Avoiding A Victim Mentality: How to Protect Your Agency from Spam and Viruses

June 6, 2005

Small and mid-sized businesses (SMBs) are bigger targets for spam and viruses than they think, and the insurance industry is more at risk than most. For an act to be deemed malicious or damaging, there has to be a perpetrator and a victim. Where the Internet is concerned, however, most organizations don’t protect themselves against the former until they’ve become the latter.

Why? Well, mainly because security is not considered a strategic purchase that adds to productivity and impacts the bottom line positively, especially for smaller companies like insurance agencies that can’t afford to spend without returns and immediate benefits. Therefore it’s usually an insurance purchase or a reactive buy: to guard against clear and present threats, or in response to a disaster.

We’re all aware of the dangers posed by spam and viruses, and we’re conscious that there are shadowy forces out there in cyberspace looking to phish, spam, hack or attack us, or even steal our identities. We know this because it’s a regular feature in the news, or we’ve been exposed to the negative consequences such attacks can cause, ranging from inconvenience to total meltdown. However, smaller companies are fairly complacent about it, putting up token defenses and keeping their fingers crossed that they’ll continue unscathed.

So let me pose a simple question: who do you suppose are the most common victims of spam and viruses?

Big companies. Household names. Organizations with power and money. Those who could be a lucrative and high-profile target.

Wrong.

Big companies have big defenses, dedicated IT/security staff with policies and protection coming out of their ears. So while they may be targeted, they’re often not the real victims. As with all crime, the more vulnerable elements of society are generally left most exposed.

The problem is, insurance agencies and brokers aren’t big news if they’re hacked, cracked, infected or spammed to a standstill. AIG or Farmers would make the front pages, but a small firm wouldn’t even get onto page 27, under the horoscopes and next to the crossword.

There’s consequently a risk-taking mentality amongst SMBs. They’ll install some anti-virus software on the desktop, maybe put in a firewall, sit back and assume that that’s sufficient. After all, they’re not a multi-national organization with 50 offices, thousands of staff and billions in the bank. Who’d want to attack them?

With this comes the supposition that a small amount of spam and the odd viral infection is par for the course. Everybody experiences it. We just have to deal with the inconvenience occasionally.

So let’s debunk a few myths here, and get rid of this victim mentality.

Viruses and spam are generally disseminated in a scattergun manner, via the random generation of an e-mail address or by hijacking names from other people’s address books. As a result, you’re just as likely to be a victim as any large organization. Or more so if you don’t have the equivalent defenses in place.

Anti-virus software and firewalls alone aren’t enough to stop threats. Hackers and spammers are intelligent and realize that, to get onto a corporate network, they will have to get past a few rudimentary defenses. They have even generated intelligent viruses that circumvent increasingly sophisticated barriers. So doing the basics is like putting up a “beware of the dog” sign. It really won’t deter or deflect anyone with the determination, know-how or luck to get through.

It takes time for a “vaccine” or a patch to be developed after a virus or other threat is unleashed into the wild, and more time for it to be administered to those at risk. Equally, it’s nearly impossible for in-house resources to monitor the internet cloud and work out where spam is coming from (and hence which addresses to block). It’s no good nowadays just trying to filter out phrases like “get rich,” “discount” or “toner cartridge.” Perpetrators are too clever for this. They hijack machines, use them to send their messages, and disguise the real content behind innocuous phrases.

So in short, doing the bare minimum is playing into the perpetrator’s hands. That’s what they expect, and that’s what keeps them at large. Companies are so intent on keeping out the wolf at the door that they miss the one in sheep’s clothing sneaking in undetected.

Now, before I get accused of scaremongering, let me explain: it pays to take a pragmatic, almost pessimistic view where security is concerned. Why? Well, the figures speak for themselves:

• Smaller companies, i.e. those with fewer than 100 users, receive 10 times more spam per user than large businesses;

• Insurance agency employees receive at least 10 spams per user per day, which makes it the 10th highest recipient out of any industry.

So, rest assured, whether intended or not, you are a target. In fact we all are; it’s just that industries such as insurance are perceived to hold more valuable data than others, can be seen as bastions of capitalism and globalization, or are just a satisfying nut to crack. They are, therefore, even more at risk.

Any of these motives could ring true, but in truth it’s not the “whys” that matter. It’s the “whats.”

• What threats are you exposed to?

• What are the potential consequences of inaction?

• What do you have in place already?

• What can you do to ensure you’re protected?

Well, to start with you have to accept that there’s no such thing as 100 percent security, unless you disconnect yourself from the Internet, fence your network and stop staff from using computers. But with that scenario you may as well pack up and go home. What any organization has to do is not the bare minimum; it’s to quantify what constitutes “acceptable risk.” If any organization recognizes this concept, it’s insurance. The figures mentioned previously, however, show that many firms still aren’t practicing what they preach.

The solution should move you beyond the standard anti-virus/firewall combination into some degree of connection and content filtering: scanning all mail before it gets through the corporate boundaries and to recipients’ machines. This is proven to reduce instances of malicious content getting to the user without blocking out those communications and content which are essential for business.

Typically there are two options: buying a dedicated product, or employing a managed service.

Option one is buying software that allows you to control scanning and management in house. While it offers control, it requires real in-house expertise to make it work. It’s also a risky business, as you’re letting possible threats and spam onto the network and then making a decision on their status.

Option two is employing a third party to carry out the scanning and filtering outside the network. You get the benefit of their expertise combined with a service tailored to your requirements. What’s more, the service sits outside your network, meaning that undesirable mails are quarantined before they get anywhere near your business.

But while this may seem an ideal option, particularly for the smaller business, it pays to remember that not all managed services are created equally.

The problem for SMBs is that there are a multitude of solutions out there that can do a job, but that are created for the needs of large businesses. This applies to both of the options above. Specifically this means:

• They take a large amount of time and resource to configure and manage;

• They need to be managed closely to get any real benefit;

• They are difficult to customize for small business needs;

• They are priced for big business.

So effectively organizations are buying “make do” solutions that provide some benefit, but eat up time and money, and that’s assuming you can afford to employ somebody with the appropriate skills to look after the area for you.

When buying a managed service (where you’re paying a third party to look after the problem), this makes no commercial sense. It is therefore imperative that, when weighing the options, you look only at those that are designed specifically with your needs and size in mind. In effect, a dedicated SMB service offering that is easy to configure, manage, change and control.

If not, you may end up with a management headache that turns into a money pit, rather than the effective defense you were looking for.

In the insurance business particularly, where integrity, privacy and reputation are paramount, no agency can afford to be without effective virus and spam filtering. But unless companies make the decision to bolster their defenses, then they will inevitably become victims of malicious operators. And with the number of viruses and spam mails growing daily, it’s more a case of when than if.

Andrew Lochart is senior director of Marketing at Redwood City, Calif.-based Postini Inc., a provider of e-mail security and management solutions. He can be reached at lochart@postini.com.
