Meeting cybersecurity risks head-on: A guide to breach preparedness

How would you manage a data breach? No company is immune to cyberattacks and data breaches. Read on to learn how you can prepare your business.


Gauging a company’s true data breach risk from the outside is a difficult endeavor for insurers, with challenges both technical and informational. But even less attention has been paid to how companies would manage a breach if it happened, which has an enormous impact on the toll of the final damage.

No organization is immune to breach. If the National Security Agency can lose data, anyone can lose data, yet the scope of the current issue is still astounding.

According to another insurance company's 2017 cyber readiness report, 72% of large U.S. businesses — nearly three out of four — and 68% of small- and mid-sized businesses — about seven in ten — reported cyber incidents in the previous year. Among these, close to half (47%) experienced two or more cyber incidents during that same time.

The largest breaches, affecting big-name companies like Equifax, Target, Home Depot and many others, drew substantial headlines because of the huge number of identities involved. But almost every business holds some sensitive information, either regarding its customers or its own intellectual property, finances or employees. In fact, smaller organizations often lack the internal resources to dedicate towards preparedness, making them very attractive targets for hackers.

Assessing the threats to your business

The first challenge with measuring a company’s risk exposure relates to the industrywide problem of tying compliance and policy to actual security. A company may have checked all the right boxes on paper, but doing so guarantees little about their actual cyber risk position.

The second issue is that people often matter much more than technology.

The public conversation focuses on high-profile hacking events, but data breaches are even more likely to be the result of internal issues, including breakdowns in training, procedure or plain old mistakes.

The overwhelming majority of all cyber attacks are successfully executed with information stolen from employees who unwittingly give away their system ID and access credentials to hackers or provide a gateway via a malware link embedded in some form of communication.

One of the most important components of an effective data breach readiness program is mandatory and frequent training to remind employees about the importance of security awareness.

Education in information security best practices can help arm a team against threats such as phishing, man-in-the-middle attacks, malware, and ransomware, substantially lowering the long-term risk.

An accurate understanding of a company’s sector-specific risks is another important point of departure in corporate cybersecurity. Healthcare employees, for instance, need to be especially on guard for EHR-related attacks and RDP server breaches, like the ones instigated by the SamSam virus (which took down Allscripts last month).

Other industries are more vulnerable to loopholes in common business apps; still, others are more frequently victims of point-of-sale malware or e-mail phishing scams. Once businesses understand where and how they are most likely to be targeted, they can begin providing training that takes into account the need for added vigilance in these specific areas.

The final challenge in correctly identifying breach risk involves understanding the extent to which recovery costs can vary. Discrepancies in cost depend not only on the severity of the breach, but also on how well the organization responds. Globally, the average cost to recover from a security breach is $158 per impacted individual, but that varies from $60 to $400 per person.

While more companies than ever before are now either considering or have taken out some form of cyber insurance, this should not be treated as a risk that can simply be offloaded. Smart organizations are increasingly focusing on proactively identifying data breaches and preparing to efficiently react to them in advance of a data breach crisis.

Proper preparation means more education

The most devastating impacts of a data breach can only be avoided by coupling breach awareness and prevention efforts with readiness and response planning ahead of a cybersecurity incident.

Comprehensive breach readiness plans break down both pre-emptive and retrospective action steps by department: it’s sensible, for example, to task IT personnel with monitoring cloud connectivity and identifying network loopholes while entrusting financial staff with detecting suspicious activity along company bank and credit accounts.

Customer relations experts and account managers, on the other hand, are likely the best resources for overseeing client communications during and after a data breach, helping to re-establish trust and informing their consumer-facing workforce.

Here, inter-departmental communication is paramount: all workers should understand how and to whom they are to report possible breaches or scams, and when such breaches occur, the entire company should know what to expect employees in every department to do next.

Even for the most cyber-savvy corporations, however, internal resources alone are not enough these days. Outside resources are often critical to mitigating the threat of cyber attacks, stopping them once they start and restoring company functions in a breach’s aftermath.

Establishing relationships and negotiating agreements with external subject matter experts is better done far in advance of an actual data breach. Contractual terms can be negotiated without the chaos and urgency of a crisis situation. The same is true for interfacing with law enforcement and regulatory agencies.

