More lawsuits are being filed against employers in connection with active shooter incidents, said a speaker at the Professional Liability Underwriting Society’s conference in San Diego on Thursday.
Claudia A. Costa, a partner with Gordon Rees Scully Mansukhani LLP in New York, spoke during a session on significant employment liability issues at the conference as attendees were still absorbing the news of the shooting in a Thousand Oaks, California, bar Wednesday in which 12 people plus the gunman died.
She observed that all the recent incidents have the common factor of having occurred in a workplace, whether it was a bar, a place of worship or a school.
With the number of these incidents increasing dramatically, “more and more lawsuits are being brought against employers” in their wake, said Ms. Costa during the session.
The U.S. Occupational Health and Safety Administration’s general duty clause states employers must have a place free of recognized hazards, and active shooting incidents are considered such a hazard, said Ms. Costa, adding her firm has been involved in defending some of these cases. Claims filed against employers in these situations include negligence and failure to train workers, she said.
Other charges, she said, include negligent hiring and retention, which was an issue in the 2003 naval yard shooting in Washington, D.C., that left 12 dead.
In that case, complaints from fellow employees that the shooter heard voices in his head were not addressed, and there had been a prior incident in which the shooter had shot through his ceiling to the apartment of a neighbor, she said. Bullying was cited as a factor in the 2015 San Bernardino, California, shooting, in which 14 people were killed, said Ms. Costa.
These shootings and the ensuing litigation have “made all employers take notice of these risks,” which can involve employees, customers, clients, strangers and those related to these people, said Laura Zaroski, Chicago-based area senior vice president of the law firms practice for Arthur J. Gallagher & Co.
Coverage, which varies, is primarily coming out of Lloyd’s of London right now, she said, with a handful of domestic insurers. Coverage can include counseling, medical disability expenses for victims, funeral expenses, death benefits and “loss of attraction” coverage when a mass shooting results in a loss of revenue because people are no longer coming to the location of the incident.
Other coverages include the cost of upgrading a building and its security, damages to the building, relocation costs and sometimes the cost of a teardown following an incident, she said.
Employees should be trained to recognize potential situations. “We shouldn’t just be waiting for an event to do it for the first time,” said Ms. Zaroski. “Let’s learn what to do and handle the situation before it arises.”
Thomas Lookstein, New York-based head of financial and professional line claims for Starr Adjustment Services, a division of Starr Cos., said one question that should be addressed is whether these policies have terrorism exclusions.
Marchelle M. Houston, senior vice president, bond and specialty insurance, for Travelers Co. Inc., said another potential claim is kidnap and ransom, where people are unable to leave a facility during an incident.
Other issues covered during the session included the #MeToo movement, sexual orientation discrimination, religious discrimination and Supreme Court rulings.
If there’s an attack on the country, the military mobilizes. When a natural disaster strikes, recovery plans go into effect. Should an infectious disease start to spread, health officials launch a containment strategy. Response plans are critical to recovery in emergency situations, but when it comes to cybersecurity, a majority of industries are not paying attention.

“The reality is no matter how amazing you are with your prevention capabilities, you’re going to be hacked,” said Mohammad Jalali, a research faculty member at MIT Sloan whose work is currently focused on public health and organizational cybersecurity. “Then what are you going to do? Do you already have a good response plan in place that is continuously updated? And communication channels are defined, and stakeholder responsibilities are defined? Typically the answer in most organizations is no.”

To help address cybersecurity weaknesses in organizations, Jalali and fellow researchers at Cybersecurity at MIT Sloan, Bethany Russell, Sabina Razak and William Gordon, built a framework of eight aggregated response strategies. They call it EARS.
Jalali and his team reviewed 13 journal articles involving cybersecurity and health care to develop EARS. While the cases are related to health care organizations, the strategies can apply to a variety of industries.
The EARS framework is divided into two halves: pre-incident and post-incident.
1 — Construction of an incident response plan: This plan should include steps for detection, investigation, containment, eradication, and recovery.
“One of the common weaknesses that organizations have is they put together an incident response plan, but the problem is that documentation is usually very generic, it’s not specific to the organization,” Jalali said. “There is no clear, specific, actionable list of items.”
Make sure that everyone in the organization knows the plan, not just the employees in the IT department. Set clear channels of communication, and when assigning responsibilities, make sure they are clearly defined.
2 — Construction of an information security policy to act as a deterrent: Clearly defined security steps establish and encourage compliance.
“Many companies think that compliance is security,” Jalali said. “[That] if you just follow the information you’ll be taken care of.”
Don’t set the bar so low that the organization is not secure. Regulations should ensure an understanding of cyber threats. Establish motivational reasons for the response teams to follow reporting policies. Compliance should go hand in hand with continuous improvement.
3 — Involvement of key personnel within the organization: No matter the size of an organization, key leaders need to be educated on the importance of cybersecurity and be ready to act according to the response plan.
Leaders don’t have to be cybersecurity experts, but they need to understand the impact an incident will have on their organization. The more informed they are, the more involved they can be in a response plan.
4 — Regular mock testing of recovery plans: Recovery exercises help organizations stress-test plans and train employees on proper response protocols.
If the organization only tests its recovery plan during an actual emergency, it’s likely to run into serious issues, which could increase the amount of damage caused by the cyber incident.
The shift from a reactive to proactive stance can help an organization identify weaknesses or gaps in its recovery plan, and address them before an incident occurs.
5 — Containment of the incident: Containment involves both proactive and reactive measures.
It’s easier to cut off infected devices from a network if they’re already segmented from other devices and connections prior to an incident. The researchers concede that it’s not always possible to segment networks, nor to immediately disconnect an infected device from the whole system. At the very least, immediately report the infected device to the organization’s IT team to contain the incident.
6 — Embedded ethics and involvement of others beyond the organization: It’s important to remember that all of an organization’s stakeholders could be impacted by a cyber incident.
Promptly notify legal counsel and relevant regulatory and law enforcement agencies. Consider help from external resources and share information about the cyber threat.
7 — Investigation and documentation of the incident: Be timely and thorough; every step of the pre- and post-incident reaction should be documented.
The investigation should aim to find the root technical cause of the issue, as well as the weaknesses that, once fixed, could prevent future attacks. Proper documentation is a necessity for this analysis.
8 — Construction of a damage assessment and recovery algorithm: Organizations should self-evaluate after the incident.
While computers are where cyber attacks happen, they can also be used to help with recovery. Organizations can leverage the power of computers, especially artificial intelligence, for real-time detection and containment of incidents.
“The commonly used frameworks for incident response strategies often miss this essential step,” Jalali said, “even though there are already AI-based products for this very purpose.”
Have you ever been in the room when someone suggested doing scenario analysis? Did you see everyone in the room cringe at the thought?
I have, and I felt pity for the person who made the suggestion.
Most likely, everyone in that room has gone through the endless “what if” scenario analysis that takes 4 or 5 hours and ends without any solid conclusions.
But if done correctly, scenario analysis can be extremely effective in its support of decision-making.
Personally, I prefer to use the term “scenario planning” instead of “scenario analysis” for the simple reason that “scenario analysis” sounds painful and very computer-driven. On the other hand, scenario planning is human-based and sounds like the effort and results will be useful for the participants and the final audience.
At its core, scenario planning is a “creative and structured process to guide deliberate thinking about risk,” as defined by Arie de Geus in his book The Living Company. De Geus, as the corporate planning coordinator at the Royal Dutch/Shell companies, used scenario planning and described its effectiveness in this Harvard Business Review article…from 1988!
So, with all that being said, how can scenario planning support decision-making?
1. Tests and validates assumptions being made as part of the planning process
When corporate planning occurs, whether called strategic planning, annual planning or something else, management believes that a certain set of assumptions will become true. How many times has management stated an assumption as fact? But what if they are wrong?
2. Provides management with the tools to proactively prepare
Risk management activities are supported by scenario planning, which looks at possible events. While most people inherently want to say the most positive event will occur, proactively preparing for events is always better than being reactive. Being proactive rather than reactive is a key difference between traditional risk management and ERM (enterprise risk management).
3. Encourages innovation
Scenario planning helps people to think outside of their comfort zone, taking next steps to a big innovative moment. Sometimes that innovation is triggered by the proactive preparation. An organization that is constantly innovating is a step ahead of its competitors.
4. Gives the organization a competitive advantage
Being prepared and innovative are two enormous parts of a competitive advantage. What company would not want that?
Management improves its way of making decisions simply by using scenario planning. It will take time for this way of thinking to take hold, but it stands to reap immeasurable benefits in both the short- and long-term.
Sociologists and psychologists tell us it is pain that makes people and living systems change. And certainly corporations have their share of painful crises, the recent spate of takeovers and takeover threats conspicuously among them. But crisis management—pain management—is a dangerous way to manage for change.
Once in a crisis, everyone in the organization feels the pain. The need for change is clear. The problem is that you usually have little time and few options. The deeper into the crisis you are, the fewer options remain. Crisis management, by necessity, becomes autocratic management. The positive characteristic of a crisis is that the decisions are quick. The other side of that coin is that the implementation is rarely good; many companies fail to survive.
The challenge, therefore, is to recognize and react to environmental change before the pain of a crisis. Not surprisingly, this is what the long-lived companies in our study were so well able to do.
All these companies had a striking capacity to institutionalize change. They never stood still. Moreover, they seemed to recognize that they had internal strengths that could be developed as environmental conditions changed.
Don’t you want your organization to be around for 300+ years? Embedding scenario planning into management’s decision-making processes will help make that happen.
An often overlooked part of the massive losses suffered by businesses, academic institutions, and other organizations as a result of fires, floods, and other severe weather is the damage to critical records and documents. By not protecting and insuring these documents, organizations can face significant business continuity losses and compromised client services. There are several important steps that prudent risk managers can take to ensure that their critical documents are managed properly and protected as much as possible from a potentially damaging event.
1. Understand Document Retention Requirements and Dispose of Unnecessary Documents
Document retention requirements are determined by city, state and federal regulations, and can vary by document type. A general rule of thumb is that financial records should be kept for seven years. Health records for children must be retained for 25 years. Deeds and loan documents must be kept permanently. Establishing a consistent base volume of stored records and documents can help determine the necessary level of insurance coverage. The longer the retention period, the greater the risk, so purging those documents that are not necessary to retain can reduce the risk that damage will occur.
2. Assess Document Exposure
Determining the level of document exposure depends on the answers to several questions. First and foremost, what is the volume of critical documents? The more documents stored, the greater the cost to insure them. The more densely they are stored, the greater the localized risk.
What type of recovery service is necessary? This answer will vary from business to business. If original documents are required, they will likely be returned after drying and cleaning with visible signs of damage, such as stains and bleeding of ink. This may be fine for archived files but may cause problems for businesses such as medical facilities, law and accounting firms, and their clients. In another instance, a mortgage title company may likely want a drying, sterilization and cleaning option even when their documents are affected by Category III water (highly contaminated water such as sewage or floodwaters, also known as blackwater). Faced with the same dilemma, a medical facility is likely to prefer reproduction or imaging.
Is immediate access to documents important in the wake of a calamitous event? This will determine which of the two basic techniques for document drying is most appropriate. Vacuum freeze drying provides the best results for books and clay-coated paper. However, capacity is limited by the size of the drying chambers and backlogs can quickly develop if a document recovery specialist relies solely on this method. Desiccant drying effectively processes large quantities of documents, but causes wrinkling and requires trained technicians to avoid secondary damage to documents during the recovery process.
The information gleaned from the answers to these questions can be extremely useful in determining the potential cost of document and record restoration. However, there is no standard formula or computer model to generate cost estimates. Instead, the number of documents required for retention and the qualitative requirements of that retention are used to develop a hypothetical, industry-average cost estimate for a worst-case scenario loss.
It is important to remember, however, that any assessment of this kind cannot determine the cost of a total loss. Establishing the cost of drying 100 boxes of documents submerged in water for two days is doable. Understanding the cost of recovering those 100 boxes after they have been burned to ash is not.
3. Ensure Adequate Insurance Coverage
The cost of insurance is typically determined by the cubic feet of stored documents and records to be covered. A range of $100 to $1,000 per cubic foot can provide a general low-to-high estimate of coverage needed. Depending on the potential needs within that range, the type of coverage is another critical consideration.
Many insurance policies will specifically exclude coverage for documents under the contents verbiage of the policy. Instead, insurers want customers to address specific coverage of documents under the valuable papers portion of the policy. Valuable papers coverage is often described in the policy as the time to research, verify, and recreate files or information that have been damaged in a loss. Valuable paper coverage is broad and often will address the issue of document reproduction or imaging.
Valuable papers coverage is a reasonable “extension of coverage” on insurance policies, with coverage amounts ranging from $25,000 for standard coverage to several million dollars for specialty classes of businesses. Standard limitations may be adequate for small losses, but most likely will not be adequate to cover a major loss that would require the treatment of large numbers of documents. Ironically, the rule of thumb in the document restoration business is that the average client is under-insured.
Often, the key variable is how the adjuster will interpret the policy. Some adjusters will allow drying and cleaning documents to fall under business personal property coverage because the documents are tools used for conducting business. This enables the original documents to be dried and/or cleaned and returned to use. The argument is that documents such as medical charts are not just valuable papers or papers per se. The information on them is organized, regulated in how it can be amended or altered, and the charts must be bound in a specific manner.
An important element of adequate insurance coverage is the quality of the claims handling process, which can be defined as the immediate response to the loss. Specific wording to this effect in the insurance policy will help, as will periodic meetings among the insured customer, insurance professional, and document restoration firm over the course of the policy period.
4. Preselect the Right Document Recovery Firm
There are only a handful of qualified document recovery firms in the United States. Preselecting one of them is not a process that should be taken lightly. Risk managers, who are serious about defining their exposure, should conduct in-person interviews with key document specialists — as opposed to area representatives or salespeople — from the firms they are considering.
There is no standard pricing in the document recovery industry. Basic services are typically measured by the cubic foot. However, one firm may charge $40 per cubic foot for drying and $35 per cubic foot for labor, handling, and packaging, while another will charge an all-inclusive $72 per cubic foot for these services.
There are a number of differentiators among these firms in addition to price. Do they have the capability to handle a document restoration project on-site if necessary? What security measures do they employ — both on-site and in their plant? How quickly can they respond to a loss and provide a complete quote for the work? What is their backlog? Can they provide access to documents during the recovery process? Do they do the work in-house, which is preferable to ensure a timely response and open lines of communications between client and document recovery firm, or do they subcontract to another vendor? Do they itemize invoices, including all services and supplies? Are they appropriately insured, including sufficient pollution coverage?
Lastly, there are a number of external signals about a document recovery firm’s qualifications. Firms that are preferred vendors with well-known national insurance carriers have qualified on the basis of security, financial stability, quality control and accountability. Letters of recommendation from previous clients are also a good indicator of past performance.
But our understanding of how people do respond is limited.
“One thing could be there are just so many incidents of data breach happening … people consider it typical,” Dr. Chen speculated.
“It’s the norm of this digital world.”
These incidents can also feel quite abstract, Dr. Cross added.
Consider the compromising of more than 359 million MySpace accounts or more than 164 million LinkedIn accounts — these are almost unimaginable numbers.
For victims, there’s also a difference of perception between your details being lost or stolen and actual misuse of that information — in the form of identity theft, for example, which is estimated to cost Australia $2.2 billion each year.
“They’re just one small individual within an entire group, and they don’t feel that they are particularly valuable in terms of a target,” she said.
New America’s Peter Singer suggested we won’t see decisive action from the government on these issues until breaches begin to have a dramatic impact in the physical world.
Connected devices, from fridges that can be accessed online to driverless cars, will make this more dangerous — and likely.
You might start caring more when a hacker uses stolen credentials to turn your lights on and off remotely.
“I think … what will inevitably happen is some type of bad outcome,” Mr. Singer added.
A badly handled data breach can also dent a company’s reputation.
Take Uber, which initially tried to cover up the exfiltration of the names, email addresses and mobile phone numbers of 57 million users.
Mr. Hunt also sees companies being judged harshly if a breach exposes their poor security posture, such as storing passwords in plain text without cryptographic protection.
On the flip side, he cited the Red Cross Blood Service’s reaction as “the gold standard” after it lost donor information in 2016.
The group was swift to act and tell the public — and was apologetic throughout.
As data breaches continue, Mr. Hunt hopes people will avoid fatigue and take control: get a password manager, make all passwords unique and turn on two-factor authentication.
“These are really basic things that we can all do, and they fundamentally change the impact of a data breach,” he said.
In college, I had a short-lived and hilarious dream that I could learn to play lacrosse. I suppose I was attracted to the glamour of running wind sprints for two hours while being hit with titanium poles.
Alas, the dream was not to be. When I showed up to my first pick-up game, I had no idea what a “slide” was, didn’t realize “clamping” had anything to do with face-offs and had no idea where “the box” was.
Fortunately, Gartner research can help you and your team get data literate. They’ve come up with multiple strategic suggestions that you can implement at your business.
What Is Data Literacy?
Data literacy means you “speak” data the way you might speak any other foreign language.
“Gartner defines data literacy as the ability to read, write, and communicate data in context, including an understanding of data sources and constructs, analytical methods and techniques applied, and the ability to describe the use case application and resulting value.”
(Full research available to Gartner clients.)
In plain English, data literacy means you know what data you’re tracking, why you’re tracking it, how to read that data, and how to use that data to save or make money.
Data Literacy Is the Gateway to Business Intelligence
At its heart, business intelligence software is a data-wrangling program.
BI software programs organize all your data sources (website data, CRM data, email data, financial and POS data) and let you see how those data sources interact (for example, did sales increase when you changed the colors on your website?).
So, until your employees are literate with the data your business intelligence tool wrangles, they won’t know how to wrangle their business intelligence tool.
The data literate person knows what data they’re tracking, where it’s stored, and how it fits together. That’s not all they know, though.
Data literacy is also a way of thinking in terms of data. The data literate person doesn’t just think in generic terms—such as did sales increase? They think in terms of data—did Q1 website conversions among women ages 18 to 34 increase as a result of that email campaign?
It’s like learning a foreign language: You haven’t really learned that new language until you start thinking in it, as well as speaking it.
How To Teach Your Employees Data Literacy
Most employees, however, probably don’t think in terms of data, which presents you with another challenge: How do you get your employees to start thinking in terms of data?
1. Employees need to know what data literacy is
Becoming literate in any new lingo is challenging … especially when people don’t know that lingo even exists.
Chances are, most of your employees aren’t even aware that data literacy is a concept. So if you want your employees to use your BI software, you’ll have to introduce data literacy first and explain why it matters.
And don’t just introduce the concept of data literacy once. Introduce it repeatedly.
No, “introduce repeatedly” is not an oxymoron. Since learning how to speak (and think) data is a major change, a single introduction probably won’t stick. They may forget at first, and that’s natural.
Case in point: As a one-time substitute teacher, I got several classes to make a major change by introducing that change gradually.
The English teacher I subbed for allowed cell phone use in her classes. Predictably, the students were learning next to nothing, though their Candy Crush scores were amazing, and they Snapchatted all their paper cuts. About a month into the gig, I decided to ban cell phones.
The change only worked because I introduced it gradually—I announced I would start the policy on a set date, explained why I was doing it, and reminded students to leave phones in their lockers.
If students brought their phones with them, they could put it in a plastic box at the front of the room when class started. If their phone rang while in the box, I’d leave it alone. If it rang while on them, I’d answer it in a loud and public fashion, and they’d go to the principal’s office.
Though the notion of spending even 45 minutes without their phones was horrifying for most of them, the policy worked well because I gradually introduced the concept of class without phones.
How to put this into practice:
There are multiple ways to introduce data literacy to your employees over a period of time.
At Capterra, our employees volunteer to lead “lunch and learn” sessions: brief, hourlong intros to topics that interest them. You could encourage data-savvy employees at your company to do the same.
You could also spend time at all-company or department meetings translating basic activities, or concepts, into data. Anything that breaks the data-ice is a good idea.
2. Employees need to speak data
Once employees know what data literacy is, they need to learn to “speak” data.
Gartner analyst Valerie Logan suggests you approach learning to speak data the same way you would any foreign language, and even refers to the process as ISL, or “information as a second language.” (Full Gartner research is available to clients.)
How to put this into practice:
Figure out which employees already speak data, and also who can translate data into plain English. These “data translators” can help employees who struggle to speak data.
Figure out what the language barriers are to speaking data: If business and IT folks don’t speak the same language, that’s a language barrier (or “interpretation gap,” as it’s also called).
There are multiple ways to break language barriers:
Keep a glossary of common terms.
Make sure C-level executives speak data so they can set an example.
Make sure your business goals are expressed in actionable language.
3. Employees need to speak data to each other
Practice makes perfect, so speak data regularly until it becomes a habit.
As Gartner analysts Alan Duncan and Lydia Clougherty Jones suggest, the best data-driven companies focus consciously on this goal. They don’t just speak data, they interact in terms of data. They use data as a way to build inter-team trust, presenting evidence and keeping an eye open for problems such as confirmation bias. (Full Gartner research is available to clients.)
At the same time you’re learning terms such as “confirmation bias” and “cognitive filtering,” you can think about examples of these in your own work and be on guard against these bad habits.
How to put this into practice:
Follow the example of foreign language conversation clubs. In the same way those clubs meet once a week to practice German or Amharic, get a group together for weekly or monthly coffee meet-ups where you talk data: what data you’re working with, how it interacts with other departments’ data, and what data you wish you had.
For instance, how does your website’s load time impact visitors and conversions? If sales and tech aren’t discussing how those data sets interact, you could be missing out on a possibly lucrative correlation. (Hint: shorter load time almost always means more visitors and conversions.)
Discussion groups like this also help with another important goal: becoming data-driven. This is where business intelligence as a way of thinking comes into play. As you’re learning to speak data, treat it as an opportunity to learn how to think differently.
4. Employees need to speak data frequently
Ideally, brown bags and discussion groups will be your first step on the way to data literacy immersion.
Immersion’s the best way to learn to speak a foreign language, and speaking data is no different.
How to put this into practice:
Gartner analyst Valerie Logan recommends you speak data in everyday conversations, “from board meetings to team meetings.” If speaking data becomes a regular behavior, it’s more likely to stick. And when it sticks, you’ll be on your way to being data-driven.
As Gartner analyst Alan Duncan notes, becoming data-driven has more to do with behavior than technical know-how. That’s why HR should also be involved in your attempts to become data literate.
Duncan recommends having the HR department be a core stakeholder in business intelligence change management. Primarily, they can “adjust hiring practices to emphasize analytic literacy.” (Full Gartner research available to clients.)
The hacking of a medical clinic employee’s email account during overseas travel demonstrates the risks posed to data when workers travel – and the need to mitigate those risks.
Billings Clinic in Montana – which includes a multispecialty group practice with a 304-bed hospital and a Level II trauma center – says in a breach notification statement it became aware on May 14 of “unusual activity” within one of its employee’s email accounts.
The employee was traveling overseas on a medical mission at the time of the hacking incident, according to the statement.
Billings Clinic says it took immediate action to disable access to the email account, launched an investigation to determine what happened and took action to further secure its email system.
“As a result of the forensic investigation, we learned that an unauthorized individual had access to emails and attachments within that one account, some of which included patient information.”
The information on 8,400 individuals contained in the affected email account includes patient names, dates of birth, contact information, medical record numbers, internal financial control numbers, diagnoses and limited information about medical services received, the clinic reports.
“Each patient had different types of information, included in the emails, and no one email contained all of these types of information,” the notification statement says.
As of July 16, the hacking incident was not yet listed on the Department of Health and Human Services' HIPAA Breach Reporting Tool website – commonly called the “wall of shame” – which lists breaches affecting 500 or more individuals.
That breach tally, however, lists a different hacking/IT incident reported in April by Billings Clinic that impacted 949 individuals.
In a notification statement posted on Billings Clinic’s website about the earlier incident, the clinic says that on February 26, it also became aware of unusual activity within its email system, and immediately took action to disable the account.
A Billings Clinic spokesman tells Information Security Media Group that the two breaches were separate incidents, but declined to discuss further details, including the steps the clinic is taking to bolster security in the wake of the breaches.
The spokesman also declined to discuss whether the traveling employee in the latest breach was traveling with a Billings Clinic laptop or other mobile computing devices, or whether the employee had been accessing Billings Clinic’s email system while using a personally owned computing device or smartphone.
Data breaches occurring during employee travel are a common but often overlooked problem, says Rebecca Herold, president of Simbus, a privacy and cloud security services firm, and CEO of The Privacy Professor consultancy.
“It is very common for data and devices to be hacked while traveling and for those who were hacked to not even realize it,” she says. “People are often unaware of what is going on around them when they are traveling. They are using any charger station they can find, they speak loudly and they use free Wi-Fi.”
Cybercriminals routinely scan free Wi-Fi networks and copy unsecured transmissions, including emails, she says.
“Shoulder surfing is also still very common; it’s a decades-old tactic that still works effectively today. And the skimmers on charging stations are increasing in use. Don’t think that if you are in a frequent flyer lounge that these things do not happen there; they happen in those exclusive lounge areas possibly more than in other places,” she warns.
Cybercriminals often target travelers, Herold says, because “it is easy for them to commit their crimes without getting caught because there is usually no digital evidence created.”
Mac McMillan, CEO of security consultancy CynergisTek, offers a similar assessment: “Any time you travel overseas you may be at greater risk, as local cybercriminals will have access to your mobile devices, the locations where you are staying or the ISPs whose networks your traffic is traversing.”
Healthcare entities and other organizations – and their traveling staff members – should review information from the Federal Communications Commission, Department of Homeland Security, and other agencies for tips on securing their computing devices while overseas, McMillan stresses.
“The problem is that most private businesses don’t educate their employees on these risks,” he says. Government agencies “routinely brief employees on foreign travel risks and are always aware that overseas we are potential targets.”
Steps to Take
McMillan advises workers on vacation to “leave the work computer at home. Temporarily suspend access to sensitive apps and work email, and do not permit mail forwarding.”
But if remote access is absolutely required, he says, “employ two-factor authentication on both apps and email, and strong encryption on all devices. Use different passwords or pins when you travel. Do not make online purchases or go to your online banking site. Clear your cache regularly. Turn off auto-join on your Wi-Fi. If traveling for more than a few days, reset your settings. Above all keep your devices with you at all times and shielded from view.”
Keith Fricke, a consultant at tw-Security, notes that some companies issue a laptop specifically for overseas travel that is locked down more than normal and has fewer applications on it.
There have been reports of some private airplane flights having “hidden cameras” that recorded the screens of laptops passengers used during the flight, he says. “Stories also exist of hidden cameras in hotels of certain foreign countries or people entering hotel rooms when the occupant left the room for meetings or a meal. The intruder looked for ways to obtain unauthorized access to information,” he notes.
Herold advises organizations to take a number of precautions to reduce the risk of breaches while individuals are traveling.
“Implement policies for employees to not use public Wi-Fi,” she stresses. “Provide secured virtual private network or similar types of solutions for remote access. I carry my own device that I use to establish a private VPN connection. I never use public Wi-Fi, or the Wi-Fi in the hotels or restaurants either.”
Organizations should also require that data be encrypted in transit and in storage, she says. “That way, if someone gets access through a network, the data is not accessible. If they get access to the device, the data is not accessible.”
Herold also advises employers to “provide information security and privacy reminders and awareness communications of other types prior to employee travel so that they have the need to practice safe mobile computing at top of mind.”
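The article describes the clinic noticing “unusual activity” in a traveling employee's mailbox, and McMillan's advice to suspend access, forbid mail forwarding and require a second factor while staff are abroad. The following is an added example of how a mail administrator could turn those points into detection logic; it is not code from the article, from Billings Clinic or from any of the consultants quoted. It assumes a simple key=value sign-in and mailbox-audit log format, a travel roster saying where each employee is expected to be, rough country centroids for a distance check, and a set of client protocols (IMAP/POP3/SMTP basic auth) that the organization treats as bypassing its second factor. All users, countries and log lines are constructed.

```python
"""Added example: flag risky mailbox activity while an employee is abroad.

Checks over constructed records:
  1. sign-ins from a country outside the home country and the declared
     destination, sign-ins that would require travelling faster than an
     airliner ("impossible travel"), and sign-ins over protocols assumed
     not to enforce a second factor;
  2. audit events that add a forwarding rule, which should not be
     permitted while the mailbox owner is travelling.
Every user name, country, coordinate and log line is constructed.
"""
from collections import namedtuple
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

HOME_COUNTRY = "US"
# Rough country centroids (lat, lon); only used for the distance check (assumed values).
COUNTRY_COORDS = {"US": (45.8, -108.5), "GT": (14.6, -90.5), "RU": (55.8, 37.6)}
# Protocols assumed to use basic auth and so bypass the second factor in this tenant.
LEGACY_CLIENTS = {"IMAP", "POP3", "SMTP"}
# Audit actions that can set up forwarding (names modelled on Exchange cmdlets; assumption).
FORWARDING_ACTIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}

Finding = namedtuple("Finding", "when user rule detail")

# Constructed travel roster: who is abroad, when, and where they said they would be.
TRIPS = [{"user": "jdoe", "start": datetime(2018, 5, 10),
          "end": datetime(2018, 5, 20), "countries": {"GT"}}]


def parse_line(line):
    """'2018-05-13T07:42:10Z user=jdoe country=GT client=OWA' -> dict with a datetime."""
    ts, *pairs = line.split()
    rec = {"when": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for pair in pairs:
        key, _, value = pair.partition("=")
        rec[key] = value
    return rec


def active_trip(user, when):
    """Return the roster entry covering this user at this time, or None."""
    for trip in TRIPS:
        if trip["user"] == user and trip["start"] <= when <= trip["end"]:
            return trip
    return None


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def check_signins(lines, max_kmh=1000.0):
    """Evaluate sign-ins in time order; max_kmh is the fastest plausible travel speed."""
    findings, last = [], {}
    for rec in sorted(map(parse_line, lines), key=lambda r: r["when"]):
        user, country, when = rec["user"], rec["country"], rec["when"]
        trip = active_trip(user, when)
        expected = {HOME_COUNTRY} | (trip["countries"] if trip else set())
        if country not in expected:
            findings.append(Finding(when, user, "unexpected_country",
                                    f"{country} not in {sorted(expected)}"))
        if trip and rec.get("client") in LEGACY_CLIENTS:
            findings.append(Finding(when, user, "legacy_protocol", f"{rec['client']} while abroad"))
        prev = last.get(user)
        if prev and prev["country"] != country:
            hours = (when - prev["when"]).total_seconds() / 3600
            km = haversine_km(COUNTRY_COORDS[prev["country"]], COUNTRY_COORDS[country])
            if hours <= 0 or km / hours > max_kmh:  # same instant or faster than a plane
                findings.append(Finding(when, user, "impossible_travel",
                                        f"{prev['country']}->{country}: {km:.0f} km in {hours:.1f} h"))
        last[user] = rec
    return findings


def check_audit(lines):
    """Flag forwarding rules added to a mailbox, noting whether the owner was abroad."""
    findings = []
    for rec in map(parse_line, lines):
        if rec.get("action") in FORWARDING_ACTIONS and rec.get("forward_to"):
            where = "while abroad" if active_trip(rec["user"], rec["when"]) else "at home"
            findings.append(Finding(rec["when"], rec["user"], "forwarding_rule",
                                    f"{rec['action']} -> {rec['forward_to']} {where}"))
    return findings


# Constructed sign-in and mailbox-audit records (not real log data).
SIGNIN_LOG = [
    "2018-05-12T14:02:11Z user=jdoe country=US client=Outlook",
    "2018-05-13T07:42:10Z user=jdoe country=GT client=OWA",
    "2018-05-13T08:00:00Z user=asmith country=US client=Outlook",
    "2018-05-13T09:15:33Z user=jdoe country=RU client=IMAP",
    "2018-05-14T02:08:51Z user=jdoe country=GT client=OWA",
]
AUDIT_LOG = [
    "2018-05-13T09:20:04Z user=jdoe action=New-InboxRule forward_to=ext@example.net",
    "2018-05-13T10:00:00Z user=asmith action=Set-Mailbox forward_to=",
]


def run():
    return check_signins(SIGNIN_LOG) + check_audit(AUDIT_LOG)


if __name__ == "__main__":
    for f in run():
        print(f"{f.when:%Y-%m-%d %H:%M} {f.user:8} {f.rule:18} {f.detail}")
```

In the constructed data the destination sign-ins from GT pass, while the IMAP sign-in from RU trips all three sign-in rules (wrong country, legacy protocol during travel, and a jump of over 10,000 km in about 90 minutes) and the forwarding rule created minutes later is reported as well; the later return to GT is 17 hours after the RU event and so is not flagged as impossible. The speed threshold and the legacy-protocol list are the knobs a real deployment would tune to its own travel patterns and authentication policy.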