to be backed up, as well as what critical systems and components are essential to your organization's success. The recovery function helps you restore capabilities and services that were impaired. All these decisions need to be made before a crisis.

Although independent agents probably won't have a network to protect, at the very least they should take applicable steps to secure their computers. They need to ensure the privacy of their prospects' and clients' personally identifiable information, including addresses, dates of birth, Social Security numbers, health data and insurance policy information. They should ensure their computers are password protected so an intruder would be unable to access the data on them.

Use a private network at home and a virtual private network whenever connecting to a public network. Using a public network at a coffee shop or restaurant makes you easy prey for attackers to snoop and see everything you are doing on the network. They can see all the sites you visit and everything you type on an online site, such as your login credentials. The right VPN will encrypt all traffic so even if attackers manage to snoop on your online activity, all they would see would be unintelligible gibberish.

Dan Bonnet serves as sales director, small and medium business – North America at Dell SecureWorks, a global information security services company that helps organizations of all sizes reduce risk and improve regulatory compliance.
