Are Thieves Invited to Steal Your Data?

With insurance regulators starting to ramp up their cybersecurity regulations in earnest, it’s a good time to revisit the weakest link in technology protection — and wonder why and how nobody’s done much to improve it.

I’m talking user names and passwords, of course.

The easiest way to get locked out of your own access is to require a username and password.
I’ve been locked out of my own bank, insurance and god-knows-what-else accounts because I couldn’t remember the user name and password.

You have too, I’m sure.

You see, the user name/password rigmarole serves the institution that holds your capital, but it doesn’t serve you.

Text-based user names and passwords are the cheapest way for IT to protect your data, and the easiest way for villains to steal your identity. When you do something on the cheap, the results are bound to be less than satisfying.

Ask Yahoo or any number of retailers who’ve been robbed blind by data thieves.

But there’s the worst part of it. When an institution asks you to improve your password, they ask you for a longer name, with numbers, with special characters, with letter case changes — in other words, just more of the same.

By the time you’re done, you can’t remember the password you’ve entered and you must start all over again.

The entire user name-password paradigm is really built on technology that is several thousand years old, only transformed into electronic form. (Think of the Roman senators whispering code to gain entry into the toga-clad bacchanal.)

You want a physical world analogy? Gold bullion stored in a vault with a wooden door opened by a key, that’s essentially what we’re talking about.

But back to our insurance regulators.

New cybersecurity regulations proposed by the National Association of Insurance Commissioners and state regulators drown the industry in monitoring and documentation specifics, but there’s not a word about lowly user names and passwords.

I know, I know, user names and passwords are an IT issue, not a regulatory issue. And, yes, the industry could deliver Fort Knox-like security with chip cards and fingerprint recognition, but that would raise costs, wouldn’t it?

Here’s my point: So much time, energy and money are spent on monitoring and documenting data theft, while at the same time practically inviting thieves to break the padlock.

By now you’d think an industry so dependent on data would have worked with vendors and regulators to come up with a better way to lock the door instead.

InsuranceNewsNet Senior Writer Cyril Tuohy has covered the financial services industry for more than 15 years. Cyril may be reached at [email protected].
© Entire contents copyright 2016 by InsuranceNewsNet.com Inc. All rights reserved. No part of this article may be reprinted without the expressed written consent from InsuranceNewsNet.com.