Tag Archives: cyber

The use of computers, electric technology and digital information. The cyber culture began in the 1980s and has grown rapidly in the last 15 years. Cyber’s giant growth allows for outstanding new technology but also brings more dangers in the online world.

Password Security for Cyber Protection

Implementing Proper Password Security For Better Cyber Protection

Picture this: it’s the end of the month, and you sit down at your computer to check your bank account balance. There’s only one problem: you forgot your password. What is it again? qwertyuiop1? No, qwertyuiop15? Eh, I’m not sure; I’ll just reset it.

Almost 40% of people deal with issues related to forgotten passwords on a monthly basis (Entrepreneur). This includes not only bank accounts but also social media and email passwords.

I’m not the only person who struggles to remember all his passwords, and I know I can’t be the only one changing my password every week because I can’t remember if I capitalized the first letter or not. Needless to say, my passwords are lacking in complexity in part because I never realized how risky using a common password can be. Cyber criminals have endless ways to use your private information. Opening fraudulent bank accounts, shopping online, applying for loans, and identity theft are only some of the most common uses of your data. The worst part is, I feel secure after changing my password from Football3! to Football4!. This change is almost completely insignificant to a hacker and most definitely isn’t going to prevent a hacker from getting into one of my accounts.

As a result of my new cyber security paranoia, here are some tips for better password management:

  • Make sure your password is at least 12 characters; it’s better to be safe than sorry. When it comes down to it, adding four characters to your password can be the difference between security and losing your account to cyber criminals.
    • An almost random combo of letters, numbers, and symbols is your best bet for creating a password that hackers will struggle to crack. The longer your password is, the better.
  • Stay away from obvious dictionary words and combinations of dictionary words. Any word on its own is bad. Any combination of a few words, especially if they’re obvious, is also bad. For example, “house” is a terrible password. “Red House” is also very bad.
    • In other words, stay away from any passwords you think someone else may be using. Think of something original, and don’t use the passwords “123456” or “password.”
  • Another easy way to keep your passwords secure is to keep them private, as in not sharing them with your coworkers, friends, or relatives.
    • Almost 50% of Americans have shared their passwords with another person. A significant part of this sharing occurs on streaming sites like Netflix and Hulu. Why is that important, you ask? According to the Ponemon Institute, the average person uses the same password for approximately five accounts. Remember that when you give your boyfriend or girlfriend your Netflix password, you may also be giving him or her access to much more.
  • Change your passwords every month if you want to be safe from cyber-attacks. This effort may sound hard to the average person who changes passwords once a year or not at all. But putting the extra time aside to change your passwords is a great way to ensure your cyber security.
  • Multi-factor authentication is a safety method that grants access to an account only after the user presents two pieces of evidence to an authentication mechanism. By using two-factor authentication, you can protect yourself against almost all cyber attacks; two-factor authentication is one of the most effective ways to combat cyber criminals.
  • Keep your passwords safe and organized by using a password management application; there are plenty of apps that offer free password help. If you’re old fashioned, write passwords in a notebook and keep them in a secure location. Write dates next to your passwords to help you keep track of when to change them.
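The tips above can be turned into an automated check. The following Python sketch is an added example, not part of the original article: the word lists are small constructed samples, and the function names and problem labels are assumptions chosen for illustration. It flags short passwords, common passwords, glued-together dictionary words such as “Red House”, and a new password that only changes the digits or symbols of the previous one (Football3! to Football4!).

```python
import re
import secrets
import string
from typing import List, Optional

MIN_LENGTH = 12  # minimum length recommended in the list above
# Constructed sample lists; a real check would load a large breached-password list.
COMMON_PASSWORDS = {"123456", "password", "qwertyuiop"}
DICTIONARY = {"house", "red", "football", "password"}
SYMBOLS = "!#$%&*+-=?@^_"


def skeleton(password: str) -> str:
    """Keep only lowercase letters, so Football3! and Football4! compare equal."""
    return re.sub(r"[^a-z]", "", password.lower())


def is_only_dictionary_words(password: str) -> bool:
    """True when the letters are nothing but dictionary words glued together."""
    letters = skeleton(password)
    # reachable[i] is True when letters[:i] splits cleanly into dictionary words.
    reachable = [True] + [False] * len(letters)
    for end in range(1, len(letters) + 1):
        reachable[end] = any(
            reachable[start] and letters[start:end] in DICTIONARY
            for start in range(end)
        )
    return bool(letters) and reachable[-1]


def check_password(candidate: str, previous: Optional[str] = None) -> List[str]:
    """Return the list of tips the candidate violates (empty list means it passes)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too_short")
    if candidate.lower() in COMMON_PASSWORDS or skeleton(candidate) in COMMON_PASSWORDS:
        problems.append("common")
    if not all(re.search(p, candidate) for p in (r"[A-Za-z]", r"\d", r"[^A-Za-z\d]")):
        problems.append("missing_character_class")
    if is_only_dictionary_words(candidate):
        problems.append("dictionary_words")
    if previous and skeleton(candidate) and skeleton(candidate) == skeleton(previous):
        problems.append("variation_of_previous")
    return problems


def generate_password(length: int = 16) -> str:
    """Draw characters from the OS CSPRNG until the result passes every check."""
    if length < MIN_LENGTH:
        raise ValueError("length must be at least MIN_LENGTH")
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate):
            return candidate


if __name__ == "__main__":
    print(check_password("Football4!", previous="Football3!"))
    print(check_password("Red House"))
    print(generate_password())
```
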

Final Thoughts

People as a whole have too many passwords, and what comes of all of them? Serious fatigue, to the point where resetting our passwords is easier than remembering them. But you have to be careful in resetting your password: though it may make you feel safer to change your password every month or two, this still allows hackers a long period of time to get into your account if they’ve already targeted it. The most important step to having proper password security is making the password long, with almost random strings of letters, numbers, and symbols.

As a result, people like me do dumb things, creating a few password variations to help an untenable situation. Or we do even dumber things, like use passwords such as “password” or “123456.” Or we create a “base” password and add a variation for each site. We know it’s stupid, but we’re driven to these solutions because we are lazy/our memories can’t remember all those passwords. So do yourself a favor and follow those tips to increase your password security.

 

If you have any further questions, contact a Risk Advisor or call 914-357-8444 today!

Cybersecurity Program Checklist Help

Cyber liability insurance comes second to a strong cybersecurity program. The insurance portion helps your organization recover costs associated with the negative effects of a successful cyber attack. Cyber liability insurance cannot prevent you from experiencing loss. A strong cybersecurity program can help mitigate some of the potential losses by making your organization a difficult cyber target.

Cybercriminals are looking for targets with minimum cybersecurity on their systems. If your organization trains your employees to recognize potential foul cyber activity and focuses on an organization-wide goal of cybersafety, you are on the right path to a strong cybersecurity program.

Managing Devices

Device management can seem like such a small part of a strong cybersecurity program, but according to NetStandard, 1 in every 3 employees does not lock their work computer when they go to lunch or leave for work (1). This leaves the computers open for every device that accesses your organization’s files. Documents can also be an access point for cybercriminals. An effective device management program encourages your employees to lock down their devices with passwords and to use better when working in public workspaces.

Password Authentication Protection

We’ve previously highlighted the importance of using multi-factor password authentication. Password authenticators vary between digital & physical authenticators, as well as options that are a combination of both. All accounts at your organization should be outfitted with a multifactor authentication process. This added layer of cybersecurity can save your organization

Email, Webpages & Social Media

Cybersecurity is more than protecting your passwords and devices. A strong cybersecurity program includes using smart practices while reading emails and entering data into unfamiliar websites, as well as safe social media practices. Phishing scams are one of the most common ways cybercriminals gain access to company information. These criminals pose as a safe and familiar entity and ask the victim to grant them access to the account they are trying to take over.

If you have any additional concerns regarding your cybersecurity program and cyber liability coverage contact a Risk Advisor at 914-357-8444

Secure Your Organization Using Multi-Factor Authentication

At a time when most organizations have transitioned to remote work, cybercriminals have doubled down on network attacks. The FBI recently released a statement saying that cybercrime attacks are up over 300% since 2019. Cyberattacks range from ransomware baked into spam emails to phishing emails that pose as trustworthy entities to gain access to account information. One way organizations can better protect their business from these attacks is to mandate policies that direct every employee to utilize multi-factor authentication on every business account.

 

Password authenticators vary between digital & physical authenticators, as well as options that are a combination of both. Below we have listed a few of the most commonly used authenticators:

Digital Authenticators

One of the benefits of digital verification is that users do not need an additional physical token or device for authentication.   

Email authentication

Email verification is when a user needs to click a link or obtain a code sent to their email address to verify ownership of the account they are logging into. One of the biggest problems with email authentication is that a majority of people will reuse the same password for all of their important accounts, so a stolen account password may also open the inbox that receives the code.

Using email as a second method of authentication looks like this: 

  • A user logs in to a website with their username & password
  • A unique code or link is then sent to the user’s email address linked to the account
  • The user logs in to their email account, finds the code, and enters it into the application or website, or clicks the link in the email
  • If the code is valid, the user is authenticated and granted access to the account.

Cellphone authentication (SMS)

The most common authentication method is through SMS messaging on a cellular phone. This method is considered more secure than email authentication because email authentication includes the risk of the email account also being compromised. The downside of SMS authentication is that SIM hacking can render the cellphone number useless.

SMS Authentication will look like this for a standard user:

  • A user logs in to a website with their username & password
  • A unique code is sent to the cellular phone number linked to the user’s account
  • The user takes the 4-6 digit code off of their device and enters the code into the application or website
  • If the code is valid, the user is authenticated and granted access to the account. 

Physical Authenticators

A physical authenticator is more secure than digital because there is a real device that is needed to authenticate an account. This means that the user has a tangible key or an application downloaded to a physical device that is in their presence. These physical objects make it harder for cybercriminals to hack accounts.

Application-based authentication

Applications like Google Authenticator and other verification apps use a token/code to determine ownership of the account. These applications are linked to the device, not the phone number. Application-based authenticators can be as simple as a push notification going to the phone or the application, delivering a 4-6 digit code for users to enter on the website or application of the account they are attempting to access. 

  • A user logs in to a website with their user name & password
  • The website they are attempting to access will send the user credentials to the authorization server.
  • The authorization server will authenticate the user credentials and generate a token.
  • The access token is sent to the user via an application downloaded to the user’s device
  • The user inputs the time-sensitive access token into the website they are attempting to gain access to.
  • If the token is valid, the user will gain access to the website.

Physical authentication device

At Metropolitan Risk, we supply our staff with the hardware authentication device YubiKey. This ensures that our staff is using one of the safest methods of authentication. These keys are simple to deploy to everyone in your organization. These devices help promote digital security health within an organization.  

This physical device plugs into the USB port of a computer and requires a human touch to unlock the device. 

The process of using a physical authentication device looks like:

  • Launch the authenticators’ device 
  • On the account that the user wants to log into, enter the username and password as normal
  • Find the authenticator code needed in the authenticator
  • Insert the physical authenticator key into the desktop to show the credentials needed to log into the account
  • Enter the code on the website
  • If the code is valid, the user is authenticated and granted access to the account.

Developing An Organization-Wide Plan To Implement Multi-Factor Authentication 

Once you’ve decided on a method of multi-factor authentication, your next step is execution. The size of your organization will determine how you implement this plan. While working on a plan, consult your IT department, your HR department, and various managers throughout your organization. Having your entire management staff on board with a plan helps convey the agenda to lower-level employees. 

  • Have a meeting with your supervisors, managers, and IT team about your organization’s cybersecurity efforts. 
    • Discuss how you feel you’re currently doing as an organization with cybersecurity to determine weak spots in your plans. 
  • If your organization is not currently using any method of multifactor authentication, determine which method would be best for your organization. At Metropolitan Risk we always suggest a physical key device.
    • Create a list of pros and cons for each authentication method and determine which is the best fit for your organization.
  • If you’ve decided to use a physical authentication device, determine which physical device is best for your organization.
  • Distribute the authentication devices and instructions to your employees
    • Make sure all employees are on the same page with how to manage this new software. 
    • Include additional information on how to install the authentication devices and how to better manage passwords and other important digital assets
  • Provide additional training to any employees who are struggling with updating their accounts with the new cybersecurity measures. 

Remember, cybersecurity only works if the entire organization is working towards the same goals. 

Metropolitan Risk is here to help your organization overcome obstacles that can affect your organization’s operations. Contact a Risk Advisor to book a meeting to discuss cybersecurity challenges that may be affecting your business’s insurance coverage, or call 914-357-8444.

OSHA Proposes Delay to Electronic Reporting

Under the electronic reporting rule of the Occupational Safety and Health Administration (OSHA), certain establishments must report information electronically from their OSHA Forms 300, 300A and 301. In addition, OSHA is required to create a website that can be used to submit the required information.

The original deadline for first reports was July 1st, 2017. However, in a recent update to its webpage, OSHA explained it won’t receive reports by July 1st. This is due to lack of readiness. It has also proposed an extended deadline of December 1st, 2017.

Affected establishments are expected to continue to record and report workplace injuries. Monitor these developments until you officially adopt a new reporting date. The fines for not recording or reporting workplace injuries can be substantial. Further, there were recent updates to when a workplace injury is directly REPORTABLE to OSHA, which means you must pick up the phone and call them to report that you had a workplace injury. To understand that bit of nuance a little better, we suggest you refer back to a previous article that highlights that significant change to avoid substantial fines and penalties. CLICK HERE to read the 2017 OSHA Reporting Revisions.

If you have any questions about the OSHA electronic reporting rule, give us a call at (914) 357-8444. You can also click here!

Cyber Security Regulation

New York State is implementing a new Cyber Security Regulation effective March 1st, 2017.

“New York is the financial capital of the world, and it is critical that we do everything in our power to protect consumers and our financial system from the ever-increasing threat of cyber-attacks,” Gov. Andrew Cuomo said February 16, 2017 in a statement.

Today’s marketplace continues to transition towards the way of the key stroke. It seems you can’t conduct a business transaction without a multitude of emails, electronically signed documents, or a cloud storing the most vital of information. These amenities have streamlined the means in which we conduct business, but have they left our information exposed? New York state seems to think so, and thus, has passed what appears to be the “first-in-nation” cyber security regulation.

Governor Cuomo continued in the statement above: “These strong, first-in-the-nation protections will help ensure this industry has the necessary safeguards in place in order to protect themselves and the New Yorkers they serve from the serious economic harm caused by these devastating cyber crimes.”

The finalized cyber security regulation, which takes effect March 1, 2017, sets mandated standards for financial institutions (including treasurers and insurers) to continue the on-going battle with risk of cyber-attacks.

The regulation requires “regulated companies” to implement a cyber security plan, including requirements for a program that is adequately funded, staffed, overseen by qualified management, and reported periodically to the most senior governing body of the organization. Additionally, the new regulation calls on banks to scrutinize security at third-party vendors which are providing them services. In 2015, the New York Department of Financial Services found that a third of 40 banks polled did not require outside vendors to notify them of breaches that could compromise data.

“Throughout the regulatory review period, we emphasized how critical it is for insurers to have the ability to tailor and implement their cyber-security programs in a risk-based manner,” Alison Cooper, Albany, New York-based Northeast region vice president for the American Insurance Association, said in a statement. “While some challenges remain, overall the final cyber security regulation provides greater flexibility so insurers are able to better adapt to an evolving threat landscape.”

“With this landmark regulation, (the department) is ensuring that New York consumers can trust that their financial institutions have protocols in place to protect the security and privacy of their sensitive personal information,” Department of Financial Services Superintendent Maria Vullo said in a statement. “As our global financial network becomes even more interconnected and entities around the world increasingly suffer information breaches, New York is leading the charge to combat the ever-increasing risk of cyber attacks.”

At this point you’re probably thinking to yourself, “We’re not a bank, and we’re not a large corporation. So how does this affect my business?”

Directly it doesn’t, YET! However, this new regulation should be viewed as a notice to all businesses, regardless of industry: cyber-attacks are an ever-increasing risk, and a potentially devastating exposure if left unacknowledged. It seems as though we’re constantly reading about the large corporations being hacked, leaving the small and mid-sized business owner to think “This can’t happen to us. Why would we be attacked?” The truth is, it can and it does happen to small and mid-sized businesses. Unfortunately, unlike the Home Depots and Targets of the world, one cyber-attack could be enough to force a business to close its doors.

Now is the time to evaluate your risk. Do you have a contingency plan in force if an employee accidentally opens a link from a person they thought they knew, only to find out it’s ransomware? Is there an action plan in force in the event hackers use your company email to send out spam or a virus to your contacts? Do employees know the steps to take if somehow all of your clients’ or employees’ data are stolen? Worse, if one of these events occurred, what would be the cost implications to your business? If you would like to take a deeper dive into this issue, contact a Risk Advisor today by CLICKING HERE. They can help you take steps to protect your business that cost nothing. Further, you can transfer the cost implications of many of these challenges to an insurance carrier through the purchase of a cyber liability policy. The world has become much more complicated and it continues to do so with the passing of each month. We are here to help.

 

The One App That Could Lower Your Insurance Costs By 30 Percent

Mobile App Insurance

If you are still using paper forms to report claims, you are on the losing end of the cost battle. Every company struggles with lowering their costs. The winners understand that lower costs equal greater market share or higher profits – often both. We have maintained for years that the “Cost of Risk” is a significant expense variable that can be a huge differentiator as the white hot battle for organic growth becomes even more acute. Our main point: lower your cost of claims and the cost of your insurance will follow. Mobile app insurance can help!


Here are 5 reasons we think this simple app could be a huge game changer for most businesses. Not for simply what it does, but the insight and ability to manage and execute one of the most thorny and costly issues facing many companies today.  

    1. Decreasing Incident Notification Time Lowers Costs:  

      A Mobile App for claims allows you to report both claims and incidents on the fly. Lag time reporting is a critical benchmark if your goal is to reduce the cost of claims. Hartford Insurance Company analyzed millions of claims and determined that for the exact same injury costs increased by multiples each day the incident went unreported. Thus the same knee injury costs the employer up to 38% more if the incident went unreported for 3 weeks. A mobile app like this one cuts lag time reporting from days to minutes delivering huge value.

    2. Tracking Incidents NOT Claims is a Game Changer:

       Incidents show patterns of behavior and or failures in your means and methods as your company goes about its business. By tracking incidents and NOT simply claims, we can find patterns BEFORE they become an employee injury. Essentially by being very proactive you should be able to get to answers quicker and modify your methods to avoid or lower future claims.

    3. Data Becomes Executable:

      The biggest issue we see with how companies use paper forms is that they simply throw them in a file. All the data points contained on that form are never collected and rolled up into a database to be culled for future insight to benchmark and compare periods, shifts, locations, supervisors, etc. Without this important step how do you gain enough insight that ultimately leads to lower injury rates and thus lower costs?

    4. Easy Way to Capture Important Safety Data:

      With a well designed mobile app, you can capture and record relevant safety information right at the scene of accident. You will be able to take photos, record audio, record videos, take witness statements, and even rate the severity of the accident. At the leadership level, the data a mobile app provides becomes actionable, curtailing risk at its source, lowering or preventing future occurrences.  

    5. Emergency Response:  

      By utilizing a well designed mobile app the goal is to gain a much quicker response time. Statistics show that you can lower claims by up to 48% for the same exact injury if you respond quicker. The mobile app should notify “ALL” stakeholders of an event. Then your response protocol kicks in so you gain control of the injury and the response and do not leave it in the hands of your employees, the attorneys and the doctors.

Concluding Our Mobile App Insurance

There are advancements and tools out there for proactive organizations to manage significant pain points like employee injuries and claims. Knowing the technology exists is the first step. Second step is to talk to a Risk Advisor to see how you could deploy this powerful technology in your organization.

Your competition is trying to lower their insurance costs by shopping their policies out with 3 brokers. They are trying to cram their claims challenged account into a market with exceptionally high insurance premiums. However, you take a different tack.

By focusing on your incidents AND claims you have positioned your company to receive the best quotes the marketplace provides. You knew the price you get from the insurance marketplace is a function of how well you manage your losses. This is why your unit cost structure is significantly less than your competition. Thus you stopped chasing markets for the best rates, and focused on your own internal results knowing the rest follows.

Still have questions? Still want more info? Contact one of our risk advisors at 914-357-8444. Or, visit our website here.