Fear and comfort: Why businesses should care about data security
As technology advances and we make more and more personal information vulnerable to cyber breaches, it’s difficult not to feel fear or anxiety about cyber security. According to the FBI’s Internet Crime Complaint Center, the FBI receives an average of 284,000 complaints each year of cybercrimes ranging from identity theft to phishing scams.
When businesses are on the line, the stakes are high. But that doesn’t mean you can’t find peace of mind when conducting business with other organizations. To find some comfort, ensure your clients are asking the right questions before they trust their information to a third party, including software vendors, hosting service providers and even insurers. As an insurer, Delta Dental handles both personally identifiable information (PII) and personal health information (PHI), so we take cybersecurity extremely seriously.
To point your clients in the right direction, we asked our security experts on staff to list some categories and questions to begin. Here are some of their suggestions.
Questions about baseline security considerations
- What policies does your organization have in place to safeguard information?
- How often does your organization review and update its security posture?
- What measures has the organization taken to prevent security breaches and/or threats?
Delta Dental uses both our enterprise code of conduct and federal regulations to guide our information security practices, and we regularly update our policies.
Questions about physical security safeguards
- Does the organization employ multi-factor authentication? Which of the following factors does it combine for two-factor authentication? Here are the three ways to authenticate:
  - Something you know (a PIN, password or similar code)
  - Something you are (a biometric verification)
  - Something you have (a smart card, badge or chip)
At Delta Dental we use a variety of physical safeguards, including limiting physical and cyber access to PII and PHI. We are proud to employ a “principle of least privilege.” This means staff should only have the level of access that is absolutely necessary.
Questions about technical safeguards
- How does your organization secure data in transit?
- Does your organization use encryption for data at rest?
- Does your organization conduct regular vulnerability scans?
- How does your organization evaluate third parties who may have access to PII or PHI?
For instance, we use secure file transfer protocols (SFTP) for data in transit to and from Delta Dental. We use encryption for any sensitive information — in transit and at rest.
We also use a vendor evaluation matrix to determine what information our vendor partners have access to, and compare access to the level of risk they pose. We then categorize vendors as high-, medium- or low-impact vendors and assess them accordingly.
Questions about incident reporting protocol
- What is your process for reporting a cyber security incident?
- What is your timeline for reporting a cyber security incident?
These questions are crucial for building trust with an organization. At Delta Dental, we have four ways for employees to report any information breaches and three mandatory training programs to educate and encourage our employees on best practices in information security.