Oh, Dear! Frightfully Complicated!
Apr 19, 2018

On a spring morning in Glasgow, Scotland, in 1966, engineer James Goodfellow was describing his new invention over breakfast to his wife, Helen. He'd just developed the first ATM for a group of Scottish banks. He told Helen how the customer would only have to punch in an eight-digit code (the PIN, of course) to access an account. "Oh, dear," Helen replied. "Eight digits will be frightfully hard to remember. Couldn't you make it shorter? Maybe four?" And that, dear reader, was the world's introduction to the push-pull we all encounter daily between cyber security and the convenience of customers and other users.

A recent article in the Houston Chronicle tells the sad story of how, even today, American government and business are falling over even the low bar set by Helen half a century ago for basic cyber security. "We're going at a snail's pace," said Mike McConnell, former director of the National Security Agency and former U.S. Director of National Intelligence. "The problem is becoming more severe, and the ones who can see what's going on are being forced to say more and more to get the nation to react in a serious way." While many recent reports on cyber-attacks focus on Russian or other state actors going after American government and/or infrastructure targets, the same story applies across the country. The City of Atlanta was recently brought to its cyber knees by a hacker who captured the city's on-line files and held them for ransom - in bitcoin, of course.

Being underprepared for cyber attacks seems an unlikely problem in the home of Silicon Valley and many of the world's most advanced IT industries. Nevertheless, as the Chronicle report points out:

[...] cybersecurity experts said even after years of increased awareness among corporate boards of online threats, the vast majority of energy and industrial companies lack technologies and personnel that would allow them to constantly monitor control system networks. That leaves companies blind to industrial attacks.

You guessed it. Cyber security is expensive and complicated. And inconvenient. Requiring strong passwords, for example, may be seen as an imposition by folks who still use "password123" on all their devices. Helen was right. Strong security is frightfully difficult. It requires complex sign-on procedures or expensive tech, like retinal scanners or fingerprint readers. Couple that with the fact that both government and industry have striven mightily to keep cyber attacks under wraps and out of the headlines. This has served to dampen widespread public support for and understanding of tougher security requirements.

Still, cyber security lands square on your desk if you're a risk manager. Check out that excellent article in the Houston Chronicle and anything else you can find. Make the folks in the C-suite think the uncomfortable thoughts. How much money do we think the City of Atlanta saved by not investing in security - until that hacker shut half the city down?

Speaking of Which...

Verizon does much more than produce annoying TV commercials. Today's exhibit is an excellent new report, the 2018 Data Breach Investigations Report, 11th Edition (good summary and other links on Verizon's site). "Businesses find it difficult to keep abreast of the threat landscape, and continue to put themselves at risk by not adopting dynamic and proactive security strategies," says George Fischer, president of Verizon Enterprise Solutions.

The report focuses on ransomware. It's the most common type of intrusion, featuring in 39% of all malware incidents. The report provides a detailed look into what's really going on now in the world of cybercrime and what you can do to protect your systems, data, reputation, and revenue (assuming that interests you). Some highlights:



Ransomware is the most prevalent variety of malicious software: It has started to impact business critical systems rather than just desktops. This is leading to bigger ransom demands, making the life of a cybercriminal more profitable with less work.


The human factor continues to be a key weakness: Companies are nearly three times more likely to get breached by social attacks than via actual system/software based vulnerabilities, emphasizing the need for ongoing employee cybersecurity education.


Financial pretexting targets HR: Pretexting incidents have increased over five times since the 2017 report, with 170 incidents analyzed this year.


Phishing attacks cannot be ignored: A cybercriminal only needs one victim to get access into an organization.


DDoS attacks are everywhere: DDoS attacks can impact anyone and are often used as camouflage, often being started, stopped, and restarted to hide other breaches in progress.


Most attackers are outsiders: Malware is increasingly a business of pros.

If any of this sounds familiar, it's because this Journal has pointed out similar reports from other sources over the last few years. But the hits just keep on coming. Cybercrime isn't going away. It's getting worse. It may well be the biggest risk on your desk.

Active Shooters and Workers' Comp

Despite the headlines, workplace shootings are fairly rare in the US. The Bureau of Labor Statistics tells us that at-work homicides average about 560+ annually. Of these, a little over half involve employee fatalities incurred during a robbery or other "external" crime. The rest are primarily worker-on-worker violence, with about 30 or so incidents each year involving two or more fatalities. Still, the rate has ticked up slightly in the last few years. During the years 2012 to 2015 workplace homicides overall increased by 2%, but incidents involving guns increased by 15%.

While the raw numbers are small, these events are devastating when they happen and the repercussions ripple out through the workplace. The Workers' Comp Institute has published a neat, short overview of the role of PTSD (Post Traumatic Stress Disorder) and its impact on workers' comp claims. While any discussion of these events necessarily emphasizes the role of first responders, bear in mind that any one of your employees could be involved first hand. You don't have to be wearing a badge to see things no one should see. You can be a school teacher, a sheet metal worker, an administrative assistant, a risk manager - anyone.

PTSD claims take us into tricky regulatory areas in most states because we are talking about what comp pros call a "mental/mental stress" claim (the claimant is not physically injured). Because an active shooter scenario can happen anywhere, having some policies and principles in place for how you want to handle subsequent comp claims is a good idea. The WCI article is an excellent discussion guide to help you think through what you need to do if the unspeakable happens on your watch. Check it out.

Concussion - in the theater?

The old theater saying is "break a leg," meaning have a good run with your new production. A study published in the March 2018 issue of The Journal of Occupational and Environmental Medicine (www.joem.org by subscription only) recalibrates this saying. Turns out that legs are not the issue. This study looked at the prevalence of concussions in theater work and the findings were surprising. Some 67% of the folks studied (actors as well as production crews) had incurred at least one serious bell-ringing-type incident in the course of normal theater activities. This number came as a shock in part because theater people seem reluctant to report injuries. The ethos is "on with the show."

It has already been reported that athletes and dancers routinely don't report injuries. Professional musicians routinely and quietly suffer work-related injuries, primarily from overuse. Just try playing an instrument for several hours every day. Hello, carpal tunnel or focal point dystonia. Why care? Well, are your people chronically underreporting injuries too? That might sound like a good problem to have until you think about how untreated injuries often get worse and then become serious - and expensive. Do you have an "on with the show" attitude in your business? Are you seeing a severity bias creeping into your claims? Remember that early treatment is usually the least expensive treatment. Don't make heroes of the people who soldier on valiantly until the day they can't. Great way to buy a PTD.

