Reframing the Question: Cybersecurity

Back in March, ACT launched their IMPACT partner video series. This program gives industry experts a chance to share their insights on trends and topics that affect the independent insurance community. Their first prompt for the series was to share “an example of an agency technology decision that could have gone better if the agency just asked a different question.”
At Rhodian Group, we love “reframing the question” and helping our clients see things in a new light, and our thoughts immediately went to the rich world of cybersecurity. Naturally, we selected Aaron Wagner, Rhodian’s Director of Cybersecurity Solutions, to submit our response to the prompt.
What is the Question?
You can see Aaron’s full video on the IMPACT series webpage, but here’s the gist of his argument: When looking at your business’s cybersecurity strategy and/or when engaging with a cybersecurity vendor, instead of asking…
What software or tools can I purchase to keep my agency secure?
Reframe the question to…
What are the risks my agency faces, both from a technology and a business perspective?
Why is that the Question?
Great question! So, stepping back a bit, Aaron (and Rhodian) practices what is known as risk-based cybersecurity. In a nutshell, risk-based cybersecurity is an approach to cybersecurity wherein the first goal is to identify and understand the risks that your business faces. This understanding then allows you to make more informed decisions on the policies and procedures that will help keep your business secure, stay compliant with evolving regulations, and use your resources more appropriately to achieve your cybersecurity goals.
Within risk-based cybersecurity, risk itself can be measured as a product of Likelihood (the probability of a negative cybersecurity event) and Impact (the potential cost of that event if it were to occur), or: Risk = Likelihood x Impact
Risk-based cybersecurity follows two key concepts that are often ignored and misunderstood:
- Not all risks are equal; and
- There will always be some amount of risk present; you cannot eliminate risk
On Point #1, risks come in all shapes and sizes. Keeping your login password on a sticky note in your desk drawer isn’t secure, but how does that compare to an agency that does not have antivirus or anti-malware software set up with their endpoint devices? Both risks should certainly be addressed, but the second situation exposes that agency to much broader risk than the password sticky note situation. Assuming reasonable countermeasures, a bad actor would need to bypass security cameras and locked doors in order to access the sticky note. In the second scenario, any of the agency’s employees – even agency principals – are completely exposed to viruses or malware, increasing the likelihood of a potential cyberattack and breach. After identifying your risks and considering your limited resources, prioritizing the resolution of the second situation will save your business some significant headaches (read: notifying clients, regulatory fines, reputational damage, etc.) if an incident occurs.
Point #2 is equally important to understand. If you’re in business, there will always be risks involved. And for the insurance industry, those risks chiefly revolve around the sensitive data you gather, use, and store as part of your daily operations. That data will never be risk-free to handle – which is part of why there are so many regulations concerning the protection of that data. As that volume of data grows, so too does the likelihood and impact of a potential cybersecurity incident, which in turn increases the overall risk you are exposed to.
(Of course, risk-based cybersecurity involves far more than what we can cover in this short article, but you can learn more about concepts like vulnerability analysis, the CIA Triad of Information Security, and much more in Rhodian’s free Cybersecurity Handbook.)
Now that we understand Aaron’s reasoning behind his response, the question still remains…
So, What Now?
By far, the best tool to thoroughly examine your risks and start addressing them is a Risk Assessment.
With a risk assessment, a cybersecurity expert facilitates a detailed examination of the risks your agency faces. Together, you and the expert will survey your business environment, including systems, personnel, risk acceptance, and more. This is not a cookie-cutter process. Each business carries its own unique risks and its own ability to address them. By the end of the assessment, your report should have an actionable, distinct list of risks that are scored and prioritized to help you make informed choices on how best to improve your cybersecurity posture.
In one form or another, many states have made risk assessments mandatory under their cybersecurity regulations for industries that handle Personally Identifiable Information (PII), such as insurance. Whether your state specifies annual or “regular” risk assessments, the important point is to conduct them frequently enough to detect and address new risks. Remember: as your business grows and evolves, so too do the risks it faces.
(You can find a sample Risk Assessment Report on our resources webpage.)
A few more notes from Aaron himself regarding risk assessments:
- Vulnerability scans are not the same as risk assessments. It’s important to know the difference when choosing a vendor and making sure you’re staying compliant with your state’s cybersecurity regulations.
- Risk assessments need to be conducted in line with the guidelines in the National Institute of Standards and Technology (NIST) SP 800-30, Guide for Conducting Risk Assessments. It’s a fun read!
- Risk assessments should inventory the systems you manage as well as third-party systems, and this level of due diligence is also becoming mandatory under many state regulations.
Any More Questions?
Understanding risk and how to make better technology decisions from that is a complicated topic. Don’t feel alone if a lot of this information is going over your head – it’s a lot to handle! ACT provides great resources for cybersecurity support, including work groups, guides, and access to experts. As always, all ACT members can reach out to Rhodian Group at [email protected] with any questions they may have, cybersecurity, IT, or otherwise. We’re here to help!
Also, as of the date this article is published, we are holding a joint Rhodian x ACT webinar (July 17, 2024, at 2:00 pm ET). You can register now if you are reading this with your morning coffee! Or look for the on-demand version on ACT’s webinars page within a few days. We have plenty to share with the community!
Lastly, if you feel like you’re having trouble making the right decisions when it comes to technology, sometimes the best thing to do is reframe the question!
Rhodian Group extends a special thanks to ACT for creating the IMPACT video series and giving us a space to share our expertise and another special thanks to Aaron Wagner for lending his expertise for this article.
ACT Supporting Partner, Rhodian Group, helps businesses build and manage their network environments with predictably priced managed IT services so they can focus on their core strengths and growth initiatives. They also help businesses identify and reduce cybersecurity and non-compliance risks. Learn more about Rhodian Group here. Contact Rhodian Group at [email protected].