50 Shades of Insurance

BYOD: “Bring Your Own Device” to work.

So…how many times have you thought of doing it…by yourself… in your office…all alone? What about your employees…do they ever go at it alone in your office? Do they ever do it with other employees? Do they ever do it alone, with their own “personal devices”?

No? Are you sure? Maybe you should install cameras, as you may be surprised as to what you might discover!

In case you’re thinking something else, I’m talking about the times where employees increasingly expect to be able to use their own, personal, smart phones, tablets, and PCs, to access business applications and systems proprietary to your agency. The following is a piece written by Danielle Johnson, VP & Director of Information Technology at InsurBanc, which IIABA and the W.R. Berkley Corporation established to assist independent agencies with their specific banking needs. It addresses this latest office phenomenon, where employees are using their own personal devices (smartphones, tablets, etc.) to provide new coverage and to service existing policies of agencies that they are not a principal of.

In addition, it was also written to assist agencies in formulating their policies and security strategies when agencies authorize employees to use their own personal devices for business use. Thank you to ACT and the IIAA for allowing me to share this with you:

“Bring Your Own Device” Opportunities & Risks

Employees expect it; but employers need to manage the risks

“The consumerization of IT revolution — sparked by the iPhone — has shifted the IT culture so that the users are the ones getting the latest, cutting edge technologies first, and they want to bring those devices to work.” (PC World Magazine, Dec. 20, 2011, Tom Bradley, “Pros and Cons of Bringing Your Own Device to Work”)

What Is BYOD?

Many workers today expect the companies they work for to allow them to use their personal mobile devices and personal computers at the office, and/or to provide remote connectivity to the office via personal devices. Technologists dub this trend “BYOD” (bring your own device).

Why is BYOD Important?

Mobile devices — along with their applications and on-the-go Internet access — provide attractive options for speed, connectivity and productivity. Many people wouldn’t think of spending their workday without a Blackberry, iPhone, Android, iPad or other device to access company systems and data. Most important, senior managers want to use these devices and are using their organization’s technology more because of them.

Many employees see their own personal devices as superior to those provided by their employers. Employees also tend to believe they are more productive if allowed to use their own devices for work and data syncing between office and home. Thus, BYOD is significant because employee-owned devices are now accessing company systems and being used for work purposes, presenting security and privacy concerns to the employer.

Employers see the inherent value in a more mobile, more connected and more productive workforce. Many employees and managers have no problem connecting and addressing work issues after hours and/or on the weekends. It can be considered a motivational strategy.

What Are the Security Risks?

BYOD mobility offers access to enterprise data, systems and corporate email. Employees can store and process data and connect to networks.

While BYOD may be considered necessary and convenient, this type of connectivity can raise significant data security and privacy concerns which lead to potential legal and liability risks.

Consider:

1. The device gets lost or stolen with access to company data and systems.

2. The device contracts a virus or has malware installed that can obtain company logins and data from that device.

3. The personal device user — however good his/her intentions are — can in effect be circumventing company security standards.

4. The company cannot control the use of the personal device should the employee allow children or friends to use the device.

5. The employee may use the device to place files in personal applications in the cloud which may not be secure.

6. The employee plugs a mobile device into the USB port of his or her office computer, thereby transmitting a virus to the office desktop.

Here are some facts to consider when trying to balance personal device access with security:

Employees don’t perceive the risk.

Many employees perceive the use of their own devices at work as placing no extra burden on technical support. But dealing with any data or system security issue requires know-how and technical resources.

Executives perceive the risk, but aren’t fully ready.

In August of 2011, a Deloitte webcast poll of more than 1,000 U.S. information technology and business executives found that 28 percent of respondents believe there are unauthorized personal digital assistants (PDAs) and/or tablets connecting to company systems, especially to email servers. About 87 percent of respondents think their systems are at risk for a cyber attack originating from a mobile security lapse, the poll reported. The same poll found 40 percent of respondents are unaware of whether their organizations have strategies or controls to enforce mobile security. Further, it found that only 24 percent of respondents believe that “all devices connecting to my intranet are authorized.” Only 17 percent reported that they monitor for rogue connections.

Malware is on the move.

Malware that targets mobile devices is increasing, reported IBM Security Solutions researchers in a fall 2011 whitepaper. Citing an IBM security research report, the whitepaper presented statistics showing that mobile operating system vulnerabilities tripled from 60 to a projected 180+ from 2009 to 2011.

Enterprise systems and mobile systems are catching up with each other.

While many corporations have for years allowed Blackberry-based access to email and other company systems, users are now demanding that iPhone/Android-based smartphones and tablet computers be provided access to these same services.

How do you proceed once BYOD is determined necessary?

Since there are risks to the mingling of personal devices and work systems, companies must take the lead in assessing and managing the risks so as to safeguard their systems and data. Some simple steps include:

1. Institute a strong written BYOD Policy that is consistent with the organization’s Employee Handbook policies such as the IT Policy and Acceptable Use Policy.

2. Determine which data to protect.

3. Define what devices will be supported.

4. Determine which employees need remote access via personal devices. Do not open BYOD participation beyond those employees that have a strong business reason for mobile access.

5. Define security requirements.

6. Train and educate employees concerning policy and BYOD use.

7. Monitor employee mobile devices for compliance with your organization’s policy.

8. Secure the employee’s authorization to “wipe” the employee’s mobile device remotely (restore it to its original factory state), as a condition of giving access to any of the business’s systems.

9. Place controls over access to and use of the company’s wireless internet. For example: do not broadcast your wireless SSID, restrict access to employees only by using MAC address filtering in the router, and enable WPA2 on the router.

Security Solutions

If an enterprise is allowing employees to use their own mobile devices, the following security measures should be implemented.

1. Require a strong phone startup PIN that is at least 6 – 8 characters long. If the device does not support that length, use the maximum it allows. Reduce the auto-lock (PIN required) timeout setting to no longer than 10 minutes.

2. Require specified encryption and anti-malware software on each device.

3. Require and install mobile tracking software/applications which allow online access to track the location of a lost/stolen phone and the ability to perform a lock/scream and/or remote data wipe. Secure the employee’s authorization to take these actions on the device if it is misplaced, lost or stolen, as a condition of giving the employee access to the business’s systems and data.

4. Do not allow “broken”/“rooted”/“jailbroken” devices on your network. These phones have had the limitations installed by the carrier removed, allowing the user to run apps and files not approved by the carrier. This process opens the device up to security risks.

5. Large enterprises monitoring multiple devices and platforms should consider Mobile Device Management (MDM) software. MDM software centrally controls and protects the data and configuration settings for all mobile devices in the network. MDM can also provide a secure document delivery platform and end to end data transmission encryption.
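The nine “how do you proceed” steps and the five security measures above can be turned into a device posture check that an agency runs before granting a personal device access. The script below is an added example, not part of the original column or of any MDM product; the device records, the field names (pin_length, max_pin_length, autolock_minutes, and so on) and the policy thresholds are constructed from the items on this page. It encodes the PIN caveat from measure 1 (if the platform cannot do 6 characters, require the maximum it allows), treats rooted/jailbroken devices and missing wipe authorization as blocking findings, and makes MDM enrollment an optional requirement, since the page recommends MDM for large enterprises rather than for everyone.

```python
"""BYOD posture check against the policy items on this page.

Added example, not code from the original column. The Device schema and the
sample inventory below are constructed for illustration; a real MDM export
uses its own field names.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Policy:
    min_pin_length: int = 6          # measure 1: "at least 6 - 8 characters"
    max_autolock_minutes: int = 10   # measure 1: "no longer than 10 minutes"
    require_mdm: bool = False        # measure 5: recommended for large enterprises


@dataclass
class Device:
    device_id: str
    owner: str
    pin_length: int                  # PIN currently configured on the device
    max_pin_length: int              # longest PIN the platform supports
    autolock_minutes: int            # minutes of inactivity before the PIN is required
    encrypted: bool                  # measure 2: storage encryption enabled
    anti_malware: bool               # measure 2: anti-malware installed
    tracking_and_wipe: bool          # measure 3: locate / lock / remote-wipe app present
    wipe_consent_signed: bool        # step 8 / measure 3: written authorization on file
    jailbroken: bool                 # measure 4
    mdm_enrolled: bool               # measure 5
    business_need: bool              # step 4: documented reason for mobile access


def evaluate_device(d: Device, p: Policy) -> List[str]:
    """Return the policy items the device fails; an empty list means compliant."""
    findings: List[str] = []
    if not d.business_need:
        findings.append("no documented business need for mobile access")
    if d.jailbroken:
        findings.append("rooted/jailbroken device")
    # PIN rule with the page's caveat: a platform that cannot reach the
    # minimum must use the longest PIN it supports.
    required_pin = min(p.min_pin_length, d.max_pin_length)
    if d.pin_length < required_pin:
        findings.append(f"PIN length {d.pin_length} < required {required_pin}")
    if d.autolock_minutes > p.max_autolock_minutes:
        findings.append(f"auto-lock {d.autolock_minutes} min > {p.max_autolock_minutes} min")
    if not d.encrypted:
        findings.append("device storage not encrypted")
    if not d.anti_malware:
        findings.append("anti-malware not installed")
    if not d.tracking_and_wipe:
        findings.append("no tracking/remote-wipe capability")
    if not d.wipe_consent_signed:
        findings.append("remote-wipe authorisation not on file")
    if p.require_mdm and not d.mdm_enrolled:
        findings.append("not enrolled in MDM")
    return findings


def compliance_report(devices: List[Device], policy: Policy) -> Dict[str, List[str]]:
    """Map every device id to its list of findings."""
    return {d.device_id: evaluate_device(d, policy) for d in devices}


def approved_devices(devices: List[Device], policy: Policy) -> List[str]:
    """Device ids with no findings, i.e. the ones that may be granted access."""
    return [d.device_id for d in devices if not evaluate_device(d, policy)]


# Constructed sample inventory. Positional field order:
# id, owner, pin_length, max_pin_length, autolock_minutes, encrypted, anti_malware,
# tracking_and_wipe, wipe_consent_signed, jailbroken, mdm_enrolled, business_need
SAMPLE_DEVICES = [
    Device("phone-01", "alice", 6, 16, 5, True, True, True, True, False, True, True),
    # Platform capped at a 4-digit PIN: compliant because it uses the maximum allowed.
    Device("tablet-02", "bob", 4, 4, 10, True, True, True, True, False, False, True),
    # Jailbroken, unencrypted, 30-minute lock, no tracking app.
    Device("phone-03", "carol", 8, 16, 30, False, True, False, True, True, False, True),
    # Technically sound but no business need and no wipe authorization on file.
    Device("phone-04", "dave", 6, 16, 5, True, True, True, False, False, True, False),
]

if __name__ == "__main__":
    for dev_id, findings in compliance_report(SAMPLE_DEVICES, Policy()).items():
        status = "OK" if not findings else "BLOCK - " + "; ".join(findings)
        print(f"{dev_id}: {status}")
```

With the default policy only phone-01 and tablet-02 are approved; switching to Policy(require_mdm=True) additionally blocks tablet-02, which is the kind of decision an agency should record in its written BYOD policy (step 1) rather than leave to whoever runs the check.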

The opportunities of BYOD are present — and here to stay. As an analogy, home security is more complex for a bigger house with more entrances and windows. So too is systems security more complicated as smartphones and other remote devices present new entry points to be analyzed and protected.

Please understand that all of the security tips presented here are simply guidelines to aid agencies in diminishing security and privacy risks and managing them. However, none can be guaranteed 100% effective.

Recently the Professional Insurance Agents of NY and NJ had their annual conference at the Trump Taj Mahal in Atlantic City, NJ. Among a sold out trade show and a conference of 2000 attendees, a number of awards were presented that I would be remiss if I did not mention. In New Jersey, Natalie Bruno, of The D’Agostino Agency in Hammonton, N.J. was named Young Insurance Professional of the Year. Donald F. LaPenna Jr., of Cranford, N.J. was named the Professional Insurance Agents of New Jersey Inc. Director of the Year.

The New York Young Insurance Professionals named my dear friend and fellow YIP Dina “imagine you’re a deer” Bruno, the NY-YIP Insurance Professional of the Year. Dina is Regional Sales Manager for MetLife Auto & Home, in Wantagh, NY, and is so very deserving of this award! Thanks for ALL that you do! In addition, I was totally surprised and incredibly shocked when presented with a NY-YIP Lifetime Achievement Award at the PIA of NY & NJ conference…so shocked that I forgot to give an acceptance speech when I went up to the stage to collect my plaque! Those of you who know me well, know that I am never at a loss for words, although when my dear friend and President of The New York Young Insurance Professionals, Michael Plafker, of Member Brokerage in Queens, NY, presented me with the award, I didn’t even say anything other than, “Thank You!”…which is all that I could say behind the emotion that I felt from receiving an award from my friends and peers…thank you so VERY much!

Well, that’s what’s happening around town, and to all the fathers out there in this thing of ours, “Happy Father’s Day!” Ciao for now!