Knowing whom to contact and having an established communication chain can pay off when trying to execute an urgent data breach response.

Both internally and externally, the human element of cybersecurity remains a business’s best defense across an ever-widening threat landscape. With the right planning and a rapid response team, companies should be able to withstand a breach with the least damage possible, limiting losses – and claims.

SOURCE: Thompson, J. (2 March 2018) "Meeting cybersecurity risks head-on: A guide to breach preparedness" (Web Blog Post). Retrieved from https://www.propertycasualty360.com/2018/03/02/meeting-cybersecurity-risks-head-on-a-guide-to-bre/


Construction Risk Advisor - July 2018 Edition

DATA SCIENCE TO BOOST EFFICIENCY AND SAFETY


In order to improve worker safety and boost efficiency, about 20 construction companies have launched data science initiatives over the past few years.

One of those pioneers is a Boston-based company whose data scientists have developed an algorithm that analyzes photos from its job sites and then scans them for safety hazards. The algorithm then correlates those images with its accident records.

Although the technology still needs some fine-tuning, the company hopes to use the algorithm to rate project risks. As a result, the technology could prove extremely helpful in detecting elevated threats and then intervening with safety briefings.

Combining the data collected from these efforts could also be used to forecast project delays. Although data science is somewhat new to construction, a recent McKinsey report said that firms could boost productivity by as much as 50 percent through real-time analysis of data.

Newsletter Provided by: Hierl's Property & Casualty Experts


AVOIDABLE ESTIMATION MISTAKES IN CONSTRUCTION


In the past three years, only 31 percent of construction projects came within 10 percent of their budgets, according to RSMeans, a provider of construction cost information. Completing projects within budget is a constant challenge for many contractors. Here are five estimating mistakes to be aware of, along with best practices to combat them.

1. Unrealistic expectations—Don’t rely on ideal or worst-case scenarios, which can lead to impractical estimates. Find the middle ground to avoid setting expectations too high and blowing timelines.

2. Flying solo—Don’t be afraid to use outside data sources from a credible third party. Create a realistic estimate by including a combination of your own historical data and their custom data.

3. Lack of or wrong permits—If you lack permits or have the wrong type, work can come to a standstill. Factor proper permits into your estimate, as well as their corresponding costs.

4. Unclear parameters—Parameters must be established clearly at the onset of each project. Make sure you clearly understand your clients’ limitations and restrictions before creating an estimate to avoid unnecessary change orders.

5. Missing details—A lack of knowledge, missing items or generalized task descriptions can lead to estimates that are too low. Take the time to account for all necessary materials, labor and equipment by referencing similar work done in the past or detailed cost data from a third party.


Cyber Risks and Liabilities July/August 2018

Training Staff to Guard Against Cyber Attacks


Using mobile devices to work remotely is becoming the new norm. But when your employees use phones, tablets and laptops to access your network and do their jobs, they’re essentially providing hackers with more entry points, leaving your organization highly vulnerable to attacks.

No matter how many security measures you take, they’re useless if you don’t supplement them with employee training. Here are five ways to help employees protect your company from cyber attacks:

  1. Offer training on phishing and spam. Show your employees what to look for so they can alert IT if they receive a suspicious email. You can also use phishing simulator training tools, which attempt to trick your employees into opening the wrong types of email. The employees who click on those emails can then be flagged for additional training.
  2. Provide strong password training. Passwords should be changed on a regular basis and contain more than seven characters, an uppercase letter, a number and a symbol.
  3. Teach employees to report problems. Even if your employees clicked on something they shouldn’t have, it’s important that they feel comfortable reporting their infractions so any potential threat can be addressed immediately.
  4. Insist that your employees update all software when new updates become available. Vulnerabilities spread like wildfire among hackers. If employees fail to perform updates, they’re allowing hackers access to the device and possibly your entire network.
  5. Give remote access and Wi-Fi training and set up a virtual private network (VPN). Any employee that works remotely should use that VPN at all times for all activities.

Businesses Need Both Cyber Threat Intelligence and Business Risk Intelligence


Devising an all-encompassing strategy that protects your organization from cyber criminals, data breaches and other cyber security threats is no easy task. You need to ensure protection from not only hackers, but also the actions of your own staff.

