Technology

04Jul 2017

As the workforce in the United States becomes more mobile, so do the capabilities of employers to track their employees on the road. From a distance, accurately monitoring employee productivity, working hours, injuries, conduct and company property presents a challenge. The use of global positioning systems (GPS) is an excellent way to address these difficulties. Using satellites and receivers installed in a vehicle, laptop or cell phone, these devices are able to locate an employee’s physical location and vehicle speeds with reasonable accuracy.

There are several legal considerations that employers must address before using GPS technology for their mobile workers.

Invasion of Privacy 

Employees may have a reasonable expectation that their location and actions are private from their employer.

For example: An outside sales representative attends a support group during his lunch break during working hours. Though he does not disclose this information to his employer or co-workers, the employer discovers that the employee is attending these meetings through GPS monitoring. The employer may then be held liable for invasion of privacy.

Employer Fails to Supervise Employees Properly

If an employer discovers that an employee presents a risk to others and does not act, the company is at risk for a claim of negligent supervision.

For example: A commercial driver tends to speed while he is on the job, and his employer discovers this through the GPS system installed in his vehicle. The employer does nothing about this discovery, and the driver subsequently gets into an accident because he was speeding. As a result, the employer is liable for negligent supervision.

Employee Discrimination

Though an employee’s membership with a group may be protected by federal and state discrimination laws, the employer may not always be aware that the employee is a member. Yet, with the use of GPS technology, an employer can sometimes discover their employees’ affiliations, thus supporting a discrimination claim.

For example: An employee is receiving treatment for a terminal illness on his own time. Through GPS tracking on his laptop, his employer discovers that the employee is ill. A few months later, the employee is terminated and when the he files a disability discrimination claim, his employer cannot deny knowing about the employee’s illness because his laptop was being monitored.

Inaccurate Data Collection

If an employer makes an employment decision based on data collected from a GPS and the information is found to be inaccurate, the employer may be subject to defamation, wrongful termination and employment discrimination claims.

For example: The GPS system installed in a delivery driver’s vehicle inaccurately places the driver at a gentlemen’s club near where he is actually making deliveries. Though the employee was doing his job honestly, the employer assumes that he was visiting the club on the clock. As a result, the employee is terminated. This puts the employer at risk for claims of wrongful termination.

Advantages and Disadvantages of Using GPS Devices 

Employers reap several benefits from installing GPS monitoring into their employee’s vehicles or electronic devices, such as the following:

  • Increased efficiency and improved customer service.
  • Better recordkeeping capabilities and improved business operations.
  • More contact with employees throughout the work day.

Employers should also remain cautious of these dangers of using GPS technology:

  • Employees who are monitored may feel as though their employer does not trust them and may relinquish some of their independence and individuality that they once brought to the job. This may negatively affect their independent decision-making abilities.
  • There may be an urge to implement unreasonable schedules because employees are constantly monitored.
  • The ability to monitor employees during breaks and before and after working hours can pose issues. By learning what employees do with their own time, an employer can obtain a full picture of the lives of their mobile employees. Thus, employers may breach the privacy that their employees expect and prefer.

Recommendations for Employers to Reduce the Risk Associated with GPS Monitoring

When using GPS devices to monitor your employees, consider these recommendations:

  • Limit GPS monitoring to company-owned property, as it is easier for an employee to make a privacy claim while in possession of his or her own property.
  • Develop a comprehensive written policy about the use of GPS technology, and enforce this policy strictly. It should outline how the devices and the information attained will be used. All employees who will be monitored with a GPS device should acknowledge receipt of the policy in writing.
  • Limit GPS monitoring to the confines of the policy for legitimate business operations only.
  • Employers should also not monitor any activities relating to union organizations, as that can be seen as unlawful surveillance.
  • Re-calibrate the system for accuracy on a regular basis.
  • Many states have privacy laws. Check with your legal counsel before implementing GPS technology.

