Category Archives: Risk Management

Data Privacy Day

What is Data Privacy Day and why it’s important to your organization?

Data Privacy Day is January 28th. It commemorates the 1981 signing of Convention 108, the first binding international treaty protecting individuals' personal data, and has been observed every year since; the National Cyber Security Alliance (NCSA) encourages individuals and businesses to take part.

The National Cyber Security Alliance encourages individuals to take action and “Own Your Privacy” by learning how to protect their important data online. Businesses are encouraged to respect an individual’s privacy, and organizations are held responsible for keeping an individual’s information safe and ensuring fair data processing.

Businesses encouraged to “Respect Privacy”

Individual Data Privacy

Individuals are starting to feel like they are no longer in control of their own personal data.  They can learn about what kind of data they create online. For instance, how the data is being collected, shared, used and stored on the web.

Your personal data is valuable. Do you know what information you’re sharing with businesses? Purchase history, IP address, your location: these are of tremendous value to businesses. Make smart choices when sharing data with businesses that ask for personal data.

Keep track of which apps are asking for access to your information. Apps ask for access to your location, contact lists, and photo album, or to connect to other apps. Be thoughtful about which apps ask for permission to personal data when the services they offer do not require it. Many apps will ask for permission to data they don’t need for you to use their services.

Manage Your Privacy Settings Across All Platforms. Check the privacy & security settings on the web and all apps. Afterward, set the privacy settings to your comfort level on how much you want to share & what.

Business Data Privacy

Businesses have to respect consumers’ privacy because it is a smart tactic for gaining trust and enhancing reputation/growth in the business. Here are some tips on respecting privacy as a business.

Protect the data you collect. An intentional or unintentional release of confidential information to an untrustworthy party leads to financial loss, a decrease in customer trust, and a loss of reputation. Make sure the private data you collect is processed fairly and is collected only for appropriate purposes.

Conduct a cyber risk assessment. Understand which privacy rules apply to your business and educate your employees to protect personal information. At Metropolitan Risk we offer a comprehensive cyber risk assessment to help your organization create a strong cybersecurity plan.

Maintain data transparency. Be open and honest about how you collect, share, and use consumers’ private information. For instance, let your audience know that you take the proper steps to achieve and maintain privacy.

Sustain oversight of what data your partners & vendors are using and how they manage it. If another partner provides services on behalf of your organization, you are also responsible for how these vendors/partners collect & use your customers’ personal data.

If you would like more information on how to keep your personal data safe and secure, contact one of our Risk Advisors today or call 914-357-8444.


OSHA 2020 Workplace Injury Reports Due By March 2, 2021

The Occupational Safety and Health Administration (OSHA) reminds employers that it began collecting 2020 workplace injury data on Jan. 2, 2021.

When are OSHA 300A Reports Due?

All OSHA 300A records must be submitted electronically by March 2, 2021.

Organizations with 250 or more employees are currently required to keep OSHA injury and illness records for up to 5 years. OSHA requires that all organizations submit their injury and illness data for 2019 electronically by March 2, 2021. You can submit records electronically through the Injury Tracking Application available here.

The form to use is OSHA Form 300A, Summary of Injuries. Current and former employees have the right to request further injury records via the OSHA 300 Report. It’s very important that you true up your OSHA 300 reports for the year, then complete the OSHA 300A report and post it on-site at each location. Failure to do so can trigger fines and/or an investigation by OSHA. OSHA can swing by and ask for evidence of your compliance at any time. Need help? Download our updated OSHA Reporting Guide for 2021 and share it with HR and/or Safety Compliance.

F.A.Q.s – CLICK HERE TO VIEW OSHA’s FULL LIST OF F.A.Qs

What is a recordable incident?

Check out this flowchart.

What is a reportable incident?

Check out this flowchart.

Do I need to fill out an OSHA 300A log for every location?

You must keep a separate OSHA 300 Log for each establishment that is expected to be in operation for one year or longer.

Do I need to keep OSHA injury and illness records for short-term establishments (i.e., establishments that will exist for less than a year)?

Yes, however, you do not have to keep a separate OSHA 300 Log for each such establishment. You may keep one OSHA 300 Log that covers all of your short-term establishments. You may also include the short-term establishments’ recordable injuries and illnesses on an OSHA 300 Log that covers short-term establishments for individual company divisions or geographic regions.

Some of my employees work at several different locations or do not work at any of my establishments at all. How do I record cases for these employees?

You must link each of your employees with one of your establishments, for recordkeeping purposes. You must record the injury and illness on the OSHA 300 Log of the injured or ill employee’s establishment, or on an OSHA 300 Log that covers that employee’s short-term establishment.

How do I record an injury or illness when an employee of one of my establishments is injured or becomes ill while visiting or working at another of my establishments, or while working away from any of my establishments?

If the injury or illness occurs at one of your establishments, you must record the injury or illness on the OSHA 300 Log of the establishment at which the injury or illness occurred. If the employee is injured or becomes ill and is not at one of your establishments, you must record the case on the OSHA 300 Log at the establishment at which the employee normally works.


Should We Require Our Employees To Be Vaccinated For Covid 19

Should my company mandate vaccinations? Like everything Covid related, the answer is complicated. According to employment law attorney Rich Landau of Jackson Lewis, their tentative position is that requiring employees to be vaccinated for COVID 19 is very difficult to mandate. This is primarily due to the EAU (Emergency Use Status) of the vaccine, legal risks including discrimination, and employee relations challenges as you try to navigate this HR terrain.


For those clients less risk-averse we have a sample draft policy courtesy of Jackson Lewis. For Metropolitan Risk clients you can obtain the sample Covid vaccine policy by contacting your Account Executive. They are instructed to give you our draft sample. If you are not a Metropolitan Risk client, feel free to reach out to one of our Risk Advisors for a brief discussion.

According to our THINK HR partner and our partners at Jackson Lewis, there is an expectation that the EEOC (Equal Employment Opportunity Commission) will issue additional guidance with respect to ADA and Title VII issues concerning employers mandating whether employees MUST be vaccinated.


Our partners in our discussions point to the influenza policies for guidance on how to proceed with the Covid vaccinations. Most employers ENCOURAGE rather than mandate which can be a safe haven should legal challenges arise. According to Rich Landau of Jackson Lewis, “even if the EEOC allows employers to mandate COVID vaccinations this will not elevate the risk of other non-discrimination, state laws, or workers compensation claims if employees suffer a serious reaction while the vaccine is in EAU status.”

There are numerous complications and challenges that may arise if you mandate the vaccine.

Potential Employer-Related Challenges With Requiring/Encouraging The Covid-19 Vaccine

  • Is getting the vaccine mandated or voluntary? If mandated, who is mandated?
    • Priority of recipients: which staff members or clients should be vaccinated first?
  • Incentives to receive it: does your organization currently offer incentives for the flu shot?
    • Covid-19 vaccine only, or influenza as well?
  • Who pays for the vaccine itself and for the time needed to get it?
  • Process for inoculation
  • Tracking status
  • Handling poor reactions: paid time off
    • How are you managing employees or clients that have adverse reactions to the vaccine?
  • Ensuring confidentiality
    • What if you run out of the vaccine?
  • Covid-19 protocols while in the midst of the process and after the process is completed
    • What protocols will stay and what protocols will change? How will you as the employer manage these new expectations?
  • Addressing exceptions: medical, religious, generalized fear
  • Handling non-compliance: remote work, leaves of absence, discipline

The last point to consider, beyond your employee stakeholders, may be your customer base. For example, companies providing services to senior care organizations such as Home Health Care Agencies, Nursing Homes, and Assisted Living Facilities may want to disclose to their customers that the organization suggests, rather than mandates, vaccination. This disclosure should be made either at the point of sale or contract, or in a communication piece sent out to your customer base. This may protect your organization from liability should your customers look for damages at some future point. This can be a very sensitive topic, as each business needs to arrive at its own decisions with respect to disclosures. There is no silver bullet here; your goal, as with all risk-related decisions, is to manage the exposures relative to potential downside losses in BOTH columns of the decision tree.

As you can see invoking a set vaccine policy to benefit all stakeholders is vexing, to say the least.

We will continue to provide updates on this new landscape as we receive them. We encourage you to speak with a Risk Advisor for further guidance on the matter BEFORE invoking a set policy. Please be mindful that this is a very dynamic and fluid landscape, changing almost weekly. Contact a Risk Advisor at 914-357-8444. Thank you.

New York State’s Updated Sick Leave Law

New York State’s Paid Sick Leave policies were introduced on April 3, 2020, and went into effect on Sept. 30, 2020.

On January 1, 2021, employees may start using their accrued leave. 

The number of sick leave hours required is based on the number of employees that work within your organization:

0-4 Employees:

If your net income is $1 Million or less, employers must provide up to 40 hours of unpaid sick leave. If net income is greater than $1 Million, employers must provide up to 40 hours of paid sick leave.

5-99 Employees: 

Employers must provide 40 hours of paid sick leave per calendar year.

100+ Employees:

Employers must provide up to 56 hours of paid sick leave in a calendar year. 

How sick leave is accrued 

Employees begin accruing leave on September 30, 2020. Leave must be accrued at the rate not less than one hour of leave accrued for every thirty hours worked. 

As an alternative to accruing sick leave by hours worked, employers may choose to provide the full amount of sick leave at the beginning of each calendar year (e.g., an employer with 50 employees may choose to provide 40 hours of sick leave starting Jan. 1 of the year, or at the beginning of a 12-month period determined by the employer). NOTE: Upfront sick leave cannot be subject to later revocation or reduction if the employee works fewer hours than the employer anticipated.

Who is eligible

All private-sector employees in New York State are covered, regardless of industry, occupation, part-time status, and overtime-exempt status. Federal, state, local, and other government employees are NOT covered, but employees of charter schools, private schools, and not-for-profit corporations are covered.

Permitted Usage of Sick Leave 

After Jan 1, 2021 employees may use accrued leave following a verbal or written request to their employers for the following reasons impacting the employee or a member of their family for whom they are providing care or assistance with care. 

Sick Leave: 

  • For a mental or physical illness, injury or health condition, regardless of whether it has been diagnosed or requires medical care at the time of the request for leave
  • For the diagnosis, care, or treatment of a mental or physical illness, injury or health condition, or the need for medical diagnosis or preventative care.


Safe Leave:

  • For an absence from work when the employee or employee’s family member has been the victim of domestic violence as defined by the State Human Rights Law, a family offense, sexual offense, stalking, or human trafficking due to any of the following as it relates to the domestic violence, family offense, sexual offense, stalking, or human trafficking: 
    • to obtain services from a domestic violence shelter, rape crisis center, or other services program; 
    • to participate in safety planning, temporarily or permanently relocate, or take other actions to increase the safety of the employee or employee’s family members; 
    • to meet with an attorney or other social services provider to obtain information and advice on, and prepare for or participate in any criminal or civil proceeding; 
    • to file a complaint or domestic incident report with law enforcement; 
    • to meet with a district attorney’s office; 
    • to enroll children in a new school; or 
    • to take any other actions necessary to ensure the health or safety of the employee or the employee’s family member or to protect those who associate or work with the employee. 

Leave Increments 

Employers are permitted to require that leave be used in increments (e.g., 15 minutes, 1 hour, etc.) but may not set the minimum increment at more than 4 hours.

Employers must notify employees in writing, or by posting a notice at the worksite before leave is accrued, of any restrictions in their leave policy affecting the employees’ use of leave, including any limitations on leave increments.

Rate Of Pay

Employees must be paid their normal rate of pay for any paid leave time under this law, or the applicable minimum wage rate, whichever is greater. No allowances or credits may be claimed for paid leave hours, and employers are prohibited from reducing an employee’s rate of pay for sick leave hours only. 

An employer cannot retaliate against an employee in any way for exercising their rights to use sick leave. Furthermore, employees must be restored to their position of employment as it had been prior to any sick leave taken. Employees who believe they have been retaliated against for exercising their sick leave rights should contact the department of labor’s anti-retaliation unit.

Record Keeping

Employers are required to keep payroll records for 6 years, which must include the amount of sick leave accrued and used by each employee on a weekly basis.

Employers are required to provide within three business days a summary of the amount of sick leave accrued and used by the employee in a current calendar year or any previous calendar year, at the request of the employee.


Employees who believe that they have been retaliated against for exercising their sick leave rights should contact the Department of Labor’s Anti-Retaliation Unit at 888-52-LABOR or LSAsk@labor.ny.gov


If you still have questions, contact a Risk Advisor at 914-357-8444. If they cannot help you they’ll direct you to an employment lawyer that can. 

How Workers’ Compensation Class Code #8873 “Telecommuter Reassigned Employees” Can Help You Save Money On Your Insurance Premium

The New York Workers’ Compensation Insurance Rating Board (NYCIRB) has released a new class code for ‘Telecommuter Reassigned Employees’.

If you are a business owner, you might be wondering how to adjust your workers’ compensation rates for employees you kept on the payroll but who did not actually perform their duties. It doesn’t make sense to pay workers’ comp premiums for an expensive labor class during a workers’ comp audit when those employees were essentially paid to sit at home.


Over the past eight months, we have experienced difficult and trying times due to the pandemic. One critical aspect of the first few months of the pandemic was the ability of employers to keep their employees on the payroll whether or not they were actually performing their duties. The PPP program went a long way in helping employers achieve that important concession. 


The question many employers have raised recently is how to properly account for the portion of payroll paid to workers when they did not actually perform their duties. In industries like construction or healthcare, that payroll basis can generate a lot of insurance premium, because the class codes for those labor components carry a high insurance rate.

Now there is a relief for workers compensation premiums for these “reclassified” employees.


The Temporarily Reassigned Employees provision, which establishes new classification code 8873, Telecommuter Reassigned Employees, requires that the code be applied to the payroll of employees who, during New York’s stay-at-home order related to the COVID-19 pandemic (and future stay-at-home orders), are reassigned to either (a) not perform any work duties (idle), or (b) perform clerical work duties at home that they otherwise would not perform. The rate per $100 of payroll for Classification 8873 will mirror the rate for Classification 8810 (clerical office employees).

Further, this provision is applicable at the start of New York’s stay-at-home order and for up to 30 days after its conclusion. Employees who are classified to code 8871, Telecommuter Clerical Employees, are to remain classified as 8871.

In other words, the new 8873 classification only applies to employees who are reassigned and meet one of the two conditions described above. These amendments are effective for all new and renewal policies effective May 1, 2020, as well as to all in-force policies as of March 16, 2020.

We have provided the NYSIF Q&A sheet of commonly asked questions about this new workers’ compensation class code.

We would be happy to review the parameters of the new class code and the impact it may have on your business. Please contact one of our Risk Advisors to discuss further.

Buying Cyber Insurance Does Not Protect Your Organization From Hackers

Understand that purchasing Cyber Insurance does not protect your organization from hacking. It simply finances some, not all, components of the loss. A recent report by cybersecurity company Barracuda found that Google-branded spear phishing attacks are up significantly since the start of 2020. These attacks accounted for only 4% of total cyber attacks in 2020 so far. Barracuda reported over 100,000 form-based attacks since Jan. 1, 2020; 65% of them were branded to look like a Google form. These Google-branded attacks are significantly more prevalent than attacks impersonating other brands. Microsoft was the 2nd most impersonated brand, at 13% of total spear-phishing attacks (2).

With 43% of all cyberattacks targeting small businesses (1), and the attacks increasing by 73% since the pandemic we encourage your company to build out “Operation Lockdown”. That’s what we called it at Metropolitan Risk after we read a Wall Street Journal article on how cybercriminals are increasingly attacking small businesses and holding their work files for ransom. Cybercriminals understand that many small and medium-sized businesses haven’t the focus, the budgets, and the staffing to defend against these cyber attacks. They are in effect low hanging fruit and easy prey. 

Further, many businesses are now even more vulnerable because of the recent shift of the workforce out of the physical office: home networks aren’t secure, and data doesn’t sit behind a firewall or get encrypted the way it does in the office. While newly remote employees were struggling to create routines and employers were focused on this new shift in workflows, cybercriminals knew the back door was unlocked.


Here are two really important concepts to understand assuming we have your rapt attention with respect to the soft underbelly of your org. Understand that locking down your company from a cyberattack doesn’t guarantee that you won’t be hacked and won’t suffer damage. What it does do is significantly lower the probability that such an attack will be successful or cause much damage. A friend of mine Nick Lagalante from Tenable Cyber Security explains it this way. “Your goal is not to outrun the bear, your goal should be to outrun the slowest runners”. In essence, by making it more difficult to penetrate your systems and employees, cybercriminals should in effect move on quickly and find a softer target. 

Here’s the second big picture item to understand; Cyber Insurance is NOT cyber risk management. Cyber insurance functions as a way to finance the loss you incurred from the hack. It’s a safety net when plan A (Operation Lockdown) fails. It should NEVER BE PLAN A. Here’s more good news. Once you have been hacked the chances of you being hacked again goes up exponentially. Insurance carriers know this which is why the Cyber Insurance policies increase significantly in cost once you have been hacked as the carriers’ exposure to loss increases if they decide to insure you! 


This is why we built a case study on how we at Metropolitan Risk took this challenge on for ourselves. It’s not the holy grail of cybersecurity prevention, and we don’t want to lead you to believe it is. What our case study does is make you a bit faster than most of your competitors, who will suffer a hack and the corresponding costs that go with it. At Metropolitan Risk our goal is to keep you cost-efficient and cost-consistent. Reading our case study gives you an idea of how to organize the challenge and address each item incrementally. The case study is only available to current Metropolitan Risk clients or potential prospects.


Last point, and this is a big one: you don’t have to figure all this out on your own. As a reminder, we built a Cyber Assessment designed for small to medium-sized businesses that assesses your current systems, protocols, and security measures. Upon completion, you get a report that gives you a green light for things you have done well, yellow for items that need to be tweaked, and red for let’s jump on this ASAP.


Then we suggest we get you a really solid cyber insurance policy as a Plan B, just in case. Our Cyber policies are 25% less expensive IF you execute our assessment and tackle the items in red.


How do you eat an Elephant? Piece by piece. CLICK HERE to sign up for our Cyber Assessment. 


Social Engineering: Meaning and Impact

Definition

Social engineering is the use of deception to extract sensitive, personal information that can then be used for further purposes, such as bank fraud, account takeovers, or identity theft. Hackers primarily use social engineering when attempting to steal information from online users who are unaware that an attack is under way. The main type is phishing: fraudulently fishing for people’s information online through malicious contact.

Importance of Social Engineering

So why is social engineering important? Because it can affect any of us at any time. Think about this: hackers currently have software applications designed to defeat firewalls and cybersecurity worth millions of dollars. But hackers also know technology is strict; a firewall will not give up information easily, whereas humans will. So in a world of technology and hacking, hackers use human emotion and volatility as their main weapon. Hackers can pursue the main target, or those who know them directly, to get any sliver of personal information that helps them in their quest. This is why every cyber user (which is most if not all of us) needs to be aware of social engineering and its extreme dangers.


Impact of Social Engineering

Every day, cyber-attacks hit users who never had proper protection against them, and they lose precious financial or personal information to hackers. Social engineering will keep happening and keep affecting us as long as certain things stay constant: users keep entering too much personal information into websites that can be hacked at any time; people remain unaware that they are releasing personal information about themselves or others to a hacker; and their cyber liability coverage does not protect them or their company against social engineering.

An Example

The scariest part of social engineering is sometimes the hackers never need to come in contact with the targeted account’s user. Once you give your personal information to a website like Facebook or Twitter, the social media company and all its employees with high-level access can access your data and sell it for profit.

In late July 2020, there was an aggressive Twitter hack. According to a WSJ article, a user named “Kirk” on a hacking forum claimed he was a Twitter employee who had gained access to many Twitter accounts and was selling them for $500-$10,000 an account, including those of Joe Biden, Elon Musk, and others.

The problem with these social media companies is that, given their employees’ level of cyber knowledge, they give everyday employees on ordinary salaries far too much access to the internal networks of the site. Those employees can use that access for large-scale hacks like the one seen a week ago, or they can hand bits of information from different users’ accounts to hackers without the user ever knowing.

Social engineering is a component of cyber liability coverage that is often overlooked by businesses in any industry. However, it should be a crucial component of any written policy regarding cyber liability protection, individually or company-wide. For more information, click here.

Why Passphrases are the Future of Logins

Every so often, whether it be for a company software program like MOZ, a school database like Blackboard, or even a personal social media account on Twitter, you get one of two ominous messages.

The Unwanted Messages

You get the “time to reset your password” message right after you finally got used to your new password. Now you have to create a new password that’s memorable but also hard to crack. Yes, it is an admirable measure of security and caution on the website’s part. It is a pain at best for the user.

Then there’s the other message: “oops, you forgot your password too many times. Let’s reset it!” This one is arguably worse for two reasons. One, you have to create a whole new password, just like at the mandatory reset times. Two, you have to make it easier to remember than your last one, since you just forgot it. That is what makes these passwords so easy to hack.

Where we are with Passwords

While there are some awesome dual-factor authentication apps and tricks, as well as new biometric security measures, hacking password details could not be easier right now. Soon, we’ll be strictly using biometric passwords like eye scanning and fingerprint touch, or dual-factor using an app like Duo Mobile. But for now, passwords are becoming ever easier for cyber criminals to hack. They have more advanced technology that can run dictionary hacks and algorithm checks at 1,000,000,000 searches a second. And the only thing standing between your account with credit card info and their supercomputer is the password “qwerty12345.” All jokes aside, that password is extremely common, and there are simpler derivatives of that password that make the 25 most common passwords of 2020.

Passphrases

While waiting for that futuristic physical password technology, allow me to introduce you to a better password type: passphrases. Passphrases are exactly what they sound like. Not a word with numbers and symbols, but a whole phrase that may also include numbers and symbols. While some say they are only a small step up from passwords, let me tell you why they are much more protected.

Benefits of Passphrases

First, the guideline check is simple. They pass the password guidelines on the vast majority of sites just as well. They are also supported by many sites, meaning you will be able to use them wherever you can use a normal password.

They’re more secure. It’s that simple. The more characters, and the more variety in those characters, the better. For instance, if your password is football10!, that is a password a hacker can crack manually; it’s so straightforward. Now imagine it being “Mile High Miracle 512!” That’s 21 characters compared to 11, which makes the computers check for 10 factorial more possibilities. Simply put, “football10!” is a mid-sized fish in a river; “Mile High Miracle 512!” is a krill in the Pacific.

Example of good Passphrases

Also, football is too simple, and there’s no change after football. Being as specific as possible is best. Take Mile High Miracle 512! Mile High Miracle is a nickname for a specific famous game that my favorite team, the Baltimore Ravens won (it’s a reference to them beating the Denver Broncos in Denver). Next, the 512 part. The game is mostly famous because of one play. The Baltimore quarterback, number 5, threw a last-gasp touchdown to Baltimore wide receiver number 12, to tie the game. 512 is incredibly more random than 10, yet feels more memorable. See how easy that was?
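To put the comparison above in numbers, here is an added example (not from the original post) that estimates how many guesses a dictionary-plus-rules attack needs for “football10!” versus “Mile High Miracle 512!”, beside the naive brute-force count, at the 1,000,000,000 guesses per second rate quoted earlier. The wordlist size (100,000 entries) and the rules modelled (whole dictionary words, a capitalised first letter, runs of digits and symbols) are assumptions for illustration.

```python
"""Estimate password strength two ways: the naive brute-force search space
and a pattern-based (dictionary + rules) guess count, which is closer to how
cracking actually proceeds.  Constants are assumptions for illustration, not
measurements; the guess rate is the figure quoted in the post."""
import re
import string

GUESSES_PER_SECOND = 1_000_000_000      # rate quoted in the post
DICT_SIZE = 100_000                     # assumed size of the attacker's wordlist
SYMBOLS = len(string.punctuation) + 1   # printable punctuation plus space = 33
SECONDS_PER_YEAR = 365 * 24 * 3600

# Split a password into runs of letters, digits, and everything else.
_TOKEN = re.compile(r"[A-Za-z]+|[0-9]+|[^A-Za-z0-9]+")


def _case_variants(word):
    """Capitalisation patterns a cracking rule has to try for one word."""
    if word.islower():
        return 1                        # wordlist entry as-is
    if word[0].isupper() and word[1:].islower():
        return 2                        # the standard 'capitalise first letter' rule
    return 2 ** len(word)               # arbitrary mixed case: each letter is a coin flip


def token_cost(token):
    """Guesses needed to recover one run of letters, digits or symbols."""
    if token.isalpha():
        wordlist = DICT_SIZE * _case_variants(token)
        alphabet = 26 if token.islower() else 52
        # A cracker tries whichever is cheaper: the wordlist or raw letters.
        return min(wordlist, alphabet ** len(token))
    if token.isdigit():
        return 10 ** len(token)
    return SYMBOLS ** len(token)


def pattern_guesses(password):
    """Guesses for the whole password under the dictionary+rules model."""
    total = 1
    for token in _TOKEN.findall(password):
        total *= token_cost(token)
    return total


def brute_force_guesses(password):
    """Naive upper bound: every position drawn from the union of classes used."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += SYMBOLS
    return size ** len(password)


def years_to_exhaust(guesses, rate=GUESSES_PER_SECOND):
    """Worst-case time to try every guess at the given rate, in years."""
    return guesses / rate / SECONDS_PER_YEAR


def report(password):
    """Summarise both estimates for one password."""
    pattern = pattern_guesses(password)
    brute = brute_force_guesses(password)
    return {
        "length": len(password),
        "pattern_guesses": pattern,
        "pattern_years": years_to_exhaust(pattern),
        "brute_force_guesses": brute,
        "brute_force_years": years_to_exhaust(brute),
    }


if __name__ == "__main__":
    # The two passwords compared in the post.
    for pw in ("football10!", "Mile High Miracle 512!"):
        r = report(pw)
        print(f"{pw!r}: {r['length']} chars")
        print(f"  dictionary+rules: {r['pattern_guesses']:.3g} guesses,"
              f" {r['pattern_years']:.3g} years at 1e9/s")
        print(f"  brute force:      {r['brute_force_guesses']:.3g} guesses,"
              f" {r['brute_force_years']:.3g} years at 1e9/s")
```

The model has no letter-substitution rule, so leet-style strings such as the post’s later “St41rway 2 Heav3n” are treated as random fragments and over-estimated; real cracking rulesets do include such substitutions, which is why length and genuine variety matter more than swapping an e for a 3.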

Concluding Thoughts

My point is that passphrases are easier to remember than those one-word-and-two-number passwords, especially if they’re close to your heart and mean something. That could be a song lyric, title or album, a movie phrase, or a famous sports moment. So if you are a big music fan, next time you are resetting your Chase account, take a minute before you rush to put in “RockFan12345.” Think about passphrases, and try something more along the lines of “St41rway 2 Heav3n” instead. Trust me, the time it’ll take to remember which e becomes a 3 is the difference between a bank account compromise and having your financial records safe.

Still confused? Want to learn more about passphrase protection? Or just about cyber security in general? Contact a risk advisor today at 914-357-8444 or visit our website here.

Cybercriminals Are Targeting HR Depts. With This Resume Scheme

Trojan malware attacks are resurfacing since businesses are starting to return to work embracing a new normal in a post-COVID-19 world. Organizations have started to resume their hiring practices by posting job opportunities on their website, across job boards, and on LinkedIn to reach as many potential candidates as possible.

Some of these businesses are streamlining their hiring process by requesting that resumes be emailed directly to their HR department. Streamlining this process creates new cybersecurity exposures, because a cybercriminal can socially engineer the situation.



Cybercriminals are sending emails with attachments posing as resumes to HR departments. The premise of these attacks is a modern-day Trojan Horse: a threat posing as a harmless gift. Trojan malware is not a new cyberattack, but it is one of the least suspected.

If your HR Department fields dozens of resumes a day, there is a significant chance that one of the resumes they open could contain malware. If the file does contain malware, your organization could be allowing keylogging software or ransomware onto your server to attack unencrypted files. 

Without the HR department’s knowledge, a cybercriminal can attach a malicious file to an email that mirrors any other job seekers’ resume. The cyberattack can download ransomware or keylogging software onto the HR department’s computer or infect the entire network. 


Ways to Avoid Potential Trojan Malware in Your Inbox


  1. Avoid Resumes sent as Word documents. Have job candidates submit their resumes as plain text within an email or as a PDF. Word Documents are the 2nd most likely file type to contain malware. ZIP and program files are the most likely. 
  2. Do not click social media links embedded into the email. If an applicant shares a link to their social media accounts, don’t click the link. Type out the full URL to ensure the social media account exists. Or search the social media website for the user name your applicant has given you.
  3. Use a recruiter. Working with a trusted recruiter is one way to reduce the number of random emails with attachments that end up in your HR department’s inbox. A trusted recruiter will share only the resumes that are the best fit for your organization.
  4. Have resumes submitted as plain text files instead of as an attachment. If you’re using a web form, have applicants upload their resume as plain text right into a response box instead of having applicants attach a document to an email or upload a document.
  5. Have applicants fax or mail their resumes. Paper wins against malware every time. Submitting a resume by fax or regular mail ensures there is no way the submitted resume can contain malware.

These are a few ways to reduce the risk of Trojan malware attacking your organization. For more information on how to protect your organization from cyber risks, contact a Risk Advisor at 914-357-8444.

Source Article: Hackers  Targeting Employers- Forbes