As technology advances and we make more and more personal information vulnerable to cyber breaches, it’s difficult not to feel fear or anxiety about cyber security. According to the FBI’s Internet Crime Complaint Center, the FBI receives an average of 284,000 complaints each year of cybercrimes ranging from identity theft to phishing scams.
When businesses are on the line, the stakes are high. But that doesn’t mean you can’t find peace of mind when conducting business with other organizations. To find some comfort, ensure you are asking the right questions before you trust your information with a third party, including software vendors, hosting service providers and even insurers. As an insurer, Delta Dental handles both personally identifiable information (PII) and personal health information (PHI), so we take cybersecurity extremely seriously.
To point you in the right direction, we asked our security experts on staff to list some categories and questions to begin. Here are some of their suggestions.
Questions about baseline security considerations
- What policies does your organization have in place to safeguard information?
- How often do organizations review and update their security posture?
- What measures has the organization taken to prevent security breaches and/or threats?
Delta Dental uses both our enterprise code of conduct and federal regulations to guide our information security practices, and we regularly update our policies.
Questions about physical security safeguards
- Does the organization employ multi-factor authentication? Are any of these combined for two-factor authentication? Here are three ways to authenticate:
- Something you know (pin, password or similar codes)
- Something you are (a biometric verification)
- Something you have (a smart card, badge or chip)
At Delta Dental we use a variety of physical safeguards, including limiting physical and cyber access to PII and PHI. We are proud to employ a “principal of least privilege.” This means staff should only have a level of access that is absolutely necessary.
Questions about technical safeguards
- How does your organization secure data in transit?
- Does your organization use encryption for data at rest?
- Does your organization conduct regular vulnerability scans?
- How does your organization evaluate third parties who may have access to PII or PHI?
For instance, we use secure file transfer processes (SFTPs) for data in transit to and from Delta Dental. We use encryption for any sensitive information — in transit and at rest.
We also use a vendor evaluation matrix to determine what information our vendor partners have access to, and compare access to the level of risk they pose. We then categorize vendors as high-, medium- or low-impact vendors and assess them accordingly.
Questions about incident reporting protocol
- What is your process for reporting a cyber security incident?
- What is your timeline for reporting a cyber security incident?
These questions are crucial for building trust with an organization. At Delta Dental, we have four ways for employees to report any information breaches and three mandatory training programs to educate and encourage our employees on best practices in information security.
Want more tips like these? Subscribe to Word of Mouth, our newsletter for benefits administrators, human resources professionals and businesses.
Are you a broker, agent or consultant? Subscribe to Insider Update, our newsletter for benefits producers.