Remember that while the use of GPS technology can be a powerful management tool, it can become a legal nightmare. By using this technology lawfully, you can benefit the efficiency of your business while respecting the privacy of your employees.

04Jul 2017

For businesses looking to share resources quickly and effectively, cloud computing can be an attractive answer. However, while moving operations to the cloud is an effective way to reduce hardware and software costs while keeping data readily available, it can also expose your company to certain risks that need to be taken into consideration when deciding if it is right for you.

Picking the right cloud service provider can mean the difference between a lasting success and a costly failure. Either way, you need to ask the right questions and set the right requirements to ensure that your potential cloud provider increases your productivity, not your risks.

Contracts

The most important part of moving some or all of your operations to a cloud provider is establishing a contract that will lay out, in advance, the way your data will be managed. Ultimately, your company is responsible for any data that it is entrusted with, even when that data is being stored by a third party. Without the cloud, your company has full control over its data security and Internet policy. If you make the move to a cloud computing platform, the provider you choose may not have the same high standards currently held by your company. With a contract, you can make sure your provider enforces the same level of protection that your company would on its own system.

Questions for Potential Providers 

One of the biggest mistakes a company can make is to not investigate and/or negotiate the terms of its contract with potential providers before beginning service. The less you know about your provider and what services they are willing to guarantee, the larger the room for error. When comparing cloud computing services, there are some factors that you need to consider:

  • Data recovery: What happens if a disaster destroys one of your provider’s servers? Are they obligated to replace the data stored on it? Do they even have the capability? Temporary data loss can be extremely inconvenient and costly to a company. If it is permanent and the provider has given you no guarantee to restore data, the loss can be devastating. Make sure the provider has the resources in place to back up your data to ensure that there cannot be any permanent loss. Also, make sure they can restore your data in a reasonable timeframe to avoid an extended disruption to your operations.
  • Data location: Data put into the cloud can be stored anywhere, from across town to a server on the other side of the world. Unfortunately, not all countries are as strict as the United States when it comes to data security. While your provider may be headquartered in the United States., it could utilize server space in multiple countries. Depending on the location, this could mean reduced security standards. Ask providers to guarantee your data will be stored on servers within the United States and that they will conform to all local regulations regarding data security.
  • Ending a partnership: Before you begin the partnership, it is important to consider how things will work out if it ends. Whether by your own decision or because of an unfortunate event, such as your provider going out of business or being taken over by another company, there may come a time when you will part ways with your cloud provider. To avoid loss, ask potential providers to describe the system for transferring data from their servers back into your control should your business relationship end.

New Territory

Cloud computing is a relatively new concept, meaning there may be a number of risks that are not yet apparent. This also means that most cloud providers have a limited history in the industry. Cloud computing comes with many advantages, but you need to strongly consider the types of sensitive data you are willing to risk moving to the cloud.

04Jul 2017

Allowing employees to work remotely from home or other off-site locations can increase productivity for workers, reduce costs for the company and create beneficial flexibility to keep operations going if something happened to your business’s primary physical location. However, remote work, or telecommuting, needs to be conducted carefully with the help of established company policies to protect workers, your clients and your company.

Balancing the Benefits

For the organization, one of the most tangible benefits of remote workers is the decrease in costs associated with having on-site employees. Workspace real estate can be reduced or kept at current levels, while still allowing your staff to grow. Companies can reduce utility expenses, reducing their overall carbon footprint. In addition, your employees can enjoy a savings on fuel expenses, vehicle maintenance and meal costs.

Many employees flourish in a remote work situation. The flexibility it allows can increase morale and help balance work and home life, resulting in increased productivity. As well, remote work options allow a company to employ talent from all over the world.

Having employees in different locations and able to work at home also increases your business’s ability to continue operations in the event of a disaster. If for some reason your physical office had to close, many business functions could still go on.

Start Small 

Begin your remote work program on a small scale using a pilot program. Present the opportunity to just one or a few established employees whose work could be well-suited for this type of environment, even if troubles are met along the way. Testing this program before a company-wide implementation will help address the inherent risks to business processes and workflows as bumps along the way, rather than wide-spread problems.

