How Life & Health Insurance Agencies Can Create Stronger Passwords & More Secure Accounts
We hosted a webinar about security: The Nitty Gritty Security Questions You Must Ask + Security Best Practices. During this webinar, our in-house security experts shared their wisdom about security terms, the information you need to know, questions to ask software vendors, and, most importantly, best practices that you can implement today.
This blog will focus on our top nine tips for life and health insurance agencies to practice security vigilance and sustainability. These tips are designed to help you introduce more security best practices at work and within your regular day-to-day life.
9 Security Best Practices for Life & Health Insurance Agencies
Tip #1: Create Complex Passwords
We’ve all experienced it at one time or another. You start a new account and have to create a password—a complex one. But what does that actually mean?
According to Microsoft, “complex passwords consist of at least seven characters, including three of the following four character types: uppercase letters, lowercase letters, numeric digits, and non-alphanumeric characters such as &$* and !.”
Another term you may have heard is passphrase. A passphrase is a longer, more elaborate form of a password. Passphrases that are complex and include a variety of character types are generally more secure. For example, a password may be moneypenny, whereas a passphrase could be I Have M0ney and P3nnies!
Here are guidelines to follow per The National Institute of Standards and Technology’s (NIST) 2021 Password Recommendations:
- Password length is more important than password complexity
- Screen all new passwords against lists of commonly used and compromised passwords
- Implement two-factor/two-step authentication (more on this shortly!)
Tip #2: Do NOT Use the Same Password Twice
We’re all guilty of this, right? I know that my past complex passwords were impossible to remember. So, the ones that I could remember, I wanted to use time and time again. Research shows that 51% of people reuse passwords across business and personal accounts.
This is NOT a best practice.
Instead, each system you use should have a unique password/passphrase. If one of your passwords is compromised, and it just so happens to be your password for everything, then every login that uses that password could also be compromised.
What this means is if you use the same login credentials for Target, your bank, your health app, Facebook, and your grocery app, then all of those logins could be compromised. One compromised password extends out quickly when you reuse login information repeatedly.
Curious about your password's integrity? Visit www.haveibeenpwned.com to see if your favorite password has been compromised.
Tip #3: Change Your Passwords Often
Password best practices change, and it’s good to keep your passwords fresh, so you’re always one step ahead of hackers. The best way to do that is to change your passwords regularly.
It may seem like a chore, but you can set yourself a schedule, or your apps may require you to do it based on their own security principles. Tip #4 can also help with this!
Tip #4: Use a Password Manager
The final password-specific tip is all about a password manager. A password manager is “a software application designed to store and manage online credentials.”
According to Haxxess Enterprise Corporation, these are the seven advantages to using a password manager for companies:
- Removes one of the main risks of a data breach as they generate passwords for user logins that are designed to be strong and difficult to hack.
- Sets security standards for logins throughout your organization.
- Passwords are accessible on all devices as long as you have your credentials for the password manager.
- Increases productivity.
- Secures company credit cards.
- Provides usage reports and activity logs.
- Helps you avoid being locked out if someone leaves the agency.
A password manager provides an additional layer of protection for your personal and professional accounts. Do your due diligence and research the available options to find the right fit for your needs.
Tip #5: Use Multi-Factor Authentication Whenever Possible
According to OneLogin: “Multi-factor Authentication (MFA) is an authentication method that requires the user to provide two or more verification factors to gain access to a resource such as an application, online account, or a VPN.”
You may also be familiar with the terms two-step authentication or two-factor authentication.
All of these relate to the same idea of creating multiple steps that must be completed before you’re allowed to access something. Some common MFA processes include:
- A text message with a specific code
- An email with a specific code
- A phone call with a specific code
- Connecting your phone and selecting a specific answer (like yes or 22)
The MFA comes into play after you’ve entered your credentials. You already know your username and password, but the MFA provides extra security by forcing you to enter a code sent to you by another system or press something that correlates directly with the specific app. For example, when I log into my email, I enter my username and password. Then, it asks me to select a specific number, like 22, on my smartphone when prompted.
This can prevent hackers from compromising your account because they likely won’t have access to both your username and password PLUS the third-party systems (like your phone or email).
Tip #6: Lock Your Devices
Another tip that can feel annoying but will help you stay significantly more secure is locking your device. It sounds easy, but with how the world has changed over the last few years, it’s become increasingly more important.
Your computer holds a significant amount of sensitive data. Whether it's your data or your clients' and prospects' data, you want to ensure that data is as safe as possible. That means locking your device.
Even if you’re just stepping away for a quick call or a bathroom break, getting into the habit of always locking your device will help you continuously work towards best practices and give you more peace of mind.
Tip #7: Use an Antivirus Program
You may be most familiar with this tip as antivirus programs are fairly common.
An antivirus program helps you stay secure without you having to do much. Like implementing a password manager, do your due diligence and research the options available to you and your staff.
Tip #8: Train Your Team on Internal Security
Quite simply, you don’t know what you don’t know. And it’s not everyone’s job to be a security expert. Instead, equip your team with the knowledge they need to operate safely and securely during the day.
A great way to achieve this is to have internal training sessions on security.
This training levels the playing field for all involved and allows your team to learn what they should be doing and which processes they need to retire. Here at AgencyBloc, we hold regular internal security training sessions to help ensure our team is equipped and implementing best practices.
Tip #9: Partner with Software Vendors That Take Security Seriously
When looking for an agency management system (AMS) to manage your growing book of business, ensure the vendor is practicing security best practices, too. Be sure to ask critical questions like:
- How is my data protected?
- Do you protect data in transit and at rest?
- Who owns my data?
- Who has access to my data?
- How do you ensure my data is protected from newly found vulnerabilities?
Another area to cover is the SOC 2 Type II Report. “The goal of a SOC 2 Type II audit is to prove that the organization at hand, and its data, are secure. The report focuses on the five Trust Service criteria:
- Processing integrity
The SOC 2 Type II Report is a report that is completed by a third-party firm and reports on the state of the company’s security measures. It’s a lengthy and costly process that is highly respected in the security industry and is a differentiator for companies with the report. AgencyBloc completed its SOC 2 Type II Audit and received its report.
Want to learn more? Here are some additional security-related resources you can peruse:
by Allison Babberl on Tuesday, March 8, 2022
Data Management & Security