Risk Management Bulletin

MY SITE’S BEEN HACKED – NOW WHAT?

By Risk Management Bulletin

Hackers breach dozens of business web sites every day – and too many of these break-ins remain undetected due to the sophistication of the attacks and/or a lack of cybersecurity awareness among the victims.

Once you realize that bad guys have hacked into your site and stolen customer data, here’s what you should do, advises Ilia Kolochenko, CEO of internet security firm High-Tech Bridge SA (Geneva, Switzerland):

First, as soon as you learn how your site was compromised, patch the vulnerability or weakness hackers used to get in – otherwise you’re leaving yourself wide open to more hacks.

Next, notify all customers whose personal data was stolen to change their passwords immediately. Assure them that you’re investigating the breach and will do your best to make sure it will never happen again. Although this notification is essential for the security of your customers (as well as a legal obligation), let them know individually; do not publicize the incident. Hackers often carry out break-ins in order to harm a company’s reputation for providing a secure site.

Finally, file a criminal complaint against the attackers, even if they’re hidden behind a chain of proxy servers. It’s the job of law enforcement and security companies to identify and prosecute hackers. Don’t be too optimistic; many of these cybercrimes go unsolved. However, reporting the break-in might well bring results – and will show customers you’re committed to keeping their data safe.

The bottom line: do all you can to protect your web site against hackers – and be sure to invest in comprehensive cyber liability insurance coverage that can minimize losses to your business.

We’d be glad to review your exposure to cybercrime and recommend the policy that’s best for you.

MAKE RISK MANAGEMENT EVERYBODY’S JOB

By Risk Management Bulletin

Reducing the risks your business faces should be the business of everyone in the organization. Unfortunately, when employees and managers see a potentially risky or unsafe situation, they often fail to speak up – thus endangering fellow workers, not to mention the potential loss of productivity, revenue, and profits due to workplace accidents.

The reasons for this reluctance aren’t hard to find:

  1. Overemphasis on productivity. Many managers turn a blind eye to hazards because they’re focused on increasing production. Whether they’re making widgets or constructing a building, they perceive anything that might slow this process, such as safety control measures, as an obstacle.
  2. Personal experience of taking frequent risks without harm. A homeowner who has been climbing on his roof every fall for years to clean out the chimney with nothing but experience between him and the driveway will be unlikely to report potential risks.
  3. Continuing risky behavior despite close calls. Think of repeat drunk drivers or skiers who won’t wear a helmet because they believe that they’re immortal.
  4. Workplace machismo. The ironworker who refuses to tie off at 28 feet up because “it takes away my manhood” remains the classic example.
  5. Fear of unemployment. An employee who refuses his supervisor’s order to operate a dangerous machine without proper safety precautions is likely to be out of a job.
  6. “System Creep.” Over the years, every safety system shifts inevitably from what’s right to what’s allowed. This phenomenon led directly to the Columbia shuttle disaster.

Because there had been several previous incidents of foam striking orbiters during launch, NASA came to accept these anomalies as the “new normal,” and the missions all went well – until they didn’t.

Educating all your employees to get beyond these attitudes should play a key role in creating a comprehensive risk management “culture” in your business.

SAFEGUARDING CLIENT INFORMATION – THE LOW-TECH WAY

By Risk Management Bulletin

Even though your business uses the latest cyber-security systems to protect confidential client data, low-tech thieves might well be tapping into this information without your knowledge: “Dumpster divers” rummage through company trash for discarded passwords and records. ATM cardholders often write their PIN code on the card itself. People hold loud “confidential” conversations in coffeehouses or walking down the street.

Have you ever considered how much of your customers’ private information might be left lying around the office? Fellow employees, cleaning crews, other customers, and repair people can easily walk by an absent employee’s desk and see confidential information scattered about or left on the computer screen. While you’ve invested in software to protect files against hackers, those same files could be sitting open in your office for all to see – and don’t overlook the most obvious and massive security breach in any organization – human error.