While remote work can pose many exposures, most of them can be mitigated with thorough planning and proper execution. Once policies and procedures are established, companies can take full advantage of the benefits that having remote workers offers.

Project Productivity Risk

The change in environment will mean that workflows will need to be adjusted. As well, different methods of communication and oversight will need to be used to keep supervisors and team members just as connected to remote workers as they are to the workers in the workspace next to them. Employees allowed to work remotely should already be in good standing with the company and understand what it will take from them to keep projects moving. Overall, with the right adjustments, productivity should remain the same, if not improve, for remote workers.

Safety at Home

Workplace safety and ergonomics should be just as important for remote workers as on-site workers at your company. Remote workers should attend a specialized safety training or orientation to thoroughly address all possible exposures they’ll face in their new environment, including ergonomics.

When a remote worker begins in their new workspace a site visit should occur with a supervisor or HR personnel to check that all commonsense safety measures are being addressed. Periodic visits are a good idea to ensure continued compliance. Remember that remote workers have all the same rights to workers’ compensation for injuries that occur in the course of employment that employees in your facility do. Not monitoring a remote workers workspace periodically can allow hazards to develop, putting your company at greater risk for a workers’ comp claim.

Information Security 

Information security is the largest challenge for companies with remote workers. Physical loss or theft of devices containing data or access to data is much more likely. Remote workers will usually be in possession of laptops and/or mobile data drives issued by the company to allow them to work with the same systems and information as workers located in-house. The protection of building security, key cards and the watching eyes of other employees will not be able to protect their equipment.

Another aspect of security to be cautious about is using company-issued equipment for non-work related tasks. If laptops are accessed by family members they could potentially download a virus or spyware. The same could happen if an employee got lax and used their company equipment for personal use. Companies should also be aware of how any sensitive data or documents will be stored and disposed of. Physical print outs especially need to be disposed of properly.

To protect your employee and your company’s interests, be sure that all equipment requires passwords and encryption for access. A thorough policy should be established regarding the line between personal and company property and activity for remote workers to prevent missteps from happening. When establishing the employees remote worksite, be sure that any wireless connection is secured and that your company has a policy about using unsecured connections (such as at hotels and other public spaces) for work tasks. Companies can also set up VPN (Virtual Private Network) access for connecting to the company’s networks, to ensure that access is secure.

Contact Kaercher Insurance for more information on protecting your business’s best interests and planning for business continuity and growth.

29May 2017

As intellectual property becomes a vital part of more firms’ assets, businesses must consider the additional exposures they face. There are several types of intellectual property protected under federal law: trademarks, copyrights, patents, trade dress and trade secrets. To help protect your business, there are two types of intellectual property coverage available: the first protects a company sued for infringement by paying for legal defense, and the second helps pay the legal expenses of suing an alleged infringer.

If the threat exists that (1) your company could be sued by a competitor for infringement or intellectual property theft, or (2) you do not have the funds to cover legal fees associated with defending your patent or trademark, it is vital that you purchase this coverage. Defending infringement litigation can cost hundreds of thousands of dollars, not including the cost of damages and prejudgment interest. In patent infringement cases, attorney’s fees can easily top $1 million.

Budgeting and planning for the protection of intellectual property rights may not only save your company a significant amount of capital; it may also help keep your business viable when legal bills accumulate rapidly. There are several options to cover these exposures: the “advertising injury” provision in the standard Commercial General Liability policy; endorsements to Errors and Omissions policies; and specialized policies offered by certain insurers specifically designed for the protection of intellectual property rights.

Commercial General Liability Policy – Advertising Injury

The Commercial General Liability Policy, or CGL, is a standard liability policy offering broad coverage. Coverage for an advertising injury often falls under Coverage B in a CGL. Any act by the insured that somehow violates or infringes on the rights of others (referred to in the policy as an offense) is the subject of personal and advertising injury liability coverage, although only those acts that are specifically listed in the policy are covered. The coverage under the “advertising injury” provision is limited to those injuries that are directly related to the advertisement. Therefore, the policy covers debts owed by the insured party due to claims filed against it.

