Stick ‘em Up!

Over the years I have written in my column about numerous ways that bad guys try to dupe us into sending them our hard-earned money through the use of fictitious email scams, phishing expeditions, and spoofing, amongst other methods designed solely to defraud and deceive unsuspecting or unknowing potential victims. Although their M.O.s may have evolved as technology has progressed, the intent of the crooks is always the same: “Stick ‘em up and hand over the loot!”

Well, ACT (Agents Council for Technology), sponsored by the Independent Insurance Agents and Brokers Association (IIABA), has released an informative article titled “Combat Cybercrime and Protect Your Agency with Simple Security Steps”. It was written by Danielle Johnson, Vice President and Director of Information Technology at InsurBanc, which IIABA and the W.R. Berkley Corporation established to assist independent agencies, businesses and consumers with their specific banking needs. I would like to share it with you in the hope that it may help prevent someone from falling prey to these almost undetectable and automated techniques and becoming a crime victim.

First, let’s take a look at exactly what cybercrime is. According to Ms. Johnson, like traditional crime, cybercrime covers a broad scope of criminal activity and can occur anytime and anyplace. What makes it different is that the crime is committed using a computer and the Internet. You may recognize some of its most common forms, such as identity theft, computer viruses and phishing, and at a corporate level, the hacking of customer databases. Most people are aware of these and protect themselves and their PCs with anti-spyware and anti-virus software such as Norton or McAfee. As an agency owner, you should be alert to the fact that cybercrime is becoming more and more sophisticated and targets not only consumers and large corporations but small to medium sized businesses as well. A single program is not enough protection against these intrusions.

An alarming cybercrime now affecting small to medium sized businesses is “corporate account takeover.” Cyber criminals penetrate the computer network of a business and spread malicious software, such as a “keylogger,” which records the words typed, Web browsing history, passwords and other private information. This in turn gives them access to your programs using your own log-in credentials. If they steal your password and breach your online banking account, the cyber criminals can begin an online session and initiate funds transfers, by ACH or wire transfer, to their accomplices, who withdraw the money almost immediately. Take the first step to prevent fraud at your agency: become aware of the latest cybercrimes and how criminals gain access to a business’s computer network. An agency should also employ the most up-to-date online security practices on a proactive basis. Agencies can also take the opportunity to present these online security practices to their clients, as many are also instituting Internet-based online programs at their businesses.

Online Security Practices

While no tool or automated software is 100% effective, the best protection for your agency is to be well informed and use common sense. Using a multi-vendor, multi-layer approach to system design can significantly reduce your chances of becoming a victim of cybercrime. To assess the risks associated with a cyber intrusion of your agency’s online systems and critical client data, ask yourself the following questions:

1. Does your agency have a hardware based firewall at the network level?

2. Does the network firewall include anti-virus, anti-spyware and anti-spam services along with content filtering and intrusion prevention, detection and real-time reporting?

3. At the individual PC level, does each computer have centrally updated and monitored anti-virus, anti-spyware and anti-spam software loaded?

4. Are your computers set up to automatically update your operating system and applications for the latest available security and critical updates?

5. Have you reviewed your browser security settings, which determine how much or how little information the browser can accept from, or transmit to, a website?

6. Does your agency have a written security policy in place that covers areas such as disaster recovery, the use and storage of passwords, and the use of social media on work computers?

7. Does your agency back up critical files in case of an issue that disables your systems?

8. Has your agency identified an individual to review security policies and practices on an ongoing basis?

9. Are you aware of the laws governing the protection of personal information in your state?

10. Do you have cybercrime insurance to protect your data and liability exposure in the event of an intrusion?

11. Does your agency have a training program to educate employees on best practices to avoid becoming a victim?

12. Does your online banking system provide multiple layers of security tools to prevent intrusions into the system such as token-based authentication? Agency principals should consider the types of transactions they conduct within online banking and check with their banking institution for available security enhancements.

These are just some of the basic steps an agency can implement to assess and protect itself from cybercrime. Your agency should have a network security assessment and review conducted by a certified information technology firm that specializes in network security. This evaluation will help you to identify the “next steps” in securing your network and data from unauthorized access and distribution.

If Your Agency Becomes a Victim

If you discover, or even suspect, that your agency has fallen victim to corporate account takeover or identity theft, you should proceed as follows:

• Immediately cease all online activity and contact your IT administrator.

• Disconnect the affected computer, and any other computer stations involved, from the network.

• Contact your financial institution to disable online access to the accounts and close affected accounts. You can then open new accounts and reset passwords.

• Consult your counsel and your state’s data breach notification law and regulations to ascertain the process you need to follow.

• Notify other business partners that may have been affected, such as your insurance carriers.

• File a report with the police department.

Common Online Fraud Definitions

• Malware refers to software programs designed to damage or do other unwanted actions on a computer system. Common examples of malware include spyware, keyloggers, and viruses.

• Spyware is a type of malware installed on your computer without your knowledge. It collects personal information, including your Internet surfing habits, and can redirect web browser activity and change computer settings. Spyware is typically hidden from the user and can be difficult to detect once installed without proper anti-spyware tools.

• Keyloggers, like spyware, are installed on your computer without your knowledge. A keylogger tracks (or logs) the keys struck on a keyboard, typically in a hidden manner so that the person using the keyboard is unaware that their actions are being monitored. Keystroke logging can record the words typed, Web browsing history, passwords and other private information. This is extremely dangerous in all aspects of computer usage.

• Viruses are an ever-changing and constant threat to all systems. They deliver malicious content to your data and systems in an effort to collect data, destroy data, or turn your systems into a machine that spreads the virus or other malware.

• “Phishing” is the act of obtaining personal information or spreading malware using emails, calls, text messages or pop-up messages from what appear to be friends or legitimate banks, retailers, government agencies or other organizations.
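The phrase “from what appear to be … legitimate banks” is the whole trick, and it is worth seeing how the appearance is manufactured. The following is an added example, not code from the column or from the ACT article: it parses a constructed (not real) email message and flags two classic phishing indicators: a From display name that names a bank while the actual sender address sits on an unrelated domain, and a link whose visible text shows the bank’s URL while the hidden href points elsewhere (here, to a bare IP address). The bank names, domains and the trusted-domain list are all invented for the illustration.

```python
"""Phishing indicator check over a constructed email message.

Added example, not part of the original column or the ACT article.
Flags signs that a message only *appears* to come from a legitimate bank:
  1. the From display name claims a trusted organisation while the actual
     sender address is on another domain;
  2. visible link text shows a trusted URL while the href goes elsewhere;
  3. a link points at a bare IP address instead of a host name.
"""
import re
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the agency actually banks with (assumed allow-list, invented).
TRUSTED_DOMAINS = {"firstnationalbank.example"}

# Constructed phishing sample (not real mail); all names/domains are invented.
PHISHING_EMAIL = b"""From: "First National Bank Security" <alerts@firstnational-secure-login.example>
To: owner@agency.example
Subject: Urgent: verify your online banking access
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account access has been limited. Please sign in to restore it:</p>
<p><a href="http://203.0.113.7/login">https://www.firstnationalbank.example/login</a></p>
</body></html>
"""

# Constructed legitimate sample for comparison: display name, sender domain,
# link text and href all agree.
BENIGN_EMAIL = b"""From: "First National Bank" <alerts@firstnationalbank.example>
To: owner@agency.example
Subject: Your monthly statement is available
Content-Type: text/html; charset="utf-8"

<html><body>
<p><a href="https://www.firstnationalbank.example/statements">https://www.firstnationalbank.example/statements</a></p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _registered_domain(host):
    """Crude registrable domain: the last two labels (no public-suffix list)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def phishing_indicators(raw_message):
    """Return a list of human-readable indicators found in the raw message bytes."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    indicators = []

    # 1. Display name claims a trusted organisation, sender domain is not trusted.
    if msg["from"] and msg["from"].addresses:
        sender = msg["from"].addresses[0]
        sender_domain = _registered_domain(sender.domain)
        squashed_name = sender.display_name.lower().replace(" ", "")
        claims_trusted = any(t.split(".")[0] in squashed_name for t in TRUSTED_DOMAINS)
        if claims_trusted and sender_domain not in TRUSTED_DOMAINS:
            indicators.append(
                f"display name '{sender.display_name}' but sender domain "
                f"'{sender_domain}' is not a trusted domain"
            )

    # 2 and 3. Inspect every link in the HTML body.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            href_host = urlparse(href).hostname or ""
            text_host = (urlparse(text).hostname or "") if "://" in text else ""
            if text_host and _registered_domain(text_host) != _registered_domain(href_host):
                indicators.append(f"link text shows '{text_host}' but href goes to '{href_host}'")
            if href_host and re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", href_host):
                indicators.append(f"link points to bare IP address {href_host}")
    return indicators


if __name__ == "__main__":
    for sample_name, sample in (("phishing", PHISHING_EMAIL), ("benign", BENIGN_EMAIL)):
        print(sample_name, "->", phishing_indicators(sample) or ["no indicators"])
```

The mismatch checks are deliberately simple (a two-label “registered domain” rather than a public-suffix list, and a keyword match on the display name), which is enough to show why “appears to be from your bank” is not the same as “is from your bank”; a mail gateway or security awareness tool would add sender authentication results (SPF, DKIM, DMARC) on top of this.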

Thank you, ACT, IIABA, and Ms. Johnson, for allowing me to share these tips with you, and I hope that this information provides you with some general knowledge and direction on how to prevent cybercrime in the first place and what to do if a breach does occur within your organization. Please keep in mind that all of the security tips presented here are simply guidelines to aid agencies in not becoming a target for cybercriminals, and of course none can be guaranteed 100% effective. For additional information please also refer to ACT’s “Security & Privacy” page for a prototype agency information security plan and a recorded webinar, which will help agencies fashion their written security plan and implement their security program. Please visit www.iiaba.net/act and click on “Security & Privacy” in the gray shaded area on the left side of the page. Until next time, remember that not all bad guys use guns to take what doesn’t belong to them, so when reviewing your physical security systems and processes make certain to include your IT systems as well. Ciao for now!