Tag Archives: metropolitan risk

Metropolitan Risk is a risk management and insurance brokerage firm in Irvington that helps small businesses in the tri-state area surrounding New York City find insurance. Met Risk is the fastest-growing risk management and insurance brokerage in Westchester County and is well reviewed and well received by its clients.

Why Current Economic Conditions Are Perfect To Restructure Your Insurance Program

In our opinion, there is no better time to consider alternative risk transfer as a strategy for making your commercial property, commercial liability, workers' compensation and commercial auto insurance more cost-efficient.

As I write this, the country and the world are about to exit the COVID pandemic. If we frame the current conditions in terms of where we are in the property, liability and workers' compensation insurance buying cycle, conditions could not be more favorable for giving your company a significant competitive advantage.

Taxes :

Since all three branches of government have changed hands in the last several years, there are strong tailwinds pushing for significant tax increases that will erode corporate resources. We suggest that a captive insurance strategy can give you significant tax efficiencies, allowing you to keep the dollars inside your company and reduce your variable cost structure. DOWNLOAD our Guide to Utilizing Captives by CLICKING HERE.

Coverage Availability & Rates :

Currently, we are in the throes of a “hard market”, where conditions favor the insurance carriers as they restrict coverage and increase rates. Insurance buyers are frustrated because they have limited options. Further, they feel squeezed, and rightly so. The carriers point to the “social inflation” of liability and commercial auto claims driven by very large jury awards. Buyers point to the profits earned and surplus growth to counter that claim. We think the buyers have a legitimate gripe.

Risk As Strategy :

Smart, forward-thinking CFOs and C-suite executives understand that if they can leverage their balance sheets by increasing their retentions EFFICIENTLY, they can gain significant cost advantages that they can bake into their cost of goods sold (COGS). If done properly, they can reduce their insurance program costs by 35%, which allows them to grow profits, market share, or both. Remember, every dollar you save in your insurance program falls directly to the bottom line.

To find out whether your company could benefit from a partial or full program restructuring, CLICK HERE to schedule a 15-minute call. In five questions we can figure out whether the strategy has legs for your organization.

Risk of a Common Password and Ways to Avoid it (Infographic Inside)

Using a common password leaves your organization's accounts open to attack. Password protection should be a major component of your organization's cybersecurity plan. The risk of a common password is tremendous, and you should avoid having one at all costs.


Did you know:

  • 4.7% of users have the password “password”;
  • 8.5% use “password” or “123456”;
  • 9.8% use “password”, “123456” or “12345678”;
  • 14% have a password from the top 10 passwords used;
  • 40% have a password from the top 100 passwords used;
  • 79% have a password from the top 500 passwords used;
  • 91% have a password from the top 1000 passwords used.


What does this tell you? Think twice before you make “abcdef” your next password. According to a study from SecurityCoverage Inc., if a password contains just six lowercase letters, especially if it is a common word or combination, a cyber-thief can figure it out in 10 minutes. Figures like these depend on how the password is stored: an unsalted fast hash such as MD5 can be guessed billions of times per second offline, while a slow, salted hash such as bcrypt cuts that rate by orders of magnitude, and a password that appears on a common-password list falls to a simple lookup regardless of its length.

However, making a six-character password that includes numbers AND symbols boosts complexity enough that a skilled hacker would need 16 days to break it, the study found. That is a task most likely not worth the hacker's time.

Some sites now require a password with at least one uppercase letter, one number, and perhaps a symbol as well. This is a step in the right direction, even if it makes remembering your password a little tougher. A simple, easy-to-remember example would be “Money17$”. Be aware, though, that a dictionary word followed by a couple of digits and a symbol is exactly the pattern that cracking tools try first, so the keyspace arithmetic above overstates how long such a password really holds out; extra length buys more than this kind of complexity.

The real security, of course, comes from those dreaded passwords that are generated for you. They are longer, at least eight characters, with letters, numbers, and symbols in random order. They are nearly impossible to remember. However, an eight-character password of random letters, numbers, and symbols would take 463 years to break according to the same study, and nine random characters a whopping 44,530 years.
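The keyspace arithmetic behind those crack-time figures, as an added example written for this page (it is not the SecurityCoverage study's method and not code from the original post). It assumes two hypothetical guess rates, 1e10 guesses per second for a fast unsalted hash and 1e4 for bcrypt, plus a constructed seven-entry stand-in for a common-password list, so its absolute numbers differ from the study's. What it shows is the order an attacker actually follows: list lookup first, then word-plus-digits rules, and only then brute force.

```python
import math
import re
import string

# Constructed stand-in for the "top N passwords" lists the figures above come
# from; a real check loads a breach-derived list with hundreds of thousands of entries.
COMMON_PASSWORDS = frozenset({
    "password", "123456", "12345678", "qwerty", "abc123", "abcdef", "letmein",
})

# Word, then digits, then at most one symbol: the first mangling rule any
# cracking tool applies to a wordlist, so keyspace arithmetic overstates it badly.
WORD_DIGITS_SYMBOL = re.compile(r"^[A-Za-z]+[0-9]+[^A-Za-z0-9]?$")

# Assumed offline guess rates (guesses/second) for one commodity GPU. Real
# numbers vary by hardware and algorithm; the six-orders-of-magnitude gap
# between a fast unsalted hash and a deliberately slow one is the point.
GUESS_RATES = {"md5": 1e10, "bcrypt_cost12": 1e4}

# Assumed size of a rule-based attack covering the word+digits+symbol pattern:
# ~1e5 dictionary words x ~1.1e4 digit suffixes (0-9999) x 33 symbol choices.
RULE_ATTACK_GUESSES = 1e5 * 1.1e4 * 33


def charset_size(password: str) -> int:
    """Size of the smallest standard alphabet that covers every character."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def keyspace(password: str) -> int:
    """Number of candidates a brute-force attacker must cover in the worst case."""
    return charset_size(password) ** len(password)


def assess(password: str, hash_name: str = "md5") -> dict:
    """Rank a candidate in the order an attacker tries it: list, rules, brute force.

    Returns the verdict, the brute-force keyspace in bits, and the worst-case
    seconds to exhaust the relevant search at the assumed guess rate.
    """
    rate = GUESS_RATES[hash_name]
    bits = math.log2(keyspace(password)) if password else 0.0
    if password.lower() in COMMON_PASSWORDS:
        # One pass over the list; effectively instant at any guess rate.
        return {"verdict": "common", "bits": bits, "seconds": len(COMMON_PASSWORDS) / rate}
    if WORD_DIGITS_SYMBOL.match(password):
        return {"verdict": "word+digits+symbol", "bits": bits, "seconds": RULE_ATTACK_GUESSES / rate}
    return {"verdict": "brute force only", "bits": bits, "seconds": keyspace(password) / rate}


def report(password: str) -> str:
    """One-line comparison of a fast and a slow hash for a single password."""
    fast, slow = assess(password, "md5"), assess(password, "bcrypt_cost12")
    return (f"{password!r}: {fast['verdict']}, {fast['bits']:.0f} bits, "
            f"{fast['seconds']:.3g}s at MD5 vs {slow['seconds']:.3g}s at bcrypt")


if __name__ == "__main__":
    for candidate in ["password", "abcdef", "zqxjkv", "Money17$", "n!f$G*u3n"]:
        print(report(candidate))
```

Run it as a script to print one line per candidate. The instructive comparisons are “zqxjkv” (six lowercase letters, a fraction of a second against MD5) and “Money17$” (a 94-character alphabet, yet caught by a rule-based attack in seconds rather than the days its keyspace suggests).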

“People are careless because they don’t understand the threat,” said Ed Barrett, VP of marketing for SecurityCoverage. LinkedIn was compromised in June 2012 and had 6.5 million password hashes leaked. Yahoo had 6 million passwords stolen as well.

Another important consideration is keyloggers. Many attackers do not crack passwords at all; they infect employees' computers with malware that records keystrokes, and with them the passwords. A keylogger captures what is typed whether or not the “show password” option is on; that option matters for a different threat, someone looking over the user's shoulder or capturing the screen, so keep it off in shared spaces and treat endpoint anti-malware and patching as part of password protection.

The fact is, you can either use strong, complex passwords and have trouble remembering them, or use simple, weak passwords and run the risk of being hacked. We are not recommending a password like “nif$g*u3ng64dsf7”, as a security expert would love, because we understand the frustration of remembering 20 passwords (a password manager removes that burden and is the usual way out of the dilemma). We are advising that the next time you make a new password, especially for an important account, you add some complexity to it. Go back to your most important accounts, like your bank account, and add a few numbers or, better, a few more characters, and turn on two-factor authentication where it is offered. It will greatly help in reducing your risk.

For a FREE comprehensive Cybersecurity evaluation, CLICK HERE.

Cognizant Gets $400 Million Payout After Cyber Attacks

Technology consulting firm Cognizant fell victim to a ransomware attack last April. The attack disrupted thousands of employees trying to access the company's networks from home during quarantine. Clients also cut Cognizant off from their networks in case of further compromise, causing major revenue and clientele loss.

Cognizant's losses total $50-$70 million in lost sales, higher premiums, and defense and legal costs. Without cyber insurance, however, the losses would have been catastrophic.

Cognizant had put extensive money into cyber insurance premiums with multiple carriers. Insurance Insider reports this investment turned out to be a good decision, as the company recovered $400 million from its carriers, another huge loss for carriers in the cyber market. Carriers have been hit hard by higher loss ratios and claims frequency in the cyber market recently.

What is the overarching message? Right now, allocating resources to cyber protection is no longer recommended but required. Cyber insurance of some form is necessary to protect against ransomware attacks and can save your company millions. However, insurance is not the only resource that needs investment; there is no way to fully protect yourself against cyber attacks with insurance alone. We recommend proper employee training, multi-factor authentication, and data encryption.

Stay ahead of the curve and protect your company’s invaluable data. Invest properly and do not be afraid to spend a little extra for full protection. The premiums upfront may prove cheaper in the long run.

Still have questions? Contact a risk advisor today at 914-357-8444 or visit our website here.

Heat Injury and Illness in the Workplace

An Overlooked Problem

Heat injury and illness is a serious work-related danger that affects millions of American workers each year. Not only does heat directly cause injury and illness, but at times it is the underlying reason for mishandled equipment and lapses in focus that lead to other work-related injuries. While federal agencies such as OSHA publish guidance on preventing heat-related injury and illness, at times these cautions do little. It is up to management to provide resources, knowledge, and safety measures for workers at constant risk of heat injury and illness. Here are some ways to prevent them.

How to Avoid Heat Injury and Illness

Provide Rest Breaks:

Management should provide several work breaks other than lunch every day. These breaks should include free water and a shaded location. This will help workers stay out of the heat, cool their body temperature, and replenish fluids.

Provide Information:

Your workers need to understand the dangers of working in constant heat. Manual labor in heat slows the body's release of heat and reduces sweating. This traps more heat in the body, raising body temperature. That is dangerous: 2 degrees Fahrenheit above normal body temperature can cause dizziness, lack of focus, and dehydration, and once you hit 5 degrees past normal you are flirting with possibly fatal illness. The more your workers know, the more safely they will work under intense heat.

Training:

Training every worker on prevention is nearly impossible. However, training project supervisors on proper safety plans and measures benefits everyone. Having set heat-prevention measures in place for your supervisors to execute can save you money in claims and injuries.

Sometimes, these precautions still are not enough. Workers may still suffer from the effects of high heat and humidity. Here are a few steps to deal with a worker with a heat injury or illness.

How to Treat Heat Injury and Illness

Immediately Bring the Worker to Shade:

Give the worker plenty of water to rehydrate. Ice packs to bring down body temperature are also recommended. The best spot to cool a worker is the back of the neck, as it helps regulate the whole body's temperature.

Bring the Worker Medical Assistance:

If their symptoms continue to worsen or do not improve, calling an ambulance is the best option. Make sure to call within an hour of the worker first feeling symptoms.

Loosen Clothing:

Loosening the worker's clothing helps release heat trapped between the skin and clothing. This will help lower the worker's internal body temperature. It will also improve blood flow, which helps the worker recover more quickly.

Heat injuries and illnesses are not a footnote when talking about workers' injuries and workers' comp. They are a critical part of worker safety and health, especially in construction and work done primarily outdoors. Hopefully this article brings useful information to project supervisors and management about proper steps and precautions regarding heat injury and illness.

Still confused and want advice? Call a risk advisor today at 914-357-8444 or visit our website here for more information.

Safety Meetings: Advice and Tips

Safety meetings are common in the workplace, and will be almost essential once normal work resumes after COVID-19. The problem with safety meetings is that they are sometimes inefficient: too long, planned at the wrong times, or not executed correctly. There are four simple steps to running a safety meeting correctly in a normal work setting.

Step 1: Prepare and Plan

This is the first part of setting up a safety meeting. Know who will be attending, who will be leading, the location, and so on. Make sure everyone who needs to be at the meeting is informed and reminded in good time. Have a general outline of the main goal or statement you want your employees to hear. From there, you can build the safety meeting around that information.
The worst thing for a safety meeting is to show up unprepared with nothing but a topic and ramble. No one is given helpful information, employees feel you have wasted their time, and morale drops. Make sure you plan ahead.

Step 2: Timing your Safety Meetings

How long your meeting lasts and what time and day it occurs are crucial. Pick a time when employees are most attentive, which tends to be the start of the work day or shift.
The day is also important. Monday seems to be when employees are most tired and least focused. Friday seems to be when workers are out the most and their minds are not fully on work.
Routine is the last thing to plan. Holding a safety meeting one Tuesday is perfectly fine; we do not suggest you plan the next one for the following Thursday. Have a routine time and day: once a month, every other week, or something along those lines is perfect.
Wait until 4 p.m. and the only thing on your workers' minds is which bar has a happy hour. Try the first Wednesday of every month at 9:30.

Step 3: Delivery in your Safety Meetings

Let's face it: your employees most likely have something more pressing to do. They want to get back to work to meet deadlines. The safety meeting should be a routine, quick “check-up” on guidelines. For us, quick means 15-20 minutes, 30 at most.

Don't just read off a piece of paper. Have some slides or graphics ready! People are more attentive when they can see the information. That can include images, facts, or important statements.

Allow about five minutes for employees to ask questions. How else do you know what you said made complete sense to them? If they have questions, give them the floor.

Step 4: Following Up After the Safety Meeting

Try to get some interaction with your audience, either at the end of some of your meetings or through a reply e-mail. Your employees are the ones who sat through the safety meeting; they have the best sense of whether or not it was executed well. Try asking how it could be improved.

Also follow up to make sure they understood the message, possibly by sending an e-mail with a “quiz question” to answer in a sentence. These are a few ways to engage your audience.


Still have a question? Consult a risk advisor today at 914-357-8444 or visit us here at our website

Who Is Exempt From Workers Compensation Coverage?

New York workers' compensation law requires the majority of employers to have appropriate workers' comp insurance coverage in place. However, there are three key exemptions.

Sole Ownership

If you run your business alone and don't have any employees, you may not need to have workers' compensation coverage. You should note, however, that in order not to inadvertently break the law, you must not use the services of volunteers, such as family or friends.

Partnership

Partnerships set up under New York laws may also be exempt, but only where they comply with the provisions applicable to businesses in sole ownership outlined above.

Small Corporation

Where one or two people have set themselves up as a corporation, hold all the offices and own all the stock, they might also be exempt, as long as they have no employees of any kind, as per the other two exempt categories above.

Sub-Contractors

It is important to note that should your otherwise exempt business use the services of sub-contractors, you should make sure they have their own insurance coverage. Otherwise, the New York Workers Compensation Board may rule that they are employees. Similarly, when a sole owner, partner, or small corporation owner works as a sub-contractor, he or she is required to hold personal New York workers compensation insurance.


CyberSecurity: Advice for Prevention

There is no such thing as infallible cybersecurity. No matter how many millions of dollars an organization spends on security, some hacker, somewhere, at some time, may successfully break in. A common example is JPMorgan Chase, which spent close to $100 million to shore up its systems only to find them hacked and sensitive data at risk. Just because hackers may have the ability to continuously overcome firewalls does not mean that individuals and organizations should sit around and wait for the inevitable. There are steps to minimize risk and thus potentially avert a data breach.

Below you will find current methods hackers utilize, along with best-practice preventive measures to protect your systems from such hacks. In addition, a case study illustrates both the risk and lessons learned, stressing the importance of education and developing a culture of security surrounding your organization.

Prevention Is the Best Defense with Cybersecurity

While it is the optimal outcome, preventing a data breach is neither simple nor easy, even when sufficient safeguards are in place. In being proactive, organizations find themselves in the difficult position of having to prepare for something that has not yet happened; they have to forecast future cyber and privacy threats. Doing so often entails poring through mountains of data to find a needle in the haystack: a piece of malware or a threat that can compromise critical data.

Sometimes, as the recent breaches made public clearly show, these threats get lost in the noise. Furthermore, the tech industry's greatest advantage is also its Achilles heel: rapid change. Product cycles move fast, and software updates and patches move even faster. It takes dedicated personnel for organizations to keep up.

Nowadays, security is not just a locked shop door. Digital break-ins happen at any hour, without warning, and with little or no immediate evidence, which is why you need a sound cybersecurity program. If network configuration and the employee education program are lacking, exposure to serious risk and liability is heightened, and valuable digital assets, especially client information, can be lost. This thought may scare you, but do not despair: being informed of these issues is the greatest defense an organization can have.

I. Conduct a CyberSecurity Assessment

The prevention and detection stages of security (those before a breach occurs) are typically informed by a digital security assessment, which goes beyond simply testing an organization’s network for vulnerabilities. An assessment allows for a more complete picture of an organization’s security posture focusing on policy, controls and procedures, as well as the effectiveness of their implementation.

Tech infrastructure is often a “set-it-and-forget-it” affair. How often do you click “remember me” while logging into a commonly visited site to save yourself the hassle of signing in next time? In the same way, digital infrastructure is installed, configured, and then never touched again. To maintain a secure digital environment, it is imperative to test, test, and test some more.

II. Assess the Human Element in Cybersecurity 

When it comes to information security, the human element is just as important as the technology itself, perhaps even more so. Hardware and software require regular human input to make sure devices have the latest updates, security patches, and so on. Therefore, the human element is the single most important aspect of an organization's security posture. It can only be addressed by fostering a culture of security through education and a written acceptable-use policy.

Consider the psychology of a hacker when assessing the role of human vulnerabilities in an organization's cybersecurity. The term “hacker” conjures up a vague but widely held image of the cyber-criminal: a scruffy, socially challenged individual slouched in a swivel chair, typing furiously as indecipherable streams of digits race down the screen. Cue The Matrix.

Compared to other criminals, the hacker largely remains an unknown, impersonal entity, tied intrinsically to a modern era of technological advancement. However, what is often forgotten is that although hackers are primarily recognized for their abilities to manipulate technology, they can be equally adept at manipulating people. Cybersecurity procedures rely heavily on human participation and interactions. The first step of a hacking scheme, the crucial point at which the probability of a data breach is determined, can (and often does) start at the human level. Unsuspecting personnel may encounter a hacker without even realizing it, giving them access to sensitive data simply by offering a Wi-Fi password or log-in credentials.

It is important to recognize that, similar to technology, individuals can be prone to trusting disreputable sources. A hacker is willing to take advantage of the breadth of an organization’s vulnerabilities; consequently, employees are just as vulnerable to attack as technological data sources.

Employees can also download malware without realizing it, for example through illegal downloads or torrents of movies and applications. These unsafe browsing habits can and often do lead to a malware infection. Do not trust an e-mail scanning application or spam folder to stop every malicious message from reaching the inbox. A hacker's job goes beyond exploiting strictly digital vulnerabilities; the successful ones look for human vulnerabilities.

III. Watch Out for Phishing Aggression

To assess and react to the danger humans pose to digital security, it is important to know what the “bad guys” are doing. External hackers have a diverse arsenal of techniques, but a few are especially pertinent because they can affect any employee in an organization. Hackers are often called “social engineers” because they manipulate and trick their targets into giving them access.

One of the most prominent examples is “phishing”: a message, usually e-mail, that lures an unsuspecting victim to a malicious link. The link may lead to a page that harvests the victim's credentials or to a web server that delivers malware, which the user unknowingly runs by opening the page or its attachment.

Even more unsettling, though similar, is a “spear-phishing” attack. Unlike generic phishing, spear-phishing is targeted. Cybercriminals gather information about a victim and use it to construct a fraudulent e-mail intended to trick that specific person. Rather than being obviously nefarious, these e-mails are realistic and tailored to the individual.

For example, in the banking industry, a hacker may send an e-mail dressed up as a communication from the Federal Deposit Insurance Corporation (FDIC). A phishing e-mail does no harm until the user actually clicks the link to the malicious web server or opens the attachment. To prevent this within an organization, personnel need to be trained to identify false links. Before clicking, hover over the link to see the true URL (the visible text of a link and its real destination can differ), or, even better, train employees to type the web address they need directly into the browser.
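A programmatic version of the “hover over the link” check, as an added example that is not part of the original article. It parses the HTML body of a message with Python's standard library, pairs each link's visible text with its real href, and flags the two tricks described above: link text that shows one address while the href goes to another, and a trusted brand (the assumed trusted domains here are fdic.gov and irs.gov) embedded as a label in an unrelated domain. The sample message is constructed for the example, and the registrable-domain helper is deliberately crude (last two labels); real use would need a public-suffix list.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the organization treats as legitimate senders; an assumption for this example.
TRUSTED_DOMAINS = {"fdic.gov", "irs.gov"}


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs from an HTML e-mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(text: str) -> str:
    """Hostname of a URL, or of bare link text such as 'www.fdic.gov/secure'."""
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def registrable(host: str) -> str:
    """Crude registrable domain: the last two labels. Fine for .com/.gov, wrong for .co.uk."""
    parts = host.rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def check_link(text: str, href: str) -> list:
    """Return the reasons a link looks deceptive; an empty list means nothing was found."""
    reasons = []
    parsed = urlparse(href)
    target = (parsed.hostname or "").lower()
    scheme = parsed.scheme.lower()
    if scheme not in ("http", "https"):
        reasons.append(f"non-web scheme {scheme!r}")
    # Visible text that looks like a URL but resolves elsewhere: the "hover" mismatch.
    if "." in text and " " not in text:
        shown = host_of(text)
        if shown and registrable(shown) != registrable(target):
            reasons.append(f"text shows {shown} but link goes to {target}")
    # A trusted brand used as a label inside an untrusted domain
    # (fdic.gov.example.net, fdic-gov.com) is the spear-phisher's lookalike trick.
    if registrable(target) not in TRUSTED_DOMAINS:
        labels = set(re.split(r"[.-]", target))
        for trusted in sorted(TRUSTED_DOMAINS):
            if trusted.split(".")[0] in labels:
                reasons.append(f"{target} imitates {trusted}")
    return reasons


def audit_email(html: str) -> list:
    """Every link in the message, each with its list of warnings."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(text, href, check_link(text, href)) for text, href in parser.links]


# Constructed sample message for the demonstration, not a real phishing e-mail.
SAMPLE_EMAIL = """
<p>Dear customer, your deposit insurance record needs verification.</p>
<p><a href="http://fdic.gov.account-verify.example.net/login">https://www.fdic.gov/secure</a></p>
<p><a href="https://www.fdic.gov/">FDIC home page</a></p>
<p><a href="http://fdic-gov.com/verify">Verify now</a></p>
"""

if __name__ == "__main__":
    for text, href, reasons in audit_email(SAMPLE_EMAIL):
        print(f"{text!r} -> {href}: {'; '.join(reasons) or 'OK'}")
```

The second link in the sample passes because both its text and its destination sit under fdic.gov; the first fails twice (text/destination mismatch and brand imitation) and the third once (brand imitation). The same check can be run at the mail gateway or shown to the user as a warning before the click.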

IV. Provide the IT Department with Useful Tools

While a universal training program informing all employees of their role in the security posture is critical, it is also important to ensure that the information technology (IT) team stays on top of current advances in security and has the resources to minimize vulnerabilities. Often IT staff are more concerned with making sure technology supports productivity than with security. Digital assets vary for every organization, making specific preventive measures hard to define. In general, preventive controls should be audited consistently so that an information security policy can be created and carried out within the specific context of an organization.

As one general example, outdated and unpatched software poses a serious risk. Cybercriminals often target older software because of its longevity: the longer a piece of software is around, the more time they have to build malware on a known exploit that the developer has not yet fixed, or whose fix the organization has not yet applied.

In many industries, including healthcare, legacy technology is becoming a serious problem as an avenue for data theft. Furthermore, preventive measures can become expensive. An organization’s IT team or information security team, however, has a serious leg up on outside threats – they know where the valuable data is. Thorough knowledge of an organization’s infrastructure is a considerable advantage against outside threats. Consequently, it is worth investing in the people who know most about it. The avenues by which data can fall victim to a remote attack are as innumerable as the unique software and hardware contexts of companies all over the world. Keeping a team well equipped is key to a strong security posture.

V. Limit Access to Critical Information

An often under-analyzed piece of the preventive data security puzzle is access control. Simply put, not every employee of an organization should have full access to all data. Even in IT, many recommend that team members use non-privileged credentials for daily activities and reserve administrative accounts for administrative tasks. This is a central step in minimizing risk, as it reduces the number of paths by which data can leave the confines of an organization's network and the number of privileged credentials available for an attacker to steal.

In line with this, it is also crucial to consider internal threats; for example, a disgruntled employee gains access to sensitive data, steals it, and posts it publicly online. Limiting access to critical data on a need-to-know basis can, in some cases, preemptively eliminate this risk. People are a company's biggest asset but also its biggest liability where information security is concerned. Awareness and implementation of policy are key to maintaining that “culture of security”.

VI. Recognize the Risks of BYOD

Practicing and applying security and data access controls is crucial outside as well as inside of an office. Mobile computing revolutionized everything, from the maintenance of cybersecurity to reasonable policies. It is becoming increasingly common for employees to take sensitive data home with them (on thumb drives, laptops, phones, e-mails, cloud services, etc.).

With respect to policy, many organizations favor the cost benefits and flexibility of bring-your-own-device (BYOD) permission, which allows employees to use their personal devices, particularly mobile devices, to store and access company data. Unfortunately, in most instances this policy gives up a defined, universal security strategy and inherently leaves an organization with less control over its data, because standard mobile device management tools are typically not installed on employees' personal devices.

BYOD can also invite unmonitored connections from the organization to the Internet. Many smartphones offer tethering, whereby other devices share the phone's cellular data connection. Traffic over such a connection never crosses the organization's network and therefore cannot be monitored for suspicious activity.

Before simply accepting BYOD as a cost-effective and desired approach, ensure that the organization understands the rules, risks, and rewards of the new policy. If the organization implements BYOD, do so in such a way that the organization maintains a modicum of control. Also, take legal ramifications under consideration and determine whether there are special regulatory concerns particular to a certain industry that need to be worked into BYOD and mobile computing policies. In some industries, such as health care, a lack of central data security policy and control opens up serious liability risks.

VII. Look Beyond Your Employees

Data control goes beyond employees. It extends to any entity that can store, access, or use a company's sensitive data, including third-party vendors. Develop contracts that protect the organization. Third-party vendors can introduce security lapses and vulnerabilities while not holding themselves to the necessary digital risk standards, and the result can be a digital catastrophe.

This is best evidenced by the devastating credit card breach Target experienced in late 2013. Target seemed to have the appropriate controls in place, with dedicated IT staff and security appliances. Thinking that everything was fine with its security practices, management overlooked one critical issue: Target allowed an outside heating, ventilation, and air-conditioning (HVAC) service vendor to connect to the same network that carried point-of-sale traffic. This is an example of how lapses in human execution render good technical security measures ineffective.

Like Target, other larger companies have suffered breaches after failing to audit third-party vendors, such as Boston Medical Center and Goodwill. Smaller third-party vendors are often a hacking “stepping-stone”: compromise them to get to their larger clients, who hold more valuable data. This is especially true today, as even the smallest companies have a digital presence. Once again, a company can have all the proper controls in its own offices while sensitive information held by its vendors is compromised.

To mitigate third-party risk, ensure that the appropriate parties, especially the legal department, are involved in the outside vendor hiring process and that contracts guarantee and protect audit rights. That means adding audit clauses that allow the organization to regularly monitor and check that vendors comply with generally accepted or required standards. Including cybersecurity in the outside contracting process is now imperative.

VIII. Don’t Overlook the Importance of Data Backups

In addition to the risk of compromised data, losing data entirely can be even more devastating. While most large corporations can afford to keep their sensitive data in multiple locations, others cannot. Irrespective of the size of an organization, individual workstations can contain important client data that should be backed up regularly. However many backups an organization maintains, it is important not to get bogged down by sheer volume, and to prepare for the absolute worst: a hurricane, tornado, or other natural disaster that could destroy an entire organization's data in one fell swoop.

Data loss can happen in other ways most people don’t expect.

A couple of months ago, I got a call from a local government agency that had a horrible “ransomware” infection. Ransomware is malware that extorts victims by encrypting their files. It arrives when someone clicks a link in a pop-up or in a “phishing” e-mail. Once it runs, it notifies the user that their files have been locked (often on the pretext that they committed a crime) and that they must pay for the decryption key within a certain time or their files will be inaccessible forever.

Unfortunately, paying the “ransom” does not guarantee the files will be unlocked and mainly serves to line the pockets of the extortionists. In this particular case, the local agency had not kept consistent backups of its data and lost months of work. This infection prompts reflection on something overlooked as a serious risk to daily business activity: data backups, off-site or otherwise. Note that a backup the infected machine can write to (a mapped drive, a continuously syncing folder) can be encrypted along with everything else, so keep at least one copy offline or versioned, and test that you can restore from it.
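What a backup has to satisfy to be useful after a ransomware incident, as an added example written for this page rather than anything the agency above used. It copies a working directory to a separate versioned location with a SHA-256 manifest, verifies the copy against that manifest, and computes the fraction of known files that changed or vanished between two manifests, the mass-change signal that ransomware produces. The `simulate_ransomware` helper and the three client files are constructed for the demonstration; the temporary directory stands in for storage the infected machine cannot write to.

```python
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Streaming SHA-256 so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def manifest(root: Path) -> dict:
    """Relative path -> SHA-256 for every regular file under root."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def backup(src: Path, dest: Path) -> dict:
    """Copy src into a fresh, versioned directory and record a manifest beside it.

    Versioned copies matter: a mirror that faithfully syncs overwrites and
    deletions would replicate the encrypted files over the good ones.
    """
    shutil.copytree(src, dest)
    recorded = manifest(src)
    (dest.parent / (dest.name + ".manifest.json")).write_text(json.dumps(recorded, indent=1))
    return recorded


def verify(dest: Path, expected: dict) -> list:
    """Paths whose content in the backup no longer matches the recorded manifest."""
    actual = manifest(dest)
    return sorted(p for p in expected if actual.get(p) != expected[p])


def mass_change_ratio(before: dict, after: dict) -> float:
    """Fraction of previously known files that vanished or changed content."""
    if not before:
        return 0.0
    changed = sum(1 for path, digest in before.items() if after.get(path) != digest)
    return changed / len(before)


def simulate_ransomware(root: Path) -> None:
    """Constructed stand-in for an infection: overwrite every file and rename it."""
    for p in list(root.rglob("*")):
        if p.is_file():
            p.write_bytes(os.urandom(len(p.read_bytes()) + 16))
            p.rename(p.with_suffix(p.suffix + ".locked"))


def demo(threshold: float = 0.5) -> dict:
    """Back up, infect the working copy, raise the alarm, confirm the backup is intact."""
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp) / "work"
        (work / "clients").mkdir(parents=True)
        (work / "clients" / "a.txt").write_text("client A policy 123")   # constructed data
        (work / "clients" / "b.txt").write_text("client B policy 456")
        (work / "notes.txt").write_text("renewal dates")
        snapshot = Path(tmp) / "backups" / "2021-01-01"
        recorded = backup(work, snapshot)

        before = manifest(work)
        simulate_ransomware(work)
        after = manifest(work)
        ratio = mass_change_ratio(before, after)

        # The snapshot was written before the infection and is outside `work`,
        # so it is untouched and a restore is possible.
        return {"change_ratio": ratio, "alarm": ratio >= threshold,
                "backup_corrupt": verify(snapshot, recorded)}


if __name__ == "__main__":
    print(demo())
```

In practice the manifest comparison runs on a schedule against the live file share: a change ratio far above the normal daily churn is an early warning that encryption is under way, and the same manifest proves afterwards that the snapshot you are about to restore from was not itself touched.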

IX. Develop a Security Culture

It is important to audit all controls that prevent attacks from external and internal threats. Make sure these controls are in place and effective, and test them by attempting to penetrate your organization's digital infrastructure. Take a layered approach to information security: organizations should have not only a digital fence but also a locked front door. In addition to simply having “locks” and “fences”, hold a policy information session that teaches people how to keep the gate closed and the door locked.

Incorporating these provisions into policy and executing that policy through employee training programs moves organizations to a stronger security posture. Creating an atmosphere for effective security is just as important as the security practices themselves.

“Hope for the Best, Prepare for the Worst.”

Balancing cost against preparation is something to consider, and preparation is much cheaper than the fallout of a breach. When it comes to security, prevention is certainly the first choice.

What happens if an organization takes all the preventive measures but still loses data? Technology is constantly updated with new security measures, yet cybercriminals stay one step ahead of the latest ones. One of the primary reasons for their persistence is that a targeted organization’s data is exceedingly valuable. In recent history, credit cards have been an obvious target for the clear monetary value they carry. These breaches have dominated the headlines and are an unfortunate side effect of our increased reliance on the conveniences of credit technology.

X. Recognize the Value of Data

Not dissimilar from the recent credit card breaches, hackers consistently target health data because it is valuable—either for gathering intelligence about specific people or as a tool for identity theft. Historically, it has also not been the most secure. Patient names, birth dates, billing information, and health histories enable complex identity theft and medical fraud schemes.

More importantly, though, this data has a market on the “Dark Web” beyond those who are responsible for stealing it. To put the Dark Web in perspective: Google indexes approximately 17 percent of websites, the part of the Internet where most people browse, shop, and carry out their other online activities. Below the Internet’s surface lurks the Dark Web, where criminals market a variety of goods and services, from passports and drugs to “rent-a-hacker” services for the purpose of ruining someone’s life. Thanks to the Dark Web, stolen client data of all kinds has a market, which increases its appeal.

Even if an organization audits all of its security controls and policies, a new exploit could be found the next day, invalidating a clean bill of security health.

Case Study Illustrates the Risk of Not Participating in Cybersecurity 

The following case study illustrates the point that employee education is key. About a year ago, a large corporation contacted me claiming they had compromised systems. They mentioned an unauthorized $1 million wire transfer to Russia. Management suspected an inside job carried out by one of their employees. They had spent hundreds of thousands of dollars on security appliances, thinking this could not possibly happen to them. However, a review of their infrastructure revealed a lapse: they had adopted a “set-it-and-forget-it” attitude. There was no “culture of security.”

Despite their confidence that the appliances would never allow such a thing, a spam e-mail reached an employee’s workstation. That individual clicked a link and initiated the “Zeus” malware. While the hacker’s toolbox is expansive and variable, certain tools are worth mentioning, Zeus being one of them. Once executed, Zeus monitors an infected computer for certain types of user activity, including online banking. It often remains dormant until a user accesses a financial service or banking website.

Once Zeus identifies the targeted activity (such as banking), it collects confidential data, including a log of all keystrokes and screenshots, and transmits the compromised data to the hacker. In this case, someone had inadvertently left a security token plugged in. The hackers had everything they needed and set the software to wait for banking credentials. After that, all they had to do was log in and initiate the transfer.

This story teaches us that these lapses do happen, even when the victims think they have a great security posture. Fortunately, that company made the right choices in handling its breach of security. Management acted quickly, hired professionals, and assembled the narrative to recoup their money. They carried out reasonable steps for the safety of their customers’ information.

Lessons Learned about Cybersecurity

More often than not, though, incidents come unexpectedly and organizations have little preparation for the worst. Officers and employees often don’t have a clear picture of the chain of command, nor the roles and responsibilities in the face of a breach. This can lead to increased exposure to media and public relations fallout and executive meltdown.

While designing a preventive policy, also write an incident response policy or manual. It should prevent an operational shutdown in the case of a breach and allow for quick, decisive action. Be sure you have the right contacts to respond to such an incident. Be ready for the inevitable, even if it seems impossible.

Specialists can assemble the narrative, from the initial exploit through threat escalation to the context of the data that was ultimately compromised. With that narrative, an organization is better able to prevent a similar attack in the future and has a clear picture of how to handle other tasks related to the breach, such as client notification.

Breach Notification

Breach notification is often overlooked. An organization’s responsibility to notify its clients, partners, and other parties about a breach varies by situation. In certain industries, federal and state regulations are the rule, but in others it is solely up to the discretion of executives. In responding to the public, or proactively notifying clients, it is best to wait until a full investigation is complete. It is important to know that there is a huge difference between an infection (abnormal Web traffic) and a data breach. Evidence of a possible data breach attempt does not mean the attackers were successful. Moreover, even if hackers do steal data, the type of data is central to the notification procedure.

Oftentimes, organizations that suspect a breach will jump the gun and notify their clients before an investigation is complete. In the end, sometimes nothing serious happened—no confidential data was lost or stolen. Notifying clients before knowing there is a legitimate problem is, in and of itself, a huge risk. Understand that some clients might not be comfortable continuing business with a company that disclosed a breach. Organizations need to do themselves a favor and rule out the possibility of a false alarm first. That said, it is important to incorporate client notification as part of the defined incident response plan. It is always best to be proactive, but don’t inform clients or authorities until a serious breach has definitively happened.

Complete a Thorough Investigation

In the unfortunate case that personally identifiable information was stolen, it is important to work closely with legal professionals. Cybersecurity is very much a legal issue, with unique legal considerations. As previously alluded to, there are regulatory considerations that vary greatly between industries and states—for now. Until there is an overarching federal regulation that applies the same requirements to all industries and defines which types of stolen data must be reported, the current compliance and digital security laws remain in force, and they are a patchwork.

Similarly, after an incident, education is still the most important aspect of preventing another breach. Take an incident or a breach and use it as a valuable learning opportunity. After a security breach investigation, walk employees through every detail of what happened. Pinpoint what the failures were and, most importantly, learn from the event and prevent the same thing from happening again. Hold the entire team responsible for a breach in security, not just one employee.

Conclusion & Takeaways of Cybersecurity

Preparation is key in any prevention strategy, and optimal security always starts at the human level, especially with cybersecurity. Best cybersecurity practices are just that—practices. Cybersecurity measures are always a work in progress and reflect the constant stream of new technology. It takes time to discover, learn, and implement the best methods. Ongoing education within this “culture of security” is imperative in trying to implement the best possible procedures. In this case, knowledge truly is power.

Download Our Cybersecurity Considerations Checklist

For More Information on Cyber Security Risk click here or call one of our Risk Advisors at (914) 357-8444.

How to Avoid Overexertion in the Workplace with Statistics

A common cause of New York workers compensation insurance claims is overexertion. In fact, the Bureau of Labor Statistics recently published 2017-2018 overexertion statistics. They found that overexertion injuries caused days off from work, and naturally WC claims, in 295,000 cases in 2017 and 282,000 cases in 2018. These account for 31% of the non-fatal work injuries that cause lost work days. Overexertion can result from a wide range of activities, such as lifting, carrying, throwing, pushing, or pulling. Although it is easy to overexert muscles, there are a few simple tips you can give your employees to help prevent such injuries. These nearly 600,000 injuries and the days lost to them are all preventable by doing simple daily routines differently. Here are a few examples.

Start Easy

Many people have a tendency to try to do too much when first starting a project. The result is that they end up injuring themselves, which means their work has to be put on hold until they heal.

Pace Yourself

Some make it a point to work as fast as possible. Unfortunately, they do not seem to realize that they could easily injure themselves while working at such a quick pace.

Know Your Limits

Regardless of the activity that a person is doing, it is always a good thing to know when to ask for help. Many people injure themselves by overdoing an activity, such as lifting a box that is clearly too large for one individual.

Set Obtainable Goals

Many times a person sets goals that he or she has no hope of actually reaching. By being reasonable with their workload, employees reduce the risk of injuries while still earning a sense of accomplishment.

Overexertion could happen regardless of how physically fit a worker is. This is why it is important to train your employees in the proper way to perform their job functions. Otherwise, you may be facing a New York workers compensation insurance claim and staff shortages.

National Safety Month 2020

June is National Safety Month. While safety should be at the forefront year-round, let us use this time to highlight workplace safety. Effective risk management strategies, which include claims management and timely claim reporting can help organizations mitigate losses, and also identify weaknesses in their own safety program.

The National Safety Council (NSC) created National Safety Month to increase awareness of workplace safety and to promote a safety culture. It has taken place every June since 1996. This year the safety council is focusing on these topics, among many others:

  • Mental Health
  • Ergonomics
  • Building A Safety Culture
  • Driving 

Creating A Culture Focused on Safety

Does your organization have a safety committee?

Creating a safety committee is one of the many ways an organization can control the frequency and severity of workplace accidents. Taking a proactive approach by establishing a well-developed safety program promotes the idea that workplace safety is a top priority for the entire organization.

It is a collaborative effort, encouraging employees to participate in, as well as help implement, an effective program. Giving employees a voice in matters relating to their own well-being can help facilitate better outcomes and ultimately lower costs for Workers’ compensation claims. We suggest reading this article on starting a safety committee for your organization for more information.

Fall Prevention

Falls are the #1 cause of fatalities in the construction industry. Additionally, falling objects contribute to a high incident rate. Every worker should be trained on the proper setup and safe use of fall protection equipment, including ladders. Implementing a “Ladders Last” program is one way your organization can help protect employees from falling. A “Ladders Last” program is based on the idea of prevention versus protection.

To learn more about a “Ladders Last” safety program click this link.

Ergonomics

Ergonomics is a great way to reduce the number of workers’ compensation claims due to overexertion. Overexertion contributes to 35% of all work-related injuries and is also one of the largest contributors to workers’ comp costs. Prevent overexertion through regular exercise, and see a doctor if an injury occurs.

Work with groups of employees to create an ergonomic training program that works for your organization. Employee participation is a great way to promote ergonomic safety. Stretches led by employees are one way to promote safety in the workplace. Ergonomics isn’t just for employees who move heavy objects. Sedentary employees may also benefit from these same practices.

Driver Safety 

How’s my driving? If your organization relies on drivers for day-to-day operations, you are already aware of the risk involved. A focus on driver safety is one way to help keep costs down and protect your workforce. Identify your high-risk drivers, the ones constantly racking up points on their driver’s licenses. Consider pulling them off the road or even enrolling them in a driver safety course. Identify trends: is one employee always involved in rear-end collisions, as if he were not paying attention? Has another driver been involved in more than 2 vehicle-damage accidents in the same year? Identify the trends and take action. Learn how to identify high-risk drivers and help correct their behavior.

Additional Safety Resources From Metropolitan Risk

  • Incident Investigation Guide – Identifying the root cause of a workplace injury through thorough accident investigation allows the employer to take corrective action to prevent it from happening again. 
  • Download our infographic on the leading causes of workplace accidents.
  • Ladder Safety Program Guidelines – A “Ladders Last” program helps minimize fall risks at your organization.

Still have questions? Still want more information? Call 914-357-8444 to contact a risk advisor today. Also, click here for more information.