Walk through your business after hours or while employees are at lunch and see how much information is left openly accessible. Sit in the middle of the office or at the next booth or table at lunch, and listen for how much of your employees’ conversations (and possibly confidential customer information) you can overhear.

Then decide what you can do to minimize this risk. Make sure that desktops are clear at night; add password-protected screen savers to your computers (and change the passwords often); and remind employees to be sensitive about what they reveal in public conversations.

It’s far better to clean up this problem now than to have it clean you out later.

Our agency’s risk management specialists stand ready to offer their advice at any time.

‘IT’S COLD OUTSIDE!’ – PROTECT YOUR OUTDOOR WORKERS

By Risk Management Bulletin

The nation’s record-breaking “polar vortex” cold snap last month reinforces the need for businesses to reduce the risk of injuries or accidents to employees working out of doors under winter conditions.

The human body has a core temperature of 98.6°F. Unconsciousness can occur at 86°F, and death below 73°F. Symptoms of a dangerous temperature decrease include persistent and severe shivering, fatigue, lack of co-ordination, drowsiness or apathy, hallucinations, resistance to help, and skin that turns blue before becoming pale and dry.

Employees working outdoors in extremely cold weather face two major health problems: frostbite and hypothermia. Frostbite freezes and crystallizes the fluids in body tissues and cellular spaces, which causes blood clotting and reduces the flow of oxygen to affected areas and deeper tissues. Hypothermia develops when the body can no longer maintain its core temperature and attempts to reduce heat loss by shutting down blood flow to the skin, arms and legs, as well as shivering to increase internal heat.

To help protect your outdoor workers against these risks, make sure that they:

  • dress warmly and carry extra dry clothing if they’re likely to get wet
  • stay dry (wet skin freezes quickly)
  • drink plenty of water to prevent dehydration
  • work during the warmest part of the day, as much as possible
  • avoid sitting still outdoors for long periods and take regular breaks from the cold
  • don’t touch metal or wear metal jewelry outdoors – metal conducts cold, increasing the risk of frostbite
  • avoid cigarettes, alcohol, and too much coffee or caffeinated beverages (smoking decreases circulation, while alcohol increases the rate of body cooling; caffeine also lowers circulation, its diuretic effect speeds dehydration, and its stimulant effect can hasten hypothermia)

For more information, feel free to get in touch with our agency.

SURVEY: MANY COMPANIES LACK RISK MANAGEMENT

By Risk Management Bulletin

Most privately held businesses have not implemented effective steps to protect themselves against a variety of risks, according to a recent nationwide study.

The Chubb 2013 Private Company Survey, based on interviews with executives at 450 U.S. companies, uncovered a number of disturbing conclusions. For example:

  • Although nearly three in four respondents (73%) use a third-party provider to administer their employee benefits plan, fewer than half (46%) have taken steps to reduce their fiduciary liability.
  • Only two in five (42%) have a broad policy against hiring employees with criminal backgrounds, which could be a violation of state law.
  • Among the more than two in three companies (68%) that use social media, only one in ten (12%) are concerned about being sued for defamatory posts, while fewer than half (48%) have a written social media usage policy for employees.

During the past three years, approximately half of respondents suffered at least one loss from such exposures as employment practices liability, fiduciary liability, crime, workplace violence, and cyber liability.

“Many private companies have not taken loss prevention measures or purchased the appropriate insurance to help insulate themselves from litigation, government fines, and their related financial and reputational consequences,” says Tracey Vispoli, Chubb Senior Vice President and Specialty Insurance Global Customer Segments Leader. She adds, “This is surprising, because a large number of these firms have been sued in recent years by employees, customers, government agencies, and other parties; and many are planning to participate in activities such as mergers that can increase their risk profile.”

How effective is your risk management program?