Your employees may not intentionally threaten your organization, but without proper training and policies on using, storing and transferring data, there will always be a chance of them inadvertently putting your business at risk. In order to protect against such threats and react accordingly, businesses need two types of intelligence: cyber threat intelligence and business risk intelligence.

Cyber Threat Intelligence

Cyber threat intelligence is information that has been collected, evaluated and analyzed. It involves looking outward, always being on the defense for potential cyber threats and turning unknown threats into well-known, mitigated threats. Cyber threat intelligence helps organizations understand the threat landscape they face and improve the effectiveness of their defense.

Cyber security analysts can use the data from their own internal security systems and outside vendors to build an understanding of the threats they face. They may also enlist the help of outside providers who understand the behavior of cyber criminals, as well as the long-term trends and short-term risks that might affect a particular sector.

Business Risk Intelligence

Business risk intelligence addresses the broader risks facing a business, including the digital risks. Due to the connected nature of the “internet of things,” business risk intelligence can also include cyber threat intelligence. But unlike cyber threat intelligence—which primarily affects the day-to-day operations of a company’s chief information security officer—the impact of business risk intelligence is likely to be felt across the entire executive suite.

A company with business risk intelligence is aware of the broad risks it faces. That may include insider threats to the physical security of staff or the risk of engaging with third-party vendors in the supply chain. Any type of activity that can alter business operations can be combatted with business risk intelligence.

Save Your Website from ADA Lawsuits


The Americans with Disabilities Act (ADA) of 1990 prohibits discrimination based on disability, which involves ensuring that everyone has reasonable access to all areas of public life. Although the ADA doesn’t explicitly mention the internet, the federal government has taken the position that Title III of the ADA covers access to websites of public accommodations, including service and rental establishments, retail stores, educational institutions and recreational facilities.

Currently, ADA website compliance is only mandatory for government-managed websites. However, the absence of laws enforcing ADA compliance for websites of public accommodations hasn’t prevented people from filing lawsuits against companies that don’t meet the suggested guidelines.

Businesses in health care, government and education have been the most common targets of these lawsuits. Attorneys looking for easy money typically target small businesses’ websites by offering a low settlement fee. If your business is targeted by an ADA website compliance grievance, consider taking the following steps in response:

  1. Review the grievance for credibility. A lawsuit may likely begin by citing “violations of the Americans with Disabilities Act, Title 42 U.S.C. 12101 and 12181.” It may also include an inexpensive settlement option—a prime indicator that the lawsuit has no legs to stand on and is likely a scam.
  2. Consult a lawyer. Doing so will help determine the credibility of the threat and stop future threats to your business.
  3. Respond to the plaintiff. Ask your attorney to draft something explaining that you’ve reviewed their grievance and consulted a lawyer. Realizing that you’ve sought legal help may scare away anyone trying to file a lawsuit.
  4. Update your website. Do this regardless of whether there is a legal need. If your site is easily accessible by people with disabilities, you may see beneficial returns from those users.



Safety Focused Newsletter - July 2018

Back Strain: A Workplace Risk for Every Employee


Back injuries are common in the workplace and are typically the result of a strain or sprain to back ligaments or muscles, the spinal cord, thoracic spine, lumbar spine, sacrum or coccyx. What’s more, you don’t need to work in a manual labor-intensive job to experience back problems. Employees of all kinds can maintain back health by keeping these tips in mind during their workday:

  • Take small breaks throughout your workday and stretch regularly.
  • Manage your stress level to reduce discomfort and back pain.
  • Exercise and stay active to reduce your chances of developing back pain.
  • Adjust your posture frequently.
  • Position your desk chair so your feet are flat on the floor.
  • Lift with your knees, and keep what you are lifting close to your body. Ask a co-worker to assist you when performing tasks that require heavy lifting, pushing, pulling or throwing.
  • Drink enough water and eat a healthy diet. This helps keep your spinal discs hydrated and healthy.
  • Watch where you walk. Many back strain injuries are the result of involuntary motion, like an attempt to recover from a slip.

It may also be a good idea to work with your manager to plan your working hours in a way that helps you avoid long periods of repetitive work.

