How a mobile VPN can help an insurance company against data breaches
Twenty years ago, employees would typically work in the office, only accessing computing resources there. In recent years, though, workforces have become more mobile and remote. Working from home is more popular, and the use of contractors also increases the need to access data and applications from outside the company firewall. This makes mobile security more important than ever. For insurance firms facing these challenges, a mobile VPN can help.
A mobile VPN creates an encrypted tunnel that protects data passing between remote users and the company they are connecting to. The encrypted connection stops malicious hackers from snooping on traffic between a remote device and a company’s central computers. These snooping attacks are easy to mount, especially in areas with public Wi-Fi.
Mobile VPN technology is especially important for insurance companies with remote users. Insurance firms may find employees sending and receiving particularly sensitive data from outside their offices. A loan adjuster using a mobile application may send sensitive information while on a site visit, including personally identifiable information and photographs of accident scenes collected on the device.
Insurance companies have a fiduciary duty to protect sensitive information under legislation. In the US, regulatory guidance from the National Association of Insurance Commissioners issued in 2015 reinforces insurance firms’ responsibilities in this area. State regulators are also taking their own actions, with New York proposing its own cybersecurity regulations for financial firms including insurance companies.
Choosing a VPN
There are two parts to a mobile VPN: the part at the office, and the part on the mobile device that lets the user communicate with it. The office part can either be hardware-based, running on its own dedicated appliance, or software-based, running on a server. The former can be more expensive to set up, involving a capital hardware cost. However, it can often scale to support more users than the latter, which typically runs on an existing server.
VPNs can use different protocols, each with its pros and cons:
- IPsec: Internet Protocol Security VPNs encrypt data packets traveling along an IP network. Insurance companies will use these when a remote device needs access to computing resources as though it were on a local network, for example to access files on a network drive. The downside of an IPsec VPN is that mobile devices will need a software agent to connect with it.
- SSL/TLS: These VPNs need no such mobile agent. All modern web browsers support SSL/TLS certificates, so these VPNs create a browser-based connection that can be useful where use is restricted to specific web-based applications. SSL VPNs are also often more flexible when it comes to access controls. If you want to dictate exactly what content remote users see on a per-person basis, SSL may be for you.
Insurance companies may overlook VPN access for several reasons. They may be unaware of staff working patterns and simply not see the need for such a service. Alternatively, they may not understand the security risks involved when staff access applications remotely from a mobile device. Regardless, secure remote access is a key part of avoiding data breaches in modern business communications.
Don’t be fooled into thinking a mobile VPN is enough to secure mobile environments, though. If an attacker gains password access to a mobile device, he or she can act as its owner, meaning everything in the encrypted communication session would be decrypted for the cybercriminal on the mobile device, just as it would be for a legitimate user.
Appropriate endpoint protection is just as important as a mobile VPN. Do one without the other, and you are only half-securing your mobile workers. In a world where attackers are pursuing corporate data more aggressively than ever, insurance firms can’t afford to make that mistake.