Coverage B policyholders are sometimes covered in cases relating to trademark infringement; however, copyright claims are only successful where they are directly related to advertising, and patent claims are rarely covered under the “advertising injury” provision. The cases which allow for coverage in a patent infringement case are generally limited to instances in which a court finds contributory infringement or inducement to infringe through an advertising medium. Since the “advertising injury” provision in a standard CGL is rather limited, many businesses consider additional coverage.

Special Endorsements and Policies 

Beyond the CGL, specialized policies can be better suited to a business’s unique exposures. These are Errors and Omissions liability policy endorsements that can vary in focus from media and communications to patent infringement. Note that these policies have not been the subject of much litigation, and therefore, judicial guidance on coverage determinations is comparatively limited. It is important to consider multiple carriers, since available coverage varies widely from carrier to carrier.

Infringement Defense and Abatement Insurance

A third option relates primarily to patents, though riders for copyrights and trademarks may be available. Carriers have developed policies specific to intellectual property, generally with patents in mind. In relation to patents, there are three basic policy types: (1) defense and indemnity; (2) defense only; and (3) offensive, or infringement, abatement insurance.

A defense and indemnity policy would provide defense coverage in a patent infringement suit and, if the party in question is found liable, would pay for damages, including prejudgment interest. A defense only policy, much like it sounds, covers only the cost of defense and does not cover damages awarded to the successful party, while an offensive policy covers only the costs of pursuing an infringer. Certain carriers will amend some of the above-mentioned policies to include endorsements for trademark and copyright infringement for an additional premium.

Exclusions to Coverage

In addition to special exclusions, there is a general exclusion to the CGL stating that there is no coverage “for an offense committed by an insured whose business is advertising, broadcasting, publishing or telecasting.” With the increase in claims, many carriers are drafting exclusions that specifically omit coverage for copyrights that falls outside of infringement of copyrighted advertising materials, patents, trademarks and the like.

It is important to be aware of the exclusions to any policy that you purchase. The most common exclusions specified in intellectual property policies are for willful infringement, anti-trust violations, infringement existing or known on the effective date of the policy and criminal acts

Asserting Coverage 

To maximize coverage, there are a number of steps that your company should follow. Failure to investigate the existence of coverage in a timely manner can absolve a carrier of liability and create grounds for a malpractice case against the intellectual property legal counsel. While courts have held outside intellectual property counsel liable for failure to pursue coverage determinations, companies should still proactively recognize and review the potential for insurance coverage for protection of their intellectual property assets.

  1. If a claim has been asserted against your company, you have a duty to notify your carrier. In fact, notifying your carrier immediately is in your best interest because a delay could be grounds for denying coverage. In the case where a formal complaint has been served on the company, the following six steps are recommended.
  2. The policy or policies should be analyzed by counsel to determine under which policies the claim may be covered. In this step, the complaint should be closely examined for types of issues raised and should be compared to the relevant policy clauses.
  3. The company should promptly tender defense to the carrier. In the tender, all policies that may provide coverage should be identified, including the specific clauses.
  4. Demand a prompt response to the tender. If a sufficient extension of the time to answer is not granted, it is possible that a response to the complaint will be due prior to the issue of coverage being resolved. If that is the case, then defense counsel should be retained until the issue of coverage is determined.
  5. Review the carrier’s response to the company’s tender. The carrier may accept defense; it may defend under a reservation of rights; the carrier or the policyholder may seek a declaratory judgment for a coverage determination; or it can reject tender.
  6. If there is a conflict in the interests of the carrier and the policyholder, the policyholder should insist on the right to control the litigation and should further insist upon independent counsel.
  7. Be diligent about which documents are shared with the carrier, especially in cases where the carrier has reserved its rights to deny coverage. While the policyholder has a duty to cooperate with the carrier, in a case where a reservation of rights to deny coverage has been tendered, the production of certain documents to the carrier could result in the waiver of the attorney-client privilege as to the subject matter of the produced documents.