DATA BREACH RISK REDUCTION: BACK TO THE BASICS

By Risk Management Bulletin

In its 2013 Data Breach Investigations Report, Verizon Enterprise found that nearly three in four cybersecurity breaches (74%) to small businesses are “crimes of opportunity” that occur because a hacker notices and exploits a weakness in the system: the cyber equivalent of a robber seeing a window propped open and a wallet on the sill.

The report also shows that nearly half of these breaches (48%) result from basic mistakes by non-technical employees with no expertise in data security.

To protect themselves against financial losses from stolen or compromised client information, more and more firms are carrying cyber liability coverage. However, a preventive approach that focuses on beefing up IT security can play a key role in minimizing costly claims from data breaches – which helps keep premiums under control and reduces the time, expense, and hassle of litigation from angry clients.

Ted Devine, CEO of TechInsurance (Allen, TX), recommends that businesses reduce this risk exposure by going “back to the basics.”

  1. Provide training. Make sure that non-tech employees understand and implement best practices for storing data, sharing files, and transporting hardware.
  2. Encourage password security measures. According to the Verizon Enterprise report, more than three in four data breaches (76%) take place because a hacker is able to guess a password. The solution: create strong passwords and update them regularly.
  3. Use antivirus software.
  4. Encrypt sensitive data and limit access to it.
  5. Set up protocols for off-premises work.

For more information, see the article “Workers’ Electronic Devices Pose Risks for Employers” in this newsletter.

If you’d like a complimentary review of your company’s data security procedures, just give us a call.

WORKERS’ ELECTRONIC DEVICES POSE RISKS FOR EMPLOYERS

By Risk Management Bulletin

The widespread practice of employees bringing their own electronic devices to work can be risky for businesses. However, despite the growth of this trend, one nationwide study found that 60% of companies surveyed had no policy for dealing with remote access, while 80% provided no training about the potential risks involved.

One key issue with the use of these devices is the blurring of lines between employees’ personal and work life, which involves such questions as: 1) potential violations of employees’ privacy rights; 2) whether firms should buy electronic devices for lower-level workers who would not purchase them on their own; 3) who backs up the data and where; 4) whether companies should pay overtime when workers use these devices outside of regular hours; and 5) who owns the data (an issue that can arise when an employee leaves the company).

Another major danger involves a firm’s loss of control over its data.

The good news: you can take steps to reduce these risks. For example, workers should be sure to use effective password protection procedures. Warns one data security specialist, “Don’t just use ‘1234,’ and whatever password you choose, never put a sticky note on the back of your device.” Experts also recommend loading security apps onto devices to protect them and requiring workers to turn on the remote erasure capabilities of their devices.

Last, but not least, make sure to encrypt data on all devices. (Many states exempt companies from notifying clients about a data breach on lost or stolen devices if this information is encrypted.)

Our specialists would be glad to offer their expertise on helping you reduce the risks of your workers using mobile devices on the job.

RISK MANAGEMENT LESSONS FROM THE EXXON VALDEZ

By Risk Management Bulletin

Twenty-five years ago, the oil tanker Exxon Valdez struck a reef in Prince William Sound, AK, spilling more than 11 million gallons of crude oil – an environmental catastrophe that cost ExxonMobil $507 million in punitive damages (not to mention the impact to the company’s reputation).

In the wake of this disaster, the giant conglomerate implemented a fundamental shift in its corporate culture to stress safety and preparedness throughout the organization – a focus that businesses from mom-and-pop retail stores to construction companies can use to manage risk. Rather than simply publishing policy and procedural guidelines, ExxonMobil management stressed the need for workers to execute every task, even the most basic, with care and consideration for unintended consequences. For example:

  • Employees were told to back their cars into parking spaces so they could see clearly if they needed to pull away during a potential emergency.
  • Daily acts that might have hazardous consequences (such as not turning off a coffee burner or not wiping up after a spill) could lead to written reprimands.
  • Departments organized safety meetings and competitions, with prizes for acts as minor as making sure that file drawers were closed. Managers and workers used these sessions to share stories of near misses or catastrophes averted. This approach was so pervasive that it spread to sharing safety tips for employees’ personal lives.

