Category Archives: Risk Management

5 Ergonomics Tips For Desk & Office Workers

Ergonomics, the study of how people work most efficiently and safely in the workplace, is a fast-growing field of research. Part of ergonomics is fitting the workplace to each person's physical needs in order to lower the number of musculoskeletal disorders (MSDs). MSDs currently account for 33% of workplace injury claims, and $1 billion is spent every week on treating this pain. Here are 5 ways you can protect yourself against MSDs and put ergonomics into practice.

Learn How To Correctly Sit in an Office Chair

Sitting in an office chair all day is tiring, and after a while the body tends to slide into unhealthy positions. Keep good posture by sitting all the way back in the chair; this supports your back, neck, and hips.

Avoid the Bad Habit of Stretching for Things

If your workspace is spread out and you repeatedly reach for frequently used items, you risk straining muscles in your arms and shoulders. Reorganizing your desk so that your most-used items are within easy reach can save you pain later.

Keep your Head Level

Staring at a screen all day is hard enough on the body; doing it at the wrong angle is worse. Make sure you look at your monitor straight on, with your head level, to spare your neck unnecessary strain injuries.

Move Around!

This one is simple to stick to: get up and move around once an hour. Stretching your legs and keeping yourself moving is a great way to avoid serious back problems.

Watch your Elbows

Where you rest your elbows matters for avoiding MSDs. Simply having armrests to support your elbows, so that discomfort doesn't build up, is a quick fix with long-term benefits.

Keeping up with ergonomics will keep you physically healthy and safe. Hopefully, these 5 tips will be useful for you and others in your office.


Buying Cyber Insurance Does Not Protect Your Organization From Cybercriminals


Understand that purchasing cyber insurance does not protect your organization from hacking. It simply finances part of the loss after the fact. A recent report from the cybersecurity company Barracuda found that Google-branded spear-phishing attacks are up significantly since the start of 2020. These form-based attacks accounted for only 4% of the attacks Barracuda analyzed in 2020 so far, but the company counted more than 100,000 of them since Jan. 1, 2020, and 65% were branded to look like a Google form. Google-branded attacks are far more prevalent than attacks impersonating competing brands; Microsoft was the second most impersonated brand, at 13% of the total spear-phishing attacks (1).


With 43% of all cyberattacks targeting small businesses (2), and attacks up 73% since the pandemic began, we encourage your company to build out a cybersecurity plan. At Metropolitan Risk we called our initiative "Operation Lockdown" after reading a Wall Street Journal article on how cybercriminals are increasingly attacking small businesses and holding their work files for ransom. Cybercriminals understand that many small and medium-sized businesses lack the focus, budget, and staffing to defend against these attacks. They are, in effect, low-hanging fruit and easy prey.

How is your Company Vulnerable?

Many businesses are now even more vulnerable because of the recent shift of the workforce out of the physical office. Home networks are rarely secured the way an office network is: data no longer sits behind the corporate firewall, is not monitored, and often is not encrypted as it would be in the office. While newly remote employees were struggling to set up routines and employers were focused on the new workflows, cybercriminals knew the back door was unlocked.


Here are two important concepts to understand, now that we have your attention with respect to the soft underbelly of your organization. First, locking down your company against cyberattack doesn't guarantee that you won't be hacked or won't suffer damage. What it does do is significantly lower the probability that an attack will succeed or cause much damage. A friend of mine, Nick Lagalante from Tenable Cyber Security, explains it this way: "Your goal is not to outrun the bear, your goal should be to outrun the slowest runners." In essence, by making your systems and employees harder to penetrate, you encourage cybercriminals to move on quickly to an easier target.


Here's the second big-picture item: cyber insurance is NOT cyber risk management. Cyber insurance is a way to finance the loss you incur from a hack. It's a safety net for when plan A (Operation Lockdown) fails, and it should NEVER be plan A. One more sobering point: if you've been hacked once, the chances of being hacked again are significantly higher. Insurance carriers know this, which is why cyber insurance policies cost significantly more once you have been hacked; the carrier's exposure to loss increases if it decides to insure you at all.

Learn More: Conducting An Organization-Wide Phishing Test

That is why we built this case study on how we at Metropolitan Risk took this challenge on ourselves. It's not the holy grail of cybersecurity prevention, and we don't want to lead you to believe it is. What our case study does is make you a bit faster than most of your competitors, who will suffer a hack and the costs that go with it. At Metropolitan Risk our goal is to keep you cost-efficient and cost-consistent. The case study gives you an idea of how to organize the challenge and address each item incrementally.


The last point is a big one: you don't have to figure all this out on your own. As a reminder, we built a full Cyber Assessment for small to medium-sized businesses that reviews your current systems, protocols, and security measures. Upon completion, you get a report that rates each item green for things you have done well, yellow for items that need to be tweaked, and red for let's jump on this ASAP.


Then we suggest getting you a really solid cyber insurance policy as plan B, just in case. Our cyber policies are 25% less expensive IF you complete our assessment and tackle the items in red.


How do you eat an elephant? Piece by piece. Take the Cyber Assessment to get started.


Returning To The Office During COVID-19

Returning to the office has proven to be challenging for employers. Organizations of all sizes are struggling to determine which employee health screenings they can execute without infringing on their employees’ rights. From scheduled questionnaires to employee temperature checks, employers are working hard to adapt to this new normal.

Employee health screenings need to be voluntary. Hourly employees should be considered on the clock if they are waiting in line for testing and while the test is being administered. If an employee is sent home because they are ill they should be paid for the time out of work, if possible. If the employee refuses to take the test or respond to the survey, it is within your rights as an employer to send them home without pay. 


Temperature Checks

Before COVID-19, temperature checks were considered part of a medical exam. Employers need to follow the rules below to ensure that employee health screenings are minimally invasive and confidential.

Health screenings are voluntary but a necessary way for employers to best protect the entire workforce. Reassure your employees that these screenings are completely private and confidential.  If your business does not have an on-site nurse, determine which employee will be responsible for taking the other employees’ temperatures. 


Additional Safety Measures 

Cloth-Face Masks 

Cloth face masks are not appropriate substitutes for workers who must wear N95 respirators or medical/surgical masks. A cloth face mask should cover the nose and mouth to contain the wearer's potentially infectious respiratory droplets. Cloth face masks will not protect the wearer from airborne infectious agents because they lack a seal and have inadequate filtration. See the CDC recommendations for masks and cloth face coverings.

Provide employees with guidelines on when they can and cannot take off their masks. For example, some office employees may not be required to wear a mask at their desks but must wear one in common areas, while food service employees may be required to wear masks for their entire shifts. Communicate these guidelines and requirements clearly, address any concerns employees have about the new policy, and post the rules throughout the business where employees can see them.


Keeping a minimum 6-ft distance between workers

Employees should keep a minimum of 6 feet (about two arm lengths) away from each other. Workspaces should allow employees to sit a comfortable distance from one another. If needed, consider rearranging the workspace and adding protective barriers. Businesses considering reopening should consult the "Reopening the workplace during a pandemic" decision chart released by the CDC.


Keep Common Areas and Surfaces Clean 

As you return to your office space, pay attention to how often you clean; you may well be asking whether you are cleaning enough. Wiping down shared areas multiple times a day with the proper cleaning products is one way to help prevent the spread of the coronavirus.

  • Clean AND disinfect frequently touched surfaces daily. This includes common areas, tables, doorknobs, light switches, countertops, handles, desks, phones, keyboards, toilets, faucets, and sinks.
  • If surfaces appear dirty, wash them with soap and water before applying chemical disinfectants. The EPA publishes a list of registered disinfectants expected to be effective against the virus that causes COVID-19.


Still want more information on how to carefully reopen your business in a post-COVID-19 world? Contact a Risk Advisor at 914-357-8444.

Hired & Non-Owned Liability Coverage

As businesses of all sizes and industries reevaluate how they will do business going forward, many small businesses have shifted from physical retail locations to online sales and home delivery to keep up with customer demand and social distancing guidelines. With this shift come new risks. A smaller business may not be able to afford a fleet of company vehicles and may instead rely on employees to deliver goods in vehicles the company does not provide. A hired and non-owned auto policy is one way these organizations can protect themselves against that auto exposure.

For example, hospitals and pharmacies may now rely on nurses to provide routine care in patients' homes instead of as outpatient treatment, and may offer home delivery of pharmacy items and prescriptions. To save money, these businesses may rely on staff members driving their own vehicles around the state.

Restaurants & Insurance

The restaurant industry is another one affected by these changes. Restaurants that were previously dine-in only now offer take-out and may forgo UberEats and Grubhub in favor of using their own staff as delivery drivers, to keep more of the profit in house.

If you have a sales team that is always on the road you have exposure. Do you have attorneys that go to court or accountants that go and see clients? How about estimators that go to look at new work, or safety personnel, inspectors that go from job to job? 

We encourage you to think about how you execute your day-to-day business to assess whether you have exposure. Of note, the commute to and from work is NOT an exposure. But if an employee stops off to execute a task for the business on the way to work, that drive becomes an exposure because it is no longer a commute.

These are a few examples where hired and non-owned auto liability insurance might be of use to fund a potential liability exposure.


Learn More: Auto Exposure in Home Healthcare Organizations

What is Hired & Non-Owned Automobile Liability?

If you do not own a car but frequently borrow other people's cars, rent cars, or use a car-sharing service, non-owner auto insurance covers you if you cause an accident. Losses from non-owned auto liability can be severe.

This type of insurance covers you for damage you cause to someone else’s car in an accident. It also covers liability for injuries to the occupants of the other car or to pedestrians.

You should also consider the coverage if you do not currently own a car but will in the future. Having continuous insurance coverage will help keep your premiums low when you purchase a policy for a new car.


Why does my business need this Liability Policy?

Many personal auto policies exclude driving for business. That means a loss that occurs while driving for the business becomes the responsibility of the business, not the driver.

If your business puts drivers on the road during business hours, you are responsible for their actions. If your driver has an accident while driving from one client to another, your business funds the loss and pays the claims before the employee's personal auto coverage responds.

Pairing your Hired & Non-Owned Auto Liability Policy with a strong safe driver’s agreement 

Insurance is important, but it should follow, not replace, your risk management processes. A safe driver policy that all employees must adhere to is one way to manage the risks that come with employees driving their own vehicles for work.

DOWNLOAD: A Sample of A Safe Driver’s Agreement

A safe driver's agreement is a document all of your employees should sign stating that they will practice safe driving behavior while driving on company time. The agreement spells out discipline for drivers who get tickets or accumulate points on their licenses and can include safe driver incentives. Incentives can be a great way to motivate employees to be better drivers.


If your organization lacks a hired and non-owned auto policy, you are exposed to funding the entirety of a loss if one occurs. If your business is now looking to purchase a hired and non-owned policy, contact a Risk Advisor at 914-357-8444 for more information on how to get started.


CyberSecurity: Advice for Prevention

There is no such thing as infallible cybersecurity. No matter how many millions of dollars an organization spends on security, some hacker, somewhere, at some time, may successfully break in. A well-known example is JPMorgan Chase, which spent close to $100 million shoring up its systems only to find them breached and sensitive data at risk. The fact that attackers may keep finding ways past firewalls does not mean individuals and organizations should sit and wait for the inevitable. There are steps that minimize risk and may avert a data breach.

Below you will find current methods hackers utilize, along with best-practice preventive measures to protect your systems from such hacks. In addition, a case study illustrates both the risk and lessons learned, stressing the importance of education and developing a culture of security surrounding your organization.

Prevention Is the Best Defense with Cybersecurity

Preventing a data breach is the optimal outcome, but it is neither simple nor easy, even with sufficient safeguards in place. To be proactive, organizations must prepare for something that has not yet happened; they have to forecast future cyber and privacy threats. Doing so often means poring through mountains of data to find a needle in the haystack: a piece of malware or an indicator of a threat that can compromise critical data.

Sometimes, as the recent publicly disclosed breaches show, these threats get lost in the noise. Furthermore, the tech industry's greatest advantage is also its Achilles heel: rapid change. Product cycles move fast, and software updates and patches move even faster. It takes dedicated personnel to keep up.

Nowadays, security is not just a locked shop door. Digital breaches are robberies that can happen at any hour, without warning, and with little or no immediate evidence, which is why you need a sound cybersecurity program. If network configuration or the employee education program is lacking, exposure to serious risk and liability is heightened, and valuable digital assets, especially client information, can be lost. That thought may be frightening, but do not despair: being informed about these issues is the greatest defense an organization can have.

I. Conduct a CyberSecurity Assessment

The prevention and detection stages of security (those before a breach occurs) are typically informed by a digital security assessment, which goes beyond simply testing an organization’s network for vulnerabilities. An assessment allows for a more complete picture of an organization’s security posture focusing on policy, controls and procedures, as well as the effectiveness of their implementation.

Tech infrastructure is often a "set-it-and-forget-it" affair. How often do you click "remember me" when logging into a frequently visited site to save yourself the sign-in next time? In the same way, digital infrastructure is installed, configured, and then never touched again. To maintain a secure environment, it's imperative to test, test, and test some more.

II. Assess the Human Element in Cybersecurity 

When it comes to information security, the human element is just as important as the technology itself, perhaps more so. Hardware and software require regular human attention to make sure devices have the latest updates, security patches, and so on. The human element is therefore the single most important aspect of an organization's security posture, and it can only be addressed by fostering a culture of security through education and a written digital use policy.

Consider the psychology of a hacker when assessing the role of human vulnerabilities in determining the viability of an organization’s cybersecurity practices. The term “hacker” is interesting in its ability to conjure up a vague, though widely held notion, of the cyber-criminal. The vision is fairly common: a scruffy socially challenged individual, slouched in a swivel chair, speedily typing on a keyboard as indecipherable streams of digits race down the computer screen. Cue The Matrix.

Compared to other criminals, the hacker remains largely an unknown, impersonal entity tied to the modern era of technological advancement. What is often forgotten is that although hackers are known for manipulating technology, they can be equally adept at manipulating people. Cybersecurity procedures rely heavily on human participation. The first step of an attack, the point at which the probability of a data breach is largely determined, can (and often does) happen at the human level: unsuspecting personnel may hand an attacker access to sensitive data simply by giving out a Wi-Fi password or log-in credentials, without realizing who they are dealing with.

Just as technology can be configured to trust the wrong source, individuals can be prone to trusting disreputable sources. A hacker will take advantage of the full breadth of an organization's vulnerabilities; consequently, employees are just as exposed to attack as the technical systems themselves.

Employees can also download malware without realizing it, for example through illegal downloads or torrents of movies and applications. Such unsafe browsing habits can and often do lead to infection. Don't rely on an e-mail scanning application or a spam folder alone to keep malicious messages out of the inbox. A hacker's job goes beyond exploiting purely technical vulnerabilities; the successful ones look for human vulnerabilities.

III. Watch Out for Phishing Aggression

To assess and react to the danger humans pose to digital security, it is important to know what the "bad guys" are doing. External attackers have a diverse arsenal of techniques, but a few are especially pertinent because they can reach any employee in an organization. Hackers are often described as "social engineers" because they manipulate and trick their targets into giving them access.

One of the most prominent examples is phishing. In a phishing attack, cyber thieves lure unsuspecting victims into clicking a link that leads to a malicious web server, which then harvests their credentials or executes malware on their machine. The link usually arrives in an e-mail message, and nothing happens until the user clicks it and unknowingly contacts the malicious server.

Even more unsettling, though similar, is a “spear-phishing” attack. Unlike a phishing attack, spear-phishing is a directed attack. Cybercriminals gather information about a victim, which is then used to construct a fraudulent e-mail intended to trick the victim. Rather than being obviously nefarious, these e-mails are very realistic and tailored to the person hackers are trying to trick.

For example, in the banking industry, a hacker may send an e-mail disguised as a communication from the Federal Deposit Insurance Corporation (FDIC). By their nature, phishing e-mails do no harm until a user actually clicks the link to the malicious server (or opens the attachment). To prevent this within an organization, personnel need to be trained to identify false links. Before clicking, hover over the link to see the true URL, and check the registered domain rather than the familiar name at the start of it: an address such as fdic.gov.something.example belongs to something.example, not to the FDIC. Even better, train employees to type the web address they need directly into the browser instead of clicking at all.
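As an added illustration of the hover-and-check advice above (example code written for this page, not a tool from the original article), the Python below pulls every link out of an HTML e-mail body and flags the tricks that make a displayed link lie about its destination: a trusted brand used as a subdomain of an unrelated domain, a userinfo "@" that hides the real host, a raw IP address in place of a hostname, and visible link text that names one site while the href points at another. The sample message, the TRUSTED_DOMAINS list and the rough registered-domain helper are assumptions for the demo; a production version would use the public suffix list and a real allow-list.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for the demo: domains the organization really does business with.
TRUSTED_DOMAINS = {"example-bank.com", "fdic.gov"}


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def registered_domain(host):
    """Crude eTLD+1 (last two labels). Fine for the .com/.gov demo hosts; real
    code should use the public suffix list (co.uk and friends break this)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyze_link(href, text):
    """Return the reasons a link looks deceptive; an empty list means nothing was flagged."""
    reasons = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    if parsed.scheme not in ("http", "https"):
        reasons.append(f"unusual scheme {parsed.scheme!r}")
    if parsed.username is not None:  # http://fdic.gov@evil.example/ really goes to evil.example
        reasons.append(f"credentials before '@' hide the real host {host}")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("raw IP address instead of a hostname")
    # Visible text that looks like a URL or hostname but names a different site than the href.
    m = re.search(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", text.lower())
    if m and registered_domain(m.group(1)) != registered_domain(host):
        reasons.append(f"text shows {m.group(1)} but href goes to {host}")
    # A trusted brand buried inside an untrusted registered domain (fdic.gov.evil.example).
    for trusted in sorted(TRUSTED_DOMAINS):
        if trusted in host and registered_domain(host) != trusted:
            reasons.append(f"look-alike host {host} is not {trusted}")
    return reasons


def scan_email_html(html):
    """Return [(href, visible_text, reasons), ...] for every link in the message."""
    parser = _LinkExtractor()
    parser.feed(html)
    return [(href, text, analyze_link(href, text)) for href, text in parser.links]


# Constructed sample message for the demo (not a real phishing e-mail).
SAMPLE_EMAIL = """
<p>Dear customer, please review the notice at
<a href="https://www.example-bank.com/notices">our site</a> or at
<a href="http://fdic.gov.secure-login.example/verify">https://www.fdic.gov/verify</a>.
Urgent: <a href="http://198.51.100.7/login">log in here</a> within 24 hours.</p>
"""

if __name__ == "__main__":
    for href, text, reasons in scan_email_html(SAMPLE_EMAIL):
        print(("FLAG " if reasons else "ok   ") + href, reasons)
```

Run against the constructed message, the first link passes, the FDIC look-alike is flagged twice (display text versus href, and a trusted name that is not the registered domain), and the raw-IP link is flagged once. The same checks are what a mail gateway rewrite or a user-awareness tool applies before a human ever hovers.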

IV. Provide the IT Department with Useful Tools

While a universal training program aimed at informing all employees of their role in the security posture is critical, it is also important to ensure that the information technology (IT) team is staying on top of current advancements in security and has the resources to minimize vulnerabilities. Often IT people are more concerned with making sure technology is being implemented for productivity, not necessarily for security. Digital assets vary for every organization, making specific preventive measures hard to define. In general, the prevention of attacks and threats should be consistently audited so that a specific information security policy can be created and carried out within the specific context of an organization.

As one general example, outdated and unpatched software poses a serious risk. Cybercriminals often target older software precisely because of its longevity: the longer a piece of software is around, the more time attackers have to build malware around a known vulnerability that the vendor has not fixed, or that the organization has not yet patched.

In many industries, including healthcare, legacy technology is becoming a serious problem as an avenue for data theft. Furthermore, preventive measures can become expensive. An organization’s IT team or information security team, however, has a serious leg up on outside threats – they know where the valuable data is. Thorough knowledge of an organization’s infrastructure is a considerable advantage against outside threats. Consequently, it is worth investing in the people who know most about it. The avenues by which data can fall victim to a remote attack are as innumerable as the unique software and hardware contexts of companies all over the world. Keeping a team well equipped is key to a strong security posture.

V. Limit Access to Critical Information

An often under-analyzed piece of the preventive data security puzzle is access control. Put simply, not every employee should have access to all data. Even in IT, members of the team should use non-privileged credentials for daily activities and reserve administrative accounts for tasks that require them. This is a central step in minimizing risk because it reduces the number of accounts through which data can leave the organization's network: every additional privileged credential is one more credential whose theft hands an attacker elevated access.

In line with this, it is crucial to consider internal threats. For example, a disgruntled employee with access to sensitive data steals it and posts it publicly online. Limiting access to critical data on a need-to-know basis can, in some cases, eliminate this risk preemptively. People are a company's biggest asset but also its biggest liability with respect to information security. Awareness and consistent implementation of policy are key to maintaining that "culture of security."

VI. Recognize the Risks of BYOD

Practicing and applying security and data access controls is crucial outside as well as inside of an office. Mobile computing revolutionized everything, from the maintenance of cybersecurity to reasonable policies. It is becoming increasingly common for employees to take sensitive data home with them (on thumb drives, laptops, phones, e-mails, cloud services, etc.).

With respect to policy, many organizations favor the cost benefits and flexibility of bring-your-own-device (BYOD) permission, which allows employees to use their personal devices, particularly mobile devices, to store and access company data. Unfortunately, in most instances this gives up part of any defined, universal security strategy and leaves the organization with less control over its data, because standard mobile device management tools are typically not installed on employees' personal devices.

BYOD can also open unauthorized paths from the organization to the Internet. Many smartphones offer tethering, whereby other devices share the phone's cellular data connection. Traffic over that connection bypasses the organization's network and therefore cannot be monitored for suspicious connections.

Before simply accepting BYOD as a cost-effective and desirable approach, ensure that the organization understands the rules, risks, and rewards of the new policy. If the organization implements BYOD, do so in a way that keeps a measure of control. Also take legal ramifications into consideration and determine whether there are regulatory concerns particular to your industry that need to be worked into BYOD and mobile computing policies. In some industries, such as health care, a lack of central data security policy and control opens up serious liability risks.

VII. Look Beyond Your Employees

Data control goes beyond employees. It extends to any entity that can store, access, or use a company's sensitive data, including third-party vendors. Develop contracts that protect the organization, particularly with vendors that handle its data. Third-party vendors can introduce security lapses and vulnerabilities while not holding themselves to the proper digital risk standards, and the result can be a digital catastrophe.

This is best evidenced by the devastating credit card breach Target experienced in late 2013. Target seemed to have the appropriate controls in place, with dedicated IT staff and security appliances, and management assumed everything was fine with its security practices. It overlooked one critical issue: an outside heating, ventilation, and air-conditioning (HVAC) service vendor was allowed network access that was not separated from the network carrying point-of-sale traffic. This is an example of lapses in human execution rendering good technical security measures ineffective.

Like Target, other larger companies have been breached after failing to audit third-party vendors, including Boston Medical Center and Goodwill. Often, smaller third-party vendors serve as a hacking "stepping stone": compromise them to get to their larger clients, who hold more valuable data. This is especially true today, as even the smallest companies have a digital presence. Once again, a company can have all the proper controls in its own offices while sensitive information held by its vendors is compromised.

To mitigate third-party risk, ensure that the appropriate parties, especially the legal department, are involved in the vendor hiring process and that contracts guarantee audit rights. That means including audit clauses that allow the organization to regularly verify that vendors comply with any generally accepted or required standards. Including cybersecurity in the outside contracting process is now imperative.

VIII. Don’t Overlook the Importance of Data Backups

Beyond the risk of data being compromised, losing data entirely can be even more devastating. Large corporations can afford to keep sensitive data in multiple locations; others often cannot. Regardless of an organization's size, individual workstations can hold important client data that should be backed up regularly. However many backups an organization maintains, it is important not to get bogged down by the sheer volume and to prepare for the absolute worst: a hurricane, tornado, or other disaster that could destroy an entire organization's data in one fell swoop.

Data loss can happen in other ways most people don’t expect.

A couple of months ago, I got a call from a local government agency that had a horrible "ransomware" infection. Ransomware is malware that extorts victims by encrypting their files. It is downloaded by accidentally clicking a link in a pop-up, or through a "phishing" e-mail. Once it executes, the hacker notifies the user that their files have been locked because they supposedly committed a crime, and that they must send money for the decryption key within a certain amount of time or their files will be inaccessible forever.

Unfortunately, paying the "ransom" does not guarantee the files will be unlocked; it mainly serves to line the pockets of the extortionists. In this particular case, the local agency did not consistently back up its data and lost months of work. This infection is a reminder of something often overlooked as a serious risk to daily business: data backups, off-site or otherwise, along with regular checks that those backups are intact and can actually be restored.
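An added example (written for this page, not code from the article) of the check that would have saved the agency above: copy a directory to a backup location, record a SHA-256 manifest alongside it, and re-verify the copy later so that a backup that ransomware has quietly encrypted, or that was never complete, is noticed before it is needed. The directory layout and file contents are constructed for the demo. The verification is meant to run against an offline or write-protected copy; a backup share the malware can reach is not a backup, which is exactly the failure the second verification below simulates.

```python
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files never have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src: Path, dest: Path) -> dict:
    """Copy the src tree to dest and write a manifest of relative path -> SHA-256."""
    if dest.exists():
        shutil.rmtree(dest)
    shutil.copytree(src, dest)
    manifest = {
        p.relative_to(dest).as_posix(): sha256_file(p)
        for p in sorted(dest.rglob("*"))
        if p.is_file()
    }
    (dest / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_backup(dest: Path) -> list:
    """Re-hash every file named in the manifest; return a list of problems (empty == good)."""
    manifest = json.loads((dest / MANIFEST_NAME).read_text())
    problems = []
    for rel, expected in manifest.items():
        p = dest / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != expected:
            problems.append(f"modified: {rel}")
    return problems


def demo():
    """Build a constructed 'live' directory, back it up and verify it, then simulate
    ransomware reaching the backup and verify again. Returns (before, after)."""
    work = Path(tempfile.mkdtemp(prefix="backup-demo-"))
    try:
        live = work / "live"
        (live / "cases").mkdir(parents=True)
        (live / "cases" / "permit-001.txt").write_text("constructed sample record\n")
        (live / "notes.txt").write_text("constructed notes\n")

        backup = work / "backup-2020-06-01"
        make_backup(live, backup)
        before = verify_backup(backup)

        # Ransomware that can reach the backup share encrypts files in place;
        # random bytes stand in for the ciphertext here.
        (backup / "notes.txt").write_bytes(os.urandom(64))
        after = verify_backup(backup)
        return before, after
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    before, after = demo()
    print("fresh backup:", before or "OK")
    print("after tampering:", after)
```

The manifest should itself be stored somewhere the backup writer cannot modify (or signed), otherwise an attacker who rewrites the files can rewrite the hashes too; and a scheduled run of verify_backup against the offline copy is the "test your restores" step that turns a pile of copies into a real recovery plan.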

IX. Develop a Security Culture

It is important to audit all controls that protect against external and internal threats. Make sure that these controls are in place and effective, and test them by attempting to penetrate your organization's digital infrastructure. Take a layered approach: organizations should have not only a digital fence but also a locked front door. In addition to "locks" and "fences," hold a policy information session that teaches people how to keep the gate closed and the door locked.

Incorporating these provisions into policy and executing that policy through employee training programs, moves organizations to a stronger security posture. Creating an atmosphere for effective security is just as important as the security practices themselves.

“Hope for the Best, Prepare for the Worst.”

Balancing the cost of preparation against the cost of a breach is worth considering; preparation is much cheaper than the fallout of a breach. When it comes to security, prevention is certainly the first choice.

What happens if an organization takes all the preventive measures but still loses data? Technology constantly updates with new security measures, yet cybercriminals stay one step ahead of the latest preventive measures. One of the primary reasons for their persistence is that a targeted organization’s data is exceedingly valuable. In recent history, credit cards have been an obvious target for the clear monetary value they carry. These breaches have dominated the headlines and are an unfortunate side effect of our increased reliance on the conveniences of credit technology.

X. Recognize the Value of Data

Not dissimilar from the recent credit card breaches, hackers consistently target health data because it is valuable, either to gather intel about specific people or as a tool for identity theft, and because historically it has not been the most secure. Patient names, birth dates, billing information, and health histories enable complex identity theft and medical fraud schemes.

More importantly, this data has a market on the “Dark Web” beyond those who stole it. To put the Dark Web in context: Google indexes approximately 17 percent of websites, which is where most people typically dwell online and do their browsing, shopping, and other online activities. Below the Internet’s surface lurks the Dark Web, where criminals market a variety of goods and services, from passports and drugs to “rent-a-hacker” services for messing up someone’s life. Thanks to the Dark Web, stolen client data of all kinds has a market, which increases its appeal.

Even if an organization conducts an audit of all security controls and policies, a new exploit could be found the next day, rendering a clean bill of security health void.

Case Study Illustrates the Risk of Not Participating in Cybersecurity 

The following case study illustrates the point that employee education is key. About a year ago, a large corporation contacted me claiming they had compromised systems. They mentioned an unauthorized $1 million wire transfer to Russia. Management suspected an inside job carried out by one of their employees. They had spent hundreds of thousands of dollars on security appliances, thinking this could not possibly happen to them. However, a review of their infrastructure revealed a lapse. They had adopted a “set-it-and-forget-it” attitude. There was no “culture of security.”

Although they assumed their appliances would block such a thing, a spam e-mail reached an employee’s workstation. That individual clicked a link and initiated “Zeus” malware. While the hacker’s toolbox is expansive and variable, certain tools are worth mentioning, one being Zeus. When executed, Zeus monitors the infected computer for certain types of user activity, including online banking. It often remains dormant until a user accesses a financial service or banking website.

Once Zeus identifies the targeted activity (such as banking), it collects confidential data, including a log of all keystrokes and screenshots, and transmits the captured data to the hacker. In this case, someone had inadvertently left a security token plugged in. The hackers had everything they needed: they set the software to wait for banking credentials, and after that all they had to do was log in and initiate the transfer.

This story teaches us that these lapses do happen, even when the victims think they have a great security posture. Fortunately, that company made the right choices in handling its breach of security. Management acted quickly, hired professionals, and assembled the narrative to recoup their money. They carried out reasonable steps for the safety of their customers’ information.

Lessons Learned about Cybersecurity

More often than not, though, incidents come unexpectedly and organizations have little preparation for the worst. Officers and employees often don’t have a clear picture of the chain of command, nor the roles and responsibilities in the face of a breach. This can lead to increased exposure to media and public relations fallout and executive meltdown.

While designing a preventive policy, also write an incident response manual. It should prevent an operational shutdown in the case of a breach and allow for quick, decisive action. Be sure you have the right contacts to respond to such an incident. Be ready for the inevitable, even if it seems impossible.

Specialists can assemble the narrative, from the initial exploit, through escalation, to the context of the data that was ultimately compromised. With that narrative, an organization is better able to prevent a similar attack in the future and has a clear picture of how to handle other tasks related to the breach, such as client notification.

Breach Notification

Breaches often go undisclosed. An organization’s responsibility to notify its clients, partners and other parties about a breach varies by situation. In certain industries, federal and state regulations set the rule; in others it is solely at the discretion of executives. In responding to the public, or proactively notifying clients, it’s best to wait until a full investigation is complete. There is a huge difference between an infection (abnormal Web traffic) and a data breach. Evidence of a possible data breach attempt does not mean the attackers were successful. Moreover, even if hackers steal data, the type of data is central to the notification procedure.

Oftentimes, organizations that suspect a breach will jump the gun and notify their clients before an investigation is complete. In the end, sometimes nothing serious happened: no confidential data was lost or stolen. Notifying clients before knowing there is a legitimate problem is, in and of itself, a huge risk. Understand that some clients might not be comfortable continuing business with a company that disclosed a breach. Organizations need to do themselves a favor and rule out the possibility of a false alarm first. That said, it is important to incorporate client notification as part of the defined incident response plan. It is always best to be proactive, but don’t inform clients or authorities until a serious breach has definitively happened.

Complete a Thorough Investigation

In the unfortunate case that personally identifiable information was stolen, it is important to work closely with legal professionals. Cybersecurity is very much a legal issue, with unique legal considerations. As previously alluded to, regulatory considerations vary greatly between industries and states, for now. Until there is an overarching federal regulation that applies the same requirements to all industries and defines what type of stolen data must be reported, the current compliance and digital security laws remain the law, and they are a patchwork.

Similarly, after an incident, education is still the most important aspect of preventing another breach. Take an incident or a breach and use it as a valuable learning opportunity. After a security breach investigation, walk employees through every detail of what happened. Pinpoint what the failures were and, most importantly, learn from the event and prevent the same thing from happening again. Hold the entire team responsible for a security breach, not just one employee.

Conclusion & Takeaways of Cybersecurity

Preparation is key in any prevention strategy, and optimal security always starts at the human level, especially with cybersecurity. Best cybersecurity practices are just that—practices. Cybersecurity measures are always a work in progress and reflect the constant stream of new technology. It takes time to discover, learn, and implement the best methods. Ongoing education within this “culture of security” is imperative in trying to implement the best possible procedures. In this case, knowledge truly is power.

 

Download Our Cybersecurity Considerations Checklist

For More Information on Cyber Security Risk click here or call one of our Risk Advisors at (914) 357-8444.

Cybersecurity Program Checklist Help

Cyber liability insurance complements a strong cybersecurity program. The insurance portion helps your organization recover costs associated with the negative effects of a successful cyber attack. Cyber liability insurance cannot prevent you from experiencing loss. A strong cybersecurity program can help mitigate some of the potential losses by making your organization a difficult cyber target.

Cybercriminals are looking for targets with minimal cybersecurity on their systems. If your organization trains employees to recognize potential foul cyber activity and focuses on an organization-wide goal of cybersafety, you are on the right path to a strong cybersecurity program.

Managing Devices

Device management can seem like a small part of a strong cybersecurity program, but according to NetStandard, 1 in every 3 employees do not lock their work computers when they go to lunch or leave work (1). An unlocked computer leaves every file and system it can reach in your organization open to whoever walks up to it. Documents can also be an access point for cybercriminals. An effective device management program encourages your employees to lock their devices with passwords and to take extra care when working in public workspaces.

Password Authentication Protection

We’ve previously highlighted the importance of multi-factor authentication. Authenticators range from digital to physical, as well as options that combine both. All accounts at your organization should be outfitted with a multi-factor authentication process. This added layer of cybersecurity can save your organization

Email, Webpages & Social Media

Cybersecurity is more than protecting your passwords and devices. A strong cybersecurity program includes smart practices for reading e-mail, entering data into unfamiliar websites, and using social media. Phishing scams are one of the most common ways cybercriminals gain access to company information: the criminal poses as a safe and familiar entity and asks the victim to grant access to the account the criminal is trying to take over.
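To make the phishing point concrete, here is an added Python triage check, not code from the original post, that flags the indicators a trained reader looks for by hand: a Reply-To domain that differs from the sender’s, a display name that borrows a trusted organization’s name while the address does not belong to it, link text that names one domain while the href points at another, and a link host that is one or two characters off a trusted domain. The trusted-domain list, both sample messages, and every domain in them are constructed for the example.

```python
"""Added example (not part of the original post): a small triage check that
flags common phishing indicators in an e-mail. The trusted-domain list and both
sample messages below are constructed; they are not real organizations."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = ("example-bank.com", "metrisk.example")  # constructed sample list
DOMAIN_RE = re.compile(r"([a-z0-9-]+\.)+[a-z]{2,}")


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike hosts such as examp1e-bank.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> elements in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _body_text(msg) -> str:
    """Return the first text/html or text/plain part, decoded."""
    for part in (msg.walk() if msg.is_multipart() else [msg]):
        if part.get_content_type() in ("text/html", "text/plain"):
            payload = part.get_payload(decode=True)
            if payload:
                return payload.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def _same_site(host: str, shown: str) -> bool:
    return host == shown or host.endswith("." + shown) or shown.endswith("." + host)


def phishing_indicators(raw_message: str) -> list:
    """Return human-readable indicators found in the message; empty means none."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    found = []

    # 1. Replies silently routed to a different domain than the visible sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        found.append(f"reply-to domain {domain_of(reply_addr)} differs from sender domain {from_domain}")

    # 2. Display name borrows a trusted brand, but the address is not that domain.
    if from_domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            brand = trusted.split(".")[0].replace("-", " ")  # "example-bank.com" -> "example bank"
            if brand in display_name.lower():
                found.append(f"display name '{display_name}' suggests {trusted} but sender is {from_domain}")

    # 3. Link text shows one site while the href goes elsewhere; 4. look-alike hosts.
    collector = _LinkCollector()
    collector.feed(_body_text(msg))
    for href, text in collector.links:
        host = (urlparse(href).hostname or "").lower()
        shown = DOMAIN_RE.search(text.lower())
        if shown and not _same_site(host, shown.group(0)):
            found.append(f"link text shows {shown.group(0)} but points to {host}")
        for trusted in TRUSTED_DOMAINS:
            if host != trusted and 0 < edit_distance(host, trusted) <= 2:
                found.append(f"link host {host} looks like {trusted}")
    return found


# Constructed sample messages (not real mail).
PHISH = """From: "Example Bank Security" <alerts@examp1e-bank.com>
Reply-To: collect@mail-drop.test
To: employee@metrisk.example
Subject: Action required: verify your account
Content-Type: text/html; charset=utf-8

<p>Sign in at <a href="http://examp1e-bank.com/verify">https://example-bank.com/login</a> within 24 hours.</p>
"""

LEGIT = """From: "Example Bank" <alerts@example-bank.com>
To: employee@metrisk.example
Subject: Your monthly statement
Content-Type: text/html; charset=utf-8

<p>Your statement is ready at <a href="https://example-bank.com/statements">https://example-bank.com/statements</a>.</p>
"""
```

Run `phishing_indicators(PHISH)` and it returns four findings (mismatched Reply-To, borrowed display name, link text pointing elsewhere, look-alike host); `phishing_indicators(LEGIT)` returns an empty list. None of these checks proves a message is malicious on its own; the value for an employee or help desk is that each one is a reason to stop and verify through a known-good channel before clicking.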

If you have any additional concerns regarding your cybersecurity program and cyber liability coverage, contact a Risk Advisor at 914-357-8444.

Business Interruption Insurance Coverage For Business Continuity

Most business owners view the whole insurance purchase and claims process as a black art, which this writer completely understands. After 25 years in the business, I too scratch my head at some of the “spells” insurance carriers concoct.

Let me try and be as succinct as possible as I will focus on three main considerations:

  1. Purpose of business income coverage
  2. Coverage triggers
  3. A brief paragraph on valuations

Purpose of Business Income Coverage:

The main purpose of business interruption insurance coverage is business continuity. It provides funds to pay for continuing expenses that remain even though the business is not operational at the moment. These necessary expenses keep the business viable for its eventual return. One example would be key staff, such as an executive chef. You wouldn’t want to lose their talents, which are intrinsic to the success of your business, so their compensation continues even though the kitchen is inoperable. Your policy contains the specific loss formulas and calculation variables the carrier uses to determine the amounts. See Item 3 for more information on valuations.

There are essentially three levels of business interruption coverage:

Standard Business Interruption Insurance coverage 

Intended to compensate the insured for income lost during the period of restoration. Coverage continues until the owner brings the operations and facilities back online and fully functioning.

Extended Business Interruption

Provides additional coverage augmenting the standard business interruption coverage for a specific period of time once the facility or operation has been brought back online. An example of which might be a restaurant that re-opens after 6 months of restoration. It may take time for the public to return, which means their sales will be off until word gets out. Extended Business Interruption would help bridge that sales gap for 30, 60, or 90 days contingent on how much you purchase at the outset.

Contingent Business Interruption

Provides coverage above and beyond the standard business interruption insurance for damage or loss of income due to a loss at a key supplier or a key tenant. I’ll give an example. Years ago Corning had a fire at the factory that supplied the majority of the screens for Samsung’s flat panels. Samsung had a significant drop in sales as it could not fill orders. Those customers bought from other manufacturers, resulting in a net income loss for Samsung.

These are the three main levels of business interruption coverage. Most businesses have the Standard level. If your business might suffer losses from a prolonged recovery period, a contingent supplier, or an anchor tenant, consider these enhancements.


What Triggers Business Interruption Insurance?

Great question, glad I asked. Coverage triggers are one of the most important features or mechanisms contained in all insurance policies. When a claim is presented insurance carriers ask two questions: what clause in the insurance contract “triggers” coverage, and what exclusions or limitations contained in the insurance contract “trigger” a claim denial. It’s either one or the other; guess which one they focus on most?

Essentially it comes down to a few critical answers:

  1. Is the event that caused the loss a “covered peril” as defined in the insurance policy? Hint: fire is a covered peril, flood typically is not.
  2. Did the business suffer a loss of business income as a result of a suspension of operations resulting from that loss?
  3. Did the business suffer property damage at a covered location on the policy?
  4. Is the business being made whole for continuity purposes, or is there an economic gain resulting from the coverage?

Examples

These are the main coverage triggers we look at from the outset. There are other more nuanced considerations in certain cases however I didn’t want this to turn into a doctoral thesis.

During Hurricane Sandy, many businesses suffered the loss of business income because their business had shut down for a period of time resulting in a potential net income loss. We fielded hundreds of questions in this vein. Sadly most of the losses were a result of flooding which was not a “covered peril” thus business income was NOT triggered.

In other situations, we made a case that a pre-emptive utility shutdown by a civil authority or landlord to protect their electrical infrastructure resulted in the loss, and not the flood. This argument only works if you also have the proper utility interruption coverage endorsement on the policy, which triggers coverage. In the absence of that endorsement, coverage would not apply to business income, as the losses didn’t result from a covered peril. Some folks call this confusing; I call it job security. If you are unsure whether coverage is triggered, we suggest you speak to a Risk Advisor for a second opinion on your specific situation.

Business Interruption Valuations:

Here’s where the weeds get really deep. The vast majority of policies that include business interruption coverage contain, deep in the policy pages, a standard formula or calculation that brings certain income and expenses in and carves certain expenses and income out. One example is utilities or rent that cease during the period of restoration: since the expense no longer occurs while the business is dormant, the carrier pulls this item out of its calculation. Within the methodology, income and expenses are brought in or carved out depending on how necessary they are to continuing the business.

Another example is key staff versus line staff. It’s critical for certain businesses to maintain payroll for key management or staff, but not for everyone. Thus the calculation for payroll reimbursement usually only contemplates critical staff. The rest are furloughed, so the expense does not continue and is not in the calculation.

One of the most valuable services we provide clients is a Pre Loss Analysis, whereby we do the business interruption calculation before a loss to test the coverage limits and triggers and see how well they would hold up if a sizable loss truly occurred. We have found that 98% of businesses are vastly underinsured for business interruption when we actually do the pre-loss calculations.

Why MetRisk

Industries that are susceptible to being underinsured for business interruption are Real Estate (Commercial & Residential), Manufacturing, Hospitality (Restaurants, Hotels), Retail & Wholesale Operations, and Healthcare.

We suggest you contact a Risk Advisor to do a Business Interruption Pre Loss Calculation, or simply order our free worksheet to do the calculation yourself. We believe it’s an enormously important exercise to do preemptively before a loss occurs. The survival of your business may depend on simple math.

 

COVID-19 Safety Guidance for the Construction Industry

Are you a construction firm working in NY? We found this great presentation by Domenique Camacho Moran, Partner and Head of the Labor & Employment Practice at Farrell Fritz, addressing some of the parameters that various state and city agencies are recommending and walking through safety guidance for the construction industry.
CLICK HERE for the slides from the May 29 COVID-19 Town Hall: NY’s Safety Guidance for the Construction Industry. This PowerPoint touches on everything that deals with safety in the workplace for construction employers.
 
Further, it seems to make decent sense from a work safety standpoint. We suggest you forward this to your P.M.’s and your safety personnel to make sure your construction firm is thinking about these issues over the next few months.
Unfortunately, this problem does not seem to be going away anytime soon. Especially in the workplace, we need to demonstrate safety precautions for our workers in the midst of a global pandemic. Addressing safety measures now can also be a good review for the post-pandemic workplace. Hopefully, this event will create safer work sites for the construction industry, as well as all the other workplaces around New York.
 
Welcome to the “abnormal”, at least for the next few months.
Still have a few questions? Contact a risk advisor today at 914-357-8444. Or, visit us at our website here.

Covering Your Out of State Exposure NYSIF Workers Compensation Policy

If you have jobs, locations, work, or employees now working from home and you are covered by the NY State Insurance Fund, you need to adjust your workers’ compensation insurance policy. Understanding the out-of-state exposure under an NYSIF compensation policy can help keep your insurance and claims costs down.

 

Two Quick Points :

Point # 1: If you are covered under an NYSIF workers’ compensation policy and you now have employees working from home in other states, we suggest you add endorsement # 127 (extraterritorial) to your NYSIF workers’ compensation policy.

The language on the endorsement is as follows:

The policy covers bodily injury to all your employees while performing work within the State of New York and to your regular New York employees while performing work of a temporary nature outside the State of New York. The policy covers claims for benefits by these regular New York employees only if they are filed under the jurisdiction of the New York State Workers’ Compensation law. The policy does not cover claims for benefits filed under any other state’s laws.

The policy does not cover bodily injury to your employees who work solely outside the State of New York except salespersons controlled and directed from New York regardless of where such salespersons were hired. 

Given the “temporary nature” of the work-at-home allowances many companies have made during COVID-19, we suggest New York State Fund policyholders add this endorsement as a precaution. Keep in mind that a gap still exists if the employee chooses to file a workers’ compensation claim in their home state, as the NYSIF will only pay the NY State benefit. If the employee files in New Jersey, which has a higher monthly indemnity limit, the gap between the higher NJ rate and the lower NY rate would be self-funded by the employer.

Point # 2: If the work is not “temporary in nature” but more substantive, you need to find workers’ compensation coverage for that out-of-state work elsewhere. The New York State Insurance Fund (NYSIF) will not endorse another state under section 3(A) of its New York State Workers’ Compensation insurance policy. This creates a substantial gap in coverage: should an employee be injured outside New York State at another company site or work location, coverage for that injured employee will be denied. Beyond funding the workers’ compensation claim with your own money, the fines levied can be significant, adding insult to injury; pardon the pun.

 

We suggest you speak with a Risk Advisor to bridge this critical coverage gap. Back to your regularly scheduled programming.