Comparing Policies

Insuring your company’s intangible assets and its liability is a vital part of risk management. Insurance for both infringement of intellectual property and for an assertion of infringement against your company can provide financial security and peace of mind.

Kaercher Insurance will compare your desired coverage to the specifically named offenses in policies based upon enumerated risks and will examine any exclusions that may weaken the coverage you seek. We are skilled at identifying the perils associated with intellectual property and high-technology companies and can assist you in selecting the right policy for you. Let our experience help you to protect your most precious assets. Contact us today at (702) 304-7800 to assure that the coverage you buy meets your needs in today’s marketplace.

16May 2017

Hiring young employees can bring fresh talent and innovation, giving your company an edge over your competitors. But that edge can quickly be erased, as young workers also bring additional technology risks. According to a Cisco Connected World Technology Report, 70 percent of young employees frequently ignore their company’s information technology (IT) policies.

Millennials, generally those born in the early 1980s to late 1990s, have grown accustomed to sharing everything about their personal lives on social media sites such as Facebook, YouTube, and Twitter. Though these social platforms encourage users to share personal information, young workers should be actively encouraged to safeguard company data.

Common Misconceptions 

Young employees, especially those new to a business environment, can have some common misconceptions when it comes to IT policies. Millennials can:

  • Forget the policies
  • Believe their supervisors aren’t monitoring computer or mobile device use
  • Believe the policies are too inconvenient
  • Think that the policies will make work inefficient
  • Use unauthorized programs or applications to expedite work
  • Assume that company security is handled entirely by the IT department

Additional Risks to Consider

Young employees can compromise IT security by leaving their computers or other personal devices unattended, increasing the risk that that both the equipment and company data could be lost, stolen or misused. Sending work-related emails to personal email accounts, and using computers and social networking sites for both work and personal reasons can also compromise IT security. Millennial workers may be more likely to blur the line between using IT for both personal and work-related purposes, which can increase the risk of negligence.

Consider that not only young employees, but all employees can compromise IT security in the following ways:

  • USB flash drives: While these are convenient portable devices for storing information, they make it too easy to take sensitive information out of the office and can be misplaced easily since they are so small.
  • Wireless and wi-fi networks: Whether it’s an employee’s personal Wi-Fi network at home or free Wi-Fi at the local coffee shop, it is important that employees use a secured virtual private network (VPN) and take other security measures when they log in on networks outside of your company.
  • Laptop computers: Lightweight and handy for working remotely, laptops are also susceptible to viruses from improperly-secured networks.
  • Smartphones: Though useful for obtaining information at your fingertips, smartphones are also another portable way to take sensitive data out of the office. 
  • Collaboration websites: Websites, such as a wiki or SharePoint site, are great tools for employees working together on projects; but it’s critical that only authorized employees are logging in and accessing your company’s projects on these sites.
  • Social media tools: Sites such as Facebook and Twitter can benefit your business, but negligent use, such as including sharing critical company information, can be a risk.
  • Other communication applications, such as peer-to-peer (P2P), Skype and instant messaging tools can be vectors for malware and a threat to information security.

Employers shouldn’t necessarily prohibit employees from using technology, as this list includes many tools necessary to complete work-related tasks. It’s important to know the risks and educate young employees to use technology properly.

Mitigating the Risks 

Employers must find the balance between allowing young employees to use social networking websites and portable devices to do their jobs, while at the same time protecting company information. Employers should examine their exposures and consider what level of risk they are willing to accept. Here are some easy steps that will help secure your company’s information safe:

  • Review your company’s IT policy. If it needs to be updated, speak with the professionals at Kaercher Insurance for up to date cyber security information.
  • Make sure all employees are aware of your company’s IT policy and the consequences if the policy is not followed.
  • Create strong, trusting relationships between young employees and your IT department.
  • Create IT awareness materials so young employees are continually reminded of IT security risks and what they can to do prevent them.
  • Train new young employees on data protection and IT security risks, and provide refresher training for seasoned employees to ensure everyone is aware of the risks and the importance of safeguarding company information.

