
3 Security Controls to Best Protect Your Data

Does your agency belong to the 26% of 2014 Future One Agency Universe Study respondents whose top technological challenges include password management and data confidentiality?

Four in 10 customers will consider leaving a company if their information is lost or stolen, according to a recent Applied Systems webinar.

Considering 26% of 2014 Future One Agency Universe Study participants report agency ID and password management as well as confidentiality in transmitted data as top technological challenges, your agency may need to invest more time in understanding appropriate data protection measures.

The webinar, Data Security and the Cloud, discussed the various methods agencies should implement and practice when it comes to data security. Between sensitive company and non-public client information, an agency is responsible for protecting its data—and could seriously suffer in the event of an attack.

“Focus on the CIA triad—the confidentiality, integrity and availability of the information you’re trying to protect for your business, customers and employees,” said David Gerlach, director of the office of information security at Applied Systems. “Security control is no more than a safeguard to minimize risk to your environment. That can be a physical environment, the data or information itself or a computing resource like a tablet or laptop.”

What controls do you currently have in place when it comes to protecting your agency and client data? Here are a few to consider implementing:

Administrative Security

The foundation of any secure agency starts with basic policies and standards that focus on how the agency or brokerage manages security.

“You really need to create an acceptable use policy for your employees,” Gerlach said. “They need to understand what they can and can’t do with the information your business has, owns and maintains, as well as the computing resources that they use.”

Start with the procedures you already have in place and go from there. They don’t have to be complex—the consistency and comfort administrative controls provide will change how your agency addresses data security. Consider writing and implementing these four procedures to begin:

  1. Risk management: Run a risk analysis and identify security risks within your agency to determine the probability and magnitude of occurrence and how you’re going to offset that risk.
  2. Workforce clearance: For new hires, decide who gets access to what. And ensure you’re disabling accounts when an employee leaves the agency.
  3. Security incident: Know how you’re going to handle a breach or hack so you can quickly respond. Gerlach encouraged agencies to start by developing a plan for the loss or theft of a computing asset.
  4. Business continuity plan: Understand how vendors are handling business continuity and recovery after losing office space to an unanticipated fire, tornado or environmental hazard. Where are your employees going to work? What minimum applications do they need to continue business?

“Don’t think you need to implement all of them, but if you start to look at these administrative controls and the best practices around them, you will begin to mature your security program,” Gerlach said.

And don’t stop after development. John Gage, systems administrator at Knight Insurance Group, said his agency has a security awareness and training program to remind employees of standards and policies. “It’s important for them to know what type of security controls we have in place, such as antivirus and things of that nature, to help better protect the information,” he said.

Physical Security

Consider all physical access to information. There may be more touch points and potential for unauthorized access than you think.

Start with your agency’s physical office space. Keep tabs on your facility’s access points with locks, signs, surveillance cameras and even ID badges, depending on your agency’s size. On an individual level, consider workstation security such as computers, laptops and smartphones.

“You need to know every type of computer resource that is connecting to your company’s information,” Gerlach said. “Look at those physical controls and reassess. You’re going to write out standards and processes, but those will change over time just based on risk. Implement common sense physical security controls such as password management.”

One commonly overlooked security checkpoint? Employee departures. You must ensure that the departing employee cannot use or access assets and facilities. “Any information that hits the public refuse is there for the viewing, whether it’s a physical form or physical hard drive,” Gerlach said. “If you’re going to re-issue that asset to somebody else that might join your company, ensure that it’s properly sanitized. Remove all information previously stored on the media prior to re-deployment.”

One easy procedure to implement immediately: a clean desk policy. “At the end of the day, we should ensure that all sensitive information is put away and locked up,” Gerlach said. “Sensitive information needs to be put away and it’s something agencies can easily account for and adjust to.”

Technical Security

Things can get complicated in this third layer, but it’s essential to implement some sort of access control so you can answer: “Who has access to what and what are they doing?”

User ID and password combinations can prove individuals and identities, but Gerlach said “they’re just not secure enough anymore—they’re easily brute forced and compromised.” Consider alternatives that involve two layers, like an ATM card: something you have—the card—and something you know—the code.

A key tool for technical protection is encryption—a solution for a number of things, including data integrity to ensure data hasn’t been modified in an unauthorized manner and transmission security for online data transfers. But it’s a control that is “difficult to implement, manage and maintain,” Gerlach said. “If you don’t do one thing right in encrypting, decrypting and management, you’re really going to struggle with encryption and how effective it is.”

“If you are sending things out over the Internet, there is a very good possibility that information will not only be intercepted, but will be read by unauthorized users,” Gage agreed. “That’s why we apply encryption. Decide where it’s appropriate or deemed required by law and then enforce it.”
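Gerlach’s warning that encryption fails if “one thing” is done wrong most often comes down to a missing integrity check: encryption alone hides data but does not detect modification, so a separate authentication tag is what delivers the integrity he and Gage describe. The following Python is an added illustration, not code from the webinar or from Applied Systems; it uses a deliberately toy SHA-256 keystream in place of a real cipher (constructed for the example) and shows a single changed ciphertext byte silently altering a decrypted message when no MAC is used, and being rejected under encrypt-then-MAC.

```python
import hashlib
import hmac
import secrets


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy keystream (SHA-256 over key||nonce||counter) standing in for a real stream cipher.
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Unauthenticated encryption; the same call decrypts. Nothing here notices a changed byte.
    return bytes(d ^ k for d, k in zip(data, keystream(key, nonce, len(data))))


def encrypt_then_mac(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    # Encrypt, then tag nonce||ciphertext with HMAC-SHA256 under a separate key.
    nonce = secrets.token_bytes(16)
    ct = xor_crypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_and_verify(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    # Check the tag in constant time before decrypting anything.
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: message was modified")
    return xor_crypt(enc_key, nonce, ct)


def flip_byte(data: bytes, index: int, mask: int) -> bytes:
    # Simulate an in-transit modification of one ciphertext byte.
    b = bytearray(data)
    b[index] ^= mask
    return bytes(b)


def demo():
    enc_key, mac_key = secrets.token_bytes(32), secrets.token_bytes(32)
    msg = b"PAY 0100 USD"  # constructed sample message
    mask = ord("0") ^ ord("9")  # turns the '0' at offset 4 into '9'
    nonce = secrets.token_bytes(16)
    # Without a MAC the altered ciphertext decrypts to b"PAY 9100 USD" with no error.
    altered = xor_crypt(enc_key, nonce, flip_byte(xor_crypt(enc_key, nonce, msg), 4, mask))
    blob = encrypt_then_mac(enc_key, mac_key, msg)
    try:
        decrypt_and_verify(enc_key, mac_key, flip_byte(blob, 16 + 4, mask))
        detected = False
    except ValueError:
        detected = True
    return altered, detected
```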

For example, Gage cited attacks at the application layer. “Viruses have a tendency to infect machines that aren’t appropriately patched and they exploit that software to give the attacker a toehold in your environment,” he explained. “Once they have a toehold onto a computer resource, they will move lateral and parallel and ultimately compromise every device you have on your network.”

To combat this risk, Gage encouraged agents to consider vulnerability management on both software and hardware. But a quick and easy solution is to simply run antivirus software—and keep it up to date.

“Your software running on the hardware is now looking for new variants of viruses or malware that may exist on your environment,” Gage said. “You want to ensure you’re always looking out for the latest variant of it.”

Cutting corners just won’t work when it comes to your agency’s antivirus or anti-malware tools. “Have a plan, write it down and document what you’re doing and where your thoughts are,” Gage said. “If you get too deep into the weeds, your network protection isn’t something you should figure out on a Sunday night.”

Morgan Smith is IA assistant editor.

Friday, September 23, 2022