EMPLOYEES DO NOT NEED TO WORK IN THE CONSTRUCTION INDUSTRY OR A MANUAL LABOR-INTENSIVE JOB TO EXPERIENCE BACK PROBLEMS.

5 WAYS TO IMPROVE COMMUNICATION

  1. AVOID CLICHÉS
  2. BE BRIEF
  3. BE SINCERE
  4. AVOID ARGUMENTS
  5. ALLOW OTHERS TO RESPOND WITHOUT INTERRUPTION

How Employees Can Improve Workplace Communication


Communication is key in all aspects of life, but especially in the workplace. Without good communication, employees and productivity can suffer.

However, there are things you can do to establish better communication and improve the way things are done at your workplace. When it comes to interacting with your co-workers, keep in mind the following:

Make sure you are being clear and concise.

This applies not only to face-to-face conversations, but also to emails and all other types of communication. Your messages should be complete and include everything you want to convey.

Listen carefully. Don’t respond to what someone has said—aloud or in your head—until they have finished speaking. If you start thinking about a response before your co-worker has gotten their message across, you could miss important pieces of information and derail the conversation.

Summarize what you’ve said. After you’ve given a long-winded speech or written an extensive email, go over the basic, most important points. This will help refresh your listener’s memory and potentially weed out opportunities for miscommunication.

Make meetings meaningful. Schedule a meeting to elaborate on complex tasks and make the most of scheduled time. Don’t stray from the topic, and keep conversations productive.

Follow up in writing. No matter how compelling a meeting or conversation was, it’s likely that people will not remember everything that was shared. For important matters, follow up with an email that highlights key takeaways from the conversation or meeting.

Above all, it’s important to be mindful of your body language and tone when you communicate. Together, these strategies ensure clear, effective correspondence.



Agriculture Risk Advisor - July/August 2018

FARM BILL UPDATE


On June 13, in a 20-1 vote, a Senate panel approved a modest, bipartisan rewrite of federal farm and nutrition programs. The sole vote against the bill was by Sen. Chuck Grassley, R-Iowa, because his amendment to limit subsidy payments was omitted.

If passed, the legislation would renew farm programs that include subsidies for crop insurance, farm credit and land conservation. It would also extend the Supplemental Nutrition Assistance Program (SNAP)—formerly known as the Food Stamp Program—which helps feed more than 40 million people.

The House failed to pass a version of this bill in May due to a still unresolved immigration debate. Contrary to the Senate farm bill, the House is asking for greater job training opportunities for SNAP recipients. However, the bill has been heavily criticized for what some call a poor design and the possibility that it could exclude 2 million people from SNAP.

The current food and farm bill expires at the end of September. Although enacting the legislation this year is unlikely, a short-term extension is expected when the bill is brought back to the floor.

NEW WEB TOOLS FOR CATTLE MARKET


Two new web tools created by the Noble Research Institute will allow cattle producers to easily access Oklahoma cattle auction data. The tools include a price slide table and market charts.

PRICE SLIDE TABLE

The first web tool is a breakdown of the price slide (PS) and value of gain (VOG) for the reported markets. The PS and VOG tool looks at the sales receipts for the selected market, as well as frame size, gender, yield grade and the sale date to give producers a glimpse at the type of cattle buyers are looking for.

Cattle with notes about their features aren’t included in the table in order to prevent the PS and VOG from being affected. However, a link to the original USDA-AMS report is provided near the top of the page for producers who want more details and to see where the original data was taken from.

MARKET CHARTS

The second web tool is a set of charts for slaughter, feeder and replacement cattle. The tool offers an option to compare each group across whichever markets the user selects, either during a specific year or across years.

The auction comparison tool was designed to provide producers with information to help them in their marketing and purchasing options. By comparing years, producers can better evaluate how the current year is stacking up against previous years for a particular market.



Construction Risk Advisor - June 2018 Edition

ARE SIGNING BONUSES ENOUGH TO KEEP WORKERS?


As the shortage of skilled labor in construction continues, it’s becoming more common for contractors to offer one-time bonuses to attract skilled workers. In fact, according to the Associated General Contractors of America, close to one-quarter of contractors reported using bonuses to attract employees, ranging between a few hundred dollars to over $1,500 per worker.