Contact Kaercher Insurance for more information on how to avoid IT security risks.

02May 2017

You’re not in the technology industry, so you don’t need cyber liability coverage, right? Consider the amount of sensitive or confidential information about your law firm and clients that you store electronically. How would you answer that question now?

You may not think you need this kind of protection, but in an age where a stolen laptop or hacked network can instantly compromise the personal data of all of your clients, protecting yourself from cyber liability is just as important as protecting yourself from some of the more traditional exposures. And cyber risks and data breaches are most likely not covered under your legal professional liability policies.

Benefits of Cyber Liability Coverage 

Cyber liability insurance is specifically designed to address the risks that come with using modern technology. The level of coverage your law firm needs is based on your individual operations and can vary depending on your range of exposure. It is important to work with a broker who can identify your areas of risk and tailor your policy to your firm.

If your law firm experiences a data breach, you have a responsibility, and are sometimes legally obligated, to report the breach to your clients. This can damage both your finances and your relationships with your clients. Cyber liability coverage may cover the costs of notifying the people or institutions affected as well as any lost income resulting from the data breach.

What Your Policy Should Cover

When working with your broker on your cyber liability coverage, make sure your policy includes these coverage options, if applicable to your firm:

  • First party coverage: Covers your own data or lost income after a data breach.
  • Third party coverage: Covers your liability to clients or government/regulatory entities.
  • Confidential information: Covers data when it is under the care, protection or control of third parties (the copy center you use, IT support services).
  • Unencrypted devices: Protects laptops and other devices from easy access if they are stolen.
  • Data restoration: Covers the work hours and money needed to regain your lost data.
  • Coverage for corporate clients: Covers liabilities for your clients that are companies, corporations or partnerships, as well as the people who work for these entities.

Making Your Policy Affordable

Cost is always a concern when adding a new insurance policy. Here are strategies you can use to help lower your premium:

  • Install, use and regularly update anti-virus and anti-spyware software on every computer used in your business.
  • Use a firewall for your Internet connection.
  • Conduct regular risk assessments.
  • Use strong, encrypted passwords and change them regularly.
  • Train employees in cyber-security principles and develop a written IT policy.

Remember that even the best computer security can be breached. But conducting risk assessments will help you identify anticipated threats and be prepared to respond and recover. Taking steps to establish a cyber security program, including purchasing cyber liability insurance, is a smart way to protect your firm.

02May 2017

Selling your goods online can enhance customer relationships, attract new customers and increase sales revenue. However, if you are considering expanding your business online, it is important to understand what is required to maximize information security and minimize credit card payment risks. E-commerce sites that have little or no fraud controls in place can experience a chargeback rate of 10 percent or more. It is important to understand the basics of credit fraud before opening up for business online.

Typical Risks for E-Commerce Merchants 

Those handling transactions online should consider the following common risks:

  • Fraud
  • Account information theft by hackers
  • Account information theft on site
  • Customer disputes and chargebacks

Authentication Systems

To avoid chargebacks, it is up to the e-commerce merchant to apply the right tools and controls to verify the cardholder’s identity and the validity of the transaction. When used efficiently, these systems can reduce fraudulent transactions and the potential for customer disputes:

  • Address Verification Service checks a credit card holder’s billing address with the issuer, providing merchants with an indicator of the validity of the transaction.
  • Card Verification Value numbers are printed on the back of credit cards and can help ensure that the customer is in possession of a genuine card.
  • Fraud Screening examines transactions and calculates the level of risk associated with each transaction, providing merchants with risk scores.