The result: dramatic reductions in insurance claims (and premiums), litigation, on-the-job accidents, and lost worker hours – not to mention human misery.

Your business can learn from ExxonMobil’s example by creating and promulgating your own culture of preparedness.

As always, our agency stands ready to help you implement a comprehensive risk management program.

START NEW EMPLOYEES OUT ON A SAFE FOOT

By Risk Management Bulletin

If your idea of orienting new employees is to introduce them around and show them the bathroom and the coffee room, think again.

New workers are five times more likely to suffer a lost-time injury on the job in their first month than those who are more experienced. According to the Safety.BLR.com Web site, two in five employees injured at work have been on the job for less than a year.

Why are “newbies” so vulnerable and what are you doing about it?

High injury rates are caused by a combination of ignorance and fear by workers and employers alike. New workers are obviously unfamiliar with the tools, conditions and (most important) safety hazards of the job. Many supervisors assume that rookies know more than they do. Certain jobs require taking precautions that newcomers have never considered.

The fear comes from new workers refusing to ask questions, so they won’t seem unable to do the job — and be vulnerable to termination. Questions also remind instructors of things that they didn’t explain fully or forgot to mention.

To encourage safe-mindedness on the job from day one, follow these guidelines:

  1. Make sure that supervisors keep reminding new workers that the more questions are asked, the better.
  2. Acclimate new hires to workplace safety as soon as possible through web site orientation and the new hire packet.
  3. Have supervisors incorporate safety information in their walk-through of the facility for new workers, pointing out such things as the location of fire exits, extinguishers, and first-aid kits.
  4. Last, but not least: if you haven’t already done so, set up and monitor a comprehensive safety-training program for new hires.

To learn more, feel free to get in touch with the risk management professionals at our agency.

WORKER DOWN! WHAT HAPPENS NEXT?

By Risk Management Bulletin

Every year, more than 4 million workplace accidents result in injuries and illness. Quick and effective response at the scene of an accident can keep a bad situation from getting worse – and might even save a life!

In the event of a medical emergency, first-aid responders should follow these steps as soon as possible:

  1. Make sure the scene is safe. Warn employees not to rush into the scene of an accident before checking to make sure that it’s safe for rescuers to enter. Otherwise, you could end up with more victims.
  2. Call for help. An employee on the scene should call 911 while a trained emergency first responder tends to the victim. The employee on the phone should explain the type of injury, the exact location of the victim, and the caller’s phone number. The caller should stay on the phone in case the 911 operator has further questions. Because there’s no time to waste in an emergency and often no way to know how serious the emergency is, it’s important for employees to remain calm and act quickly and purposefully.
  3. Bring help to the victim. To prevent further injury, don’t move victims unless they’re in imminent danger.
  4. Check to see if the victim is breathing and has a heartbeat. If not, someone trained in CPR should try to keep the victim alive until EMS arrives.
  5. Do no further harm. Employees who provide first aid should be careful not to cause additional injuries in their attempt to help a victim. If they’re not sure what to do, they should do nothing except call for emergency medical assistance and keep the victim comfortable until help arrives. Doing the wrong thing could be worse for the victim than doing nothing. Employees should never try to do more than they know they can handle in a medical emergency!

Workers who aren’t trained in first aid or feel uncomfortable dealing with injuries can help by making the 911 call and staying on the line with the dispatcher; notifying a supervisor, the safety manager, and others; getting first-aid supplies; and/or meeting the EMS at the entrance to your facility and bringing them to the scene of the accident.

Keep workers who aren’t involved in emergency response clear of the area; and once the victim or victims are removed, cordon off the area to preserve evidence for the accident investigation.