What employers like about bonuses is that they’re one-time payments that don’t affect employees’ base pay. However, there is a drawback to offering an incentive for getting skilled workers in the door—there’s no proof that they’ll stay, especially if they can easily find another job elsewhere. Workers can stay long enough to collect the bonus but then leave for another opportunity, and yet another bonus.

According to the Bureau of Labor Statistics, construction pay in the U.S. only rose by a meager 2.4 percent in 2017, even though construction costs are increasing. Unless employers offer competitive pay, it may be difficult to keep workers.

TIME TO GET ON THE CLOUD


By using the cloud, construction companies have been able to completely overhaul the way they interact with each other and with their workers. In a nutshell, the cloud consists of multiple networks of servers that allow apps to be accessed anywhere through the internet instead of confined to a particular computer or network.

Contractors that have projects and crews in multiple locations especially appreciate the benefits of the cloud, since it is efficient and allows for the seamless transfer of information.

What’s more, the cloud allows construction companies to utilize software-as-a-service solutions that are updated automatically as opposed to using traditional products that need to be manually installed and periodically replaced with newer versions.

SMALL CONTRACTORS BENEFIT TOO

Small contractors tend to be under the assumption that using the cloud is either too complicated, too expensive or intended for large construction firms. However, smaller firms may actually benefit most from using the cloud. In fact, the cloud has helped small contractors develop smarter work practices that have allowed them to become more profitable.

The smarter work practices made possible by the cloud can eliminate time- and money-wasting redundancies traditionally caused by the disorganized flow of paperwork and emails.

The overall lower cost of using the cloud also puts small contractors in a better position to compete with their larger competitors for projects.


Safety Focus Newsletter - June 2018 Edition

Your Role During Safety Meetings


One of the most effective ways to promote a healthy working environment is to get involved in company safety meetings. These informal, brief meetings allow you the opportunity to stay up to date on potential workplace hazards and safe workplace practices, such as machinery use, tool handling and equipment use.

When it comes to workplace safety meetings, you should keep the following in mind:

  • Attending safety meetings is mandatory. Be aware of what days your employer holds meetings, and plan accordingly.
  • Actively participating is important. Some of the best safety ideas come from workers, often because they know what and where the dangers are. If you have something to add during safety meetings, don’t hesitate to speak up.
  • If you have an idea for a safety topic, chances are others will find it of interest as well. Feel empowered to share safety concerns and improvements with your supervisor.

Above all, it’s important to take safety training seriously. Together with the help of your peers, employers can use safety meetings, training and hazard identification practices to ensure workplace health and safety.

4 Ways Employees Can Supplement Wellness Programs


Workplace wellness refers to the education and activities that a worksite may do to promote healthy lifestyles for employees and their families. Workplace wellness programs can increase productivity, decrease absenteeism and raise employee morale.

Because employees like you spend many of their waking hours at work, the workplace is an ideal setting to address health and wellness issues. While it is an employer’s job to implement general wellness policies, there are a number of things employees can do to supplement health initiatives.

Specifically, to improve physical and mental health and to enhance their employer’s wellness programs, you should do the following:

  1. Eat sensibly. It’s easy to snack at work, particularly if your office is equipped with vending machines. When it comes to healthy eating, moderation is key. Eat a healthy, filling breakfast and substitute greasy food with salads.
  2. Drink plenty of water. Dehydration can cause ill effects, such as drowsiness and sluggishness. Aim to drink between six and eight glasses of water every day. Doing so can even reduce hunger.
  3. Stop smoking. Tobacco use increases your risk for heart disease, cancer, stroke and chronic obstructive pulmonary disease. Abstaining from tobacco is one of the best ways to protect your health and get the most out of wellness programs you participate in.
  4. Manage your stress. Too much stress can lead to insomnia, anxiety, depression, low morale, short temper, headaches and back problems. Finding ways to manage stress will not only improve your physical and mental health, but it can also help you approach wellness initiatives with a positive mindset.