Chargebacks

Chargebacks are transactions that are returned as your financial liability, and they translate into extra processing time and cost in addition to possible loss of revenue. They occur for several reasons:

  • Customer-disputed transactions 
  • Fraud
  • Authorization issues
  • Inaccurate or incomplete transaction information
  • Processing errors

When cardholders dispute transactions on their statements, they usually ask for a copy of the receipt, which you should provide to the card company as soon as possible to avoid loss.

Train Your Staff

Be sure your staff is aware of the risks of credit fraud and chargebacks. They should know the chargeback rules and regulations that your provider uses and be well-versed in your risk management policies and procedures.

19Apr 2017

Passwords are used in many ways to protect data, systems and networks. They are used to authenticate users of operating systems (OS) and applications such as email, labor recording and remote access. Passwords are also used to protect files and other stored information, such as password-protecting a single compressed file, a cryptographic key or an encrypted hard drive. In addition, passwords are often used in less visible ways; for example, a biometric device may generate a password based on a fingerprint scan, and that password is then used for authentication.

Password Management

Effective password management reduces the risk of compromise of password-based authentication systems. Organizations need to protect the confidentiality, integrity and availability of passwords so that only authorized users can use passwords successfully as needed. Integrity and availability should be ensured by typical data security controls, such as using access control lists to prevent attackers from overwriting passwords and having secured backups of password files.

Ensuring the confidentiality of passwords is considerably more challenging and involves a number of security controls along with decisions involving the characteristics of the passwords themselves. For example, requiring that passwords be long and complex makes it less likely that attackers will guess or crack them, but it also makes the passwords harder for users to remember. This increases the likelihood that users will store their passwords insecurely and expose them to attackers.

Organizations should be aware of the drawbacks of using password-based authentication. There are many types of threats against passwords, and most of these threats can only be partially mitigated. Also, users are burdened with memorizing and managing an ever-increasing number of passwords. Although the existing mechanisms for enterprise password management can somewhat alleviate this burden, they each have significant usability disadvantages and can also cause more serious security incidents because they permit access to many systems through a single authenticator. Therefore, organizations should make long-term plans for replacing or supplementing password-based authentication with stronger forms of authentication for resources with higher security needs.

Authentication can involve something the user knows (e.g., a password), something the user has (e.g., a smart card), or something the user “is” (e.g., a fingerprint or voice pattern). Single-factor authentication uses only one of the three forms of authentication, while two-factor authentication uses any two of the three forms and three-factor authentication uses all three forms.

Using multiple factors makes it more difficult for someone to gain unauthorized access to the system—it is easier to either discover a user’s password or steal the user’s smart card than it is to both steal the smart card and discover the user’s password. To meet various security and operational needs, the selection of authentication methods varies among systems, but passwords are the most commonly used authentication method, and are often used both by themselves and with other authentication factors.

Protecting Your Passwords

Organizations should implement the following recommendations to protect the confidentiality of their passwords:

  • Create a password policy that specifies all of the organization’s password management-related requirements.

Password management-related requirements include password storage and transmission, password composition, and password issuance and reset procedures. In addition, organizations should also take into account applicable mandates (e.g., Federal Information Security Management Act of 2002 (FISMA)), regulations and other requirements and guidelines related to passwords.

An organization’s password policy should be flexible enough to accommodate the differing password capabilities provided by various OSs and applications. Organizations should review their password policies periodically, particularly as major technology changes occur (e.g., new OS) that may affect password management.

  • Protect passwords from attacks that capture passwords. 

Attackers may capture passwords in several ways, each necessitating different security controls. For example, attackers might attempt to access OS and application passwords stored on hosts, so such passwords should be stored using additional security controls, such as restricting access to files that contain passwords and storing one-way cryptographic hashes of passwords instead of the passwords themselves. Passwords transmitted over networks should be protected from sniffing threats by encrypting the passwords or the communications containing them, or by other suitable means.

Users should be made aware of threats against their knowledge and behavior, such as phishing attacks, keystroke loggers and shoulder surfing, and how they should respond when they suspect an attack may be occurring. Organizations also need to ensure that they verify the identity of users who are attempting to recover a forgotten password or reset a password, so that a password is not inadvertently provided to an attacker.

