Precautions for Better Cyber Security

Business operations in the technology industry revolve around the functionality of computers, network connections and the Internet. It’s no secret that computer use comes with many risks, including damaging viruses, hackers, the illegal use of your system to attack others, the use of sensitive data to steal identities and other illegal actions. As a result, companies must respond by preventing, detecting and responding to cyber attacks through a well-orchestrated cyber security program.

Get Familiar with Risks

The first step in protecting your business is to take notice of the multitude of cyber risks:

Hackers, attackers and intruders: These people seek to exploit weaknesses in software and computer systems for their personal gain. Although their intentions are sometimes benign, their actions are typically in violation of the intended use of the systems that they are exploiting. The results of this cyber risk can range from minimal mischief (creating a virus with no negative impact) to malicious activity (stealing or altering data).

Malicious code (viruses, worms and Trojan horses):

  • Viruses: This malicious code requires a user to take action to let a virus into the system, such as opening an email attachment, downloading a file or visiting a webpage.
  • Worms: Once released, this code reproduces and spreads through systems on its own. They usually start by exploiting a software flaw; then, once the victim’s computer is infected, the worm will attempt to find and infect other computers through a network.
  • Trojan horses: This disguised code claims to do one thing while actually doing something else. For example, a program that claims to speed up your computer system but is actually sending confidential information to a remote intruder.

Risk Management Planning

To reduce your cyber risks, it is wise to develop an IT risk management plan at your organization. Risk management solutions utilize industry standards and best practices to assess hazards from unauthorized access, use, disclosure, disruption, modification or destruction of your organization’s information systems. Consider the following when implementing risk management strategies at your organization:

  • Create a formal, documented risk management plan that addresses the scope, roles, responsibilities, compliance criteria and methodology for performing cyber risk assessments. This plan should include a characterization of all systems used at the organization based on their function, the data stored and processed, and importance to the organization.
  • Review the cyber risk plan on an annual basis and update it whenever there are significant changes to your information systems, the facilities where systems are stored or other conditions that may affect the impact of risk to the organization. 

In addition, your organization should take precautionary measures when selecting your internet service provider (ISP) for use for company business.

ISP Considerations

Almost all ISPs offer Web browsing capabilities with a varying degree of user support and Web hosting capabilities. Your company should determine what ISP to use, along with a plan for backing up emails and files and what firewalls to implement.

To select an ISP that will reduce your cyber risks, consider the following:

  • Security: How concerned with security is the ISP? Does it use encryption and secure sockets layer (SSL) to protect any information that you submit?
  • Privacy: Does the ISP have a published privacy policy? Are you comfortable with who has access to your information, and how it is handled and used?
  • Services: Does your ISP offer the services that you want and do they meet your organization’s needs? Is there adequate support for the services provided?
  • Cost: Are the ISP’s costs affordable and are they reasonable for the number of services that you receive? Are you sacrificing quality and security to get a lower price?

Reliability: Are the services provided by the ISP reliable, or are they frequently unavailable due to maintenance, security problems and a high volume of users? If the ISP knows that their services will be unavailable, does it adequately communicate that information to its customers?

User support: Are there any published methods for contacting customer service, and do you receive prompt and friendly service? Do their hours of availability accommodate your company’s needs?

Speed: How fast is your ISP’s connection, and is it sufficient for your business needs?

Recommendations: What have you heard from industry peers about the ISP? Were they trusted sources? Does the ISP serve your geographic area?

Cybersecurity is a serious concern for your business. Contact Tooher Ferraris Insurance Group to learn about our risk management resources and insurance solutions for emerging technology exposures.

OSHA Form 300A Posting Requirements Begin Feb. 1

#RiskSynergy


OVERVIEW

By Feb. 1 of each year, employers that are subject to the Occupational Safety and Health Administration’s (OSHA) routine recordkeeping requirements must post copies of their completed OSHA Form 300A (“Summary of Work-related Injuries and Illnesses”) from the previous year in visible locations within their employees’ workplaces. The postings must then be kept in place until at least Apr. 30 every year.  These requirements apply to all employers that are not in a partially exempt industry and have more than 10 employees.

ACTION STEPS

On Feb. 1, 2019, employers subject to OSHA recordkeeping requirements must ensure that copies of their completed Forms 300A from 2018 are posted in each of their establishments in a conspicuous place or places where notices to employees are customarily posted. 

Until Apr. 30, 2019, these employers must also ensure that their Form 300A postings remain in place and are not altered, defaced or covered by other material.

IMPORTANT DATES

February 1 to April 30, 2019

Employers must post and keep their completed 2018 Forms 300A posted in their employees’ workplaces.

March 2, 2019

Deadline for certain employers to submit electronic reports to OSHA.

Contact Tooher-Ferraris today to learn more about our integrated insurance and risk management programs at 203-834-5900 or info@toofer.com.

Mobile Device Security

Because of all they can offer, smartphones and tablet devices are essential to many professions’ daily operations. However, as use rises, it will become more and more important to ensure that security for these mobile devices is able to adequately protect you from new and existing threats.

The need for proper phone security is no different than the need for a well-protected computer network. Gone are the days when the most sensitive information on an employee’s phone is contact names and numbers. Now a smartphone could grant access to any number of applications, emails and stored passwords. Depending on how your organization uses such devices, unauthorized access to the information on a smartphone or tablet could be just as damaging as a data breach involving a more traditional computer system.

Lost or Stolen Devices

Because of their size and nature of use, mobile devices are at an increased risk of being lost or stolen. Since most devices automatically store passwords in their memory to keep users logged in to email and other applications, having physical possession of the device is one of the easiest ways for unauthorized users to access private information.

To prevent someone from accessing a lost or stolen device, the phone or tablet should be locked with a password. The password should be time sensitive, automatically locking the phone out after a short period of inactivity. Most devices come with such security features built in, which is something you should consider before purchasing. Depending on your cellphone provider, there are also services that allow you to remotely lockdown or erase a device in the event that it is lost or stolen.

Malicious Attacks

Mobile devices have the potential to be just as susceptible to malware and viruses as computers, yet many businesses don’t consider instituting the same type of safeguards. As reliance on these devices continues to grow, so will their attractiveness as potential targets. Third-party applications are especially threatening as a way for malware to install itself onto a device. Employees should never install unauthorized applications to their company devices.

Analyze Threats

Like any potential exposure, the level of risk brought on by mobile devices is based largely on how your company uses them. Conduct a formal risk assessment to see where your biggest risks are. Also establish when to conduct follow-up assessments to account for new exposures created by the ever-advancing state of technology.

Establish a Smartphone Policy

Before issuing smartphones to your employees, establish a device usage policy. Outline what does and does not constitute acceptable use and what actions will be taken if employees violate the policy. It is important that employees understand the security risk inherent to smartphone use and their role in its mitigation. Well informed, responsible users act as an invaluable layer of security protecting mobile devices.