Agencys Digital Security A Business Issue, Not A Technical One

Some independent agencies aren't taking the most fundamental steps to protect their computer systems and the critical information they contain their “digital assets” from hackers and other threats.

In the office, most agency principals look to the most technically savvy person, their agency's technical expert, to secure their computer systems. Technical experts can put your computer systems back in working order, but what they are not directed to do is enforce rules when it comes to your company's digital security, and they shouldn't be doing that. The agency principal should develop and enforce basic procedures and strategies designed to deter anyone from leaking information out of your computer systems and ultimately shutting the systems down.

Thus, independent agency principals should look at digital security challenges as a business issue, not a technical one. A number of large-scale factors are contributing to the seriousness of digital security threats, including:

An increase in the number of electronic transactions.

Increases in connectivity, typically business-to-business and business-to-consumer connections, using the Internet.

Criminals' use of more sophisticated tools. In the past, hackers used password guessing or password cracking. Today, with the click of a mouse, they can launch a sophisticated attack.

Determining security requirements is a lot like determining adequate insurance needs. You need to consider the risk, which involves understanding the business impact and probability of an adverse event. You also need to evaluate the cost for protection versus the cost of incurring the outage.

The starting place for digital security is to create a plan that considers business needs, identifies areas of exposure and defines security policies. These policies will form the foundation for the agency's security architecture.

The policy also should include accountability to monitor and audit, define consequences for non-compliance, identify an exception process, and provide for periodic re-evaluation of the policy.

Securing the agency's digital assets involves these major areas:

Addressing perimeter risk by building a secure barrier between external networks and internal computer systems. This includes use of a firewall to block and regulate access, a virtual private network (VPN) to hide internal resources and provide for secure remote access, and virus scanning to prevent inbound viruses.

Securing computers to prevent unauthorized resource access, regulating installation of new software, keeping current on security updates, and maintaining regular and current virus scanning.

o Communicating and monitoring your security policies perhaps the most important step of all. This should include regular communication to employees about security risks and external threats, and keeping track of security bulletins from vendors.

Finally, an easily accomplished but often-forgotten action is to delete or change IDs and passwords when an employee leaves the agency.

On the positive side, the typical independent insurance agency is not a high-profile target. However, if your system is easy to gain access to, a problem could develop. Thats why it's so important for agency principals to make the time to take charge of the firm's digital assets.

Alvito Vaz is responsible for Progressive's agency-dedicated Web site, ForAgentsOnly.com (FAO), and agency automation efforts. He is also chair of the ACT Password Work Group for IIABA's Agents Council for Technology (ACT).

Reproduced from National Underwriter Edition, May 10, 2004. Copyright 2004 by The National Underwriter Company in the serial publication. All rights reserved.Copyright in this article as an independent work may be held by the author.

Special Reports /

Agencys Digital Security A Business Issue, Not A Technical One

Related Stories

Recommended For You