Continue reading

10Apr 2017

Unmanned aerial drones, also called unmanned aircraft systems (UAS), are a new type of aircraft that has broad commercial and personal uses. UAS can be used to inspect buildings, deliver materials or fly around as simple, recreational products. However, as UAS become more advanced and widespread, they can represent a significant new threat to your business.

The exposures caused by UAS have been widely covered by the media. Drones have crashed at the U.S. Open, the White House and other prominent locations, and they have led to instances of property damage, severe injuries and death. Additionally, as UAS technology advances, new risks such as cyber security and privacy need to be considered.

These threats, along with the lack of comprehensive UAS regulations, make drones a new and substantial risk exposure. You need to be aware of how UAS can impact your business, and what you can do to protect it.

Consider the Technological Risks 

Since most drones are small and widely viewed as advanced hobbyist aircraft or toys, you may not consider them substantial threats. However, many small UAS are already equipped with advanced cameras and listening devices, and they also present other risks to your business’s privacy.

Researchers have demonstrated that drones equipped with smartphones can access data from a business’s insecure networks and devices. Additionally, these drones can access areas that a normal person could not, such as the top floor of a building or outside the window of a secured room.

Any of your business’s Wi-Fi networks, computers or wireless printers could also be targeted by a properly equipped drone. Employees’ personal devices could be vulnerable to this same type of attack, and any business information on these devices could be compromised.

The cyber security risks of drones will only be compounded by additional features that make UAS easier to use and even autonomous. As GPS and sensor technology improves, the owner of a UAS could instruct a drone to automatically monitor your business, disrupt its operations or steal its data. Even if a drone isn’t used for nefarious activities, if one is unmonitored or forgotten, it could still crash and cause significant damage.

Continue reading

10Apr 2017

Many medical devices contain configurable embedded computer systems that can be vulnerable to cyber-security breaches. In addition, as medical devices are increasingly interconnected via the Internet, hospital networks, other medical devices or smartphones, there is an increased risk of cyber-security breaches, which could affect how a medical device operates.

The Food and Drug Administration (FDA) has recently become aware of cyber-security vulnerabilities and incidents that could directly impact medical devices or hospital network operations, such as the following:

  • Network-connected/configured medical devices infected or disabled by malware
  • The presence of malware on hospital computers, smartphones and tablets, targeting mobile devices using wireless technology to access patient data, monitoring systems and implanted patient devices
  • Uncontrolled distribution of passwords, disabled passwords, hard-coded passwords for software intended for privileged device access (e.g., to administrative, technical and maintenance personnel)
  • Failure to provide timely security software updates and patches to medical devices and networks and to address related vulnerabilities in older medical device models (legacy devices)
  • Security vulnerabilities in off-the-shelf software designed to prevent unauthorized device or network access, such as plain-text or no authentication, hard-coded passwords, documented service accounts in service manuals and poor coding/SQL injection.

The FDA has been working closely with other federal agencies and manufacturers to identify, communicate and mitigate vulnerabilities and incidents as they are identified.

FDA Recommendations/Actions 

The FDA has a number of recommendations to mitigate the risks that technology may pose to health care organizations.

For all device manufacturers:

Manufacturers are responsible for remaining vigilant about identifying risks and hazards associated with their medical devices, including risks related to cyber security, and are responsible for putting appropriate mitigations in place to address patient safety and ensure proper device performance.

The FDA expects medical device manufacturers to take appropriate steps to limit the opportunities for unauthorized access to medical devices. Specifically, it is recommended that manufacturers review their cyber-security practices and policies to ensure that appropriate safeguards are in place to prevent unauthorized access or modification to their medical devices or compromise the security of the hospital network that may be connected to the device. The extent to which security controls are needed will depend on the medical device, its environment of use, the type and probability of the risks to which it is exposed, and the probable risks to patients from a security breach.

Continue reading