5 BENEFITS OF WORKPLACE WELLNESS PROGRAMS


1. IMPROVED PRODUCTIVITY

2. LOWER HEALTH CARE COSTS

3. A STRONG SENSE OF ACCOMPLISHMENT

4. WEIGHT LOSS

5. LESS STRESS


FBI Urges Consumers to Reset Their Routers to Prevent a Malware Attack

Your cyber security is important to us. Consider protecting yourself from the recent growing malware attacks and keep your data safe with these recommendations.


Recently, researchers at Talos—a cyber intelligence unit of Cisco—warned consumers of malware (malicious software) that specifically targets networking devices. The malware, which is known as VPNFilter, impacts an estimated 500,000 routers worldwide, particularly targeting devices from the following manufacturers:

VPNFilter Could Collect Your Information Without Your Knowledge

Once on your equipment, the malware could stop your router from working, collect information from any systems that run through it and even block network traffic. Experts are concerned over the scope of the attack, as anyone owning a router from the affected manufacturers could be at risk, including businesses and individuals.

Agencies like the FBI have also expressed concern over VPNFilter, as this particular brand of malware can be used in espionage attacks on military, security and other government organizations.

Reduce Your Risk by Resetting Your Router

Unfortunately, there’s no simple way to tell if your router is infected. To protect yourself, it is recommended that you:

  • Reset your router to disrupt the malware. This can be done by simply turning the router off and on or holding the reset button down on your device. For further protection, you may want to consider doing a factory reset of your router.
  • Install any firmware updates. These updates are typically found on the manufacturer’s website. You may need to search by your router’s model number, which can be found on the back of the device.
  • Create a new, secure password for your router.
  • Disable remote management settings.

For help performing any of the above steps, contact your router manufacturer or click the links provided in this News Brief.


Protect Yourself From Cyber Attacks

In today's world, a day does not pass without a large company being featured on the news because they are suffering from a data breach or hacking incident that has threatened personal information.

Cyber security is a concept that has become a high priority in the past five years. Since this issue is fairly new, demand for cyber insurance is emerging, since most cyber related claims are currently not covered under a standard insurance program. The questions that arise the most regarding cyber security and liability are about understanding the level of exposure a company's data faces and knowing what cyber coverage encompasses.

VP, Property & Casualty

Large companies are not the only ones at risk; it is often small businesses that are most vulnerable simply because they are not prepared. Most small (under 250 employees) businesses do not have the IT staff necessary to help protect a business. Even manufacturing companies are at risk because while credit card information is a large component, it is not the only type of attack. Can you afford the risk of not protecting your employee, client and company data?

With 10+ years of experience addressing cyber risks, Hierl's process of approaching cyber security begins with an assessment of a client's risk and exposure. This involves knowing what data a client has, who has access to it, how it's stored and how they are backing it up. Hierl can expertly evaluate the coverage that is necessary to keep an organization secure.

Because it is an emerging coverage, cyber insurance plans are not standard. Hierl advises a three-fold type of coverage including:

  • Business coverage for customers and employees
  • Protection for your company and the data it houses
  • PR assistance if a security breach occurs

The best policies offer assistance to help you to work through things if something was to ever happen, as well as forensic and technical assistance to determine how the breach occurred.

"Many Organizations that have suffered cyber-crime are sophisticated, big businesses. If they can't stop these attacks from happening, most other businesses can't either."

If it is determined quickly that a breach has happened and a good backup exists, a company can recover quickly and the attack is much less damaging. However, attacks become most expensive when a company's data gets out in the wild.

The 2016 Ponemon Institute Cost of Data Breach study reported that the average cost of a lost record rose from $154 in 2015 to $158 in 2016. Even if you only have 20 employees now and that doesn't seem all that bad, you need to think about how many employee records you have from the past 10 years. Cyber-attacks don't just affect current records, nor do they only target employee data; they target client and company data too. This type of insurance is becoming a must-have coverage for businesses because of how sophisticated these attacks have become.

Three reasons to explore cyber coverage for your business:

  1. There is a higher incidence of cyber crime
  2. The longer it takes to detect and contain a data breach, the costlier it becomes
  3. Effects of a cyber-attack extend beyond monetary and data losses to losing businesses and customers

If you'd like to know more about protecting your company from a cyber breach, please reach out to Cathleen at 920.921.5921 or send her an email via cchristensen@hierl.com.
