Chapter 4

RISK

 

OVERVIEW

Risk management for small and mid-size companies needs to include cyber security protection. Some experts call it the most important issue this year. OSHA fines and penalties have also increased dramatically in the past year, and preventive strategies, like training, are recommended to avoid injury and lawsuits.

 

CYBER SECURITY

60% of U.S. businesses will experience a breach of sensitive data this year, and 68% of funds compromised by cyber security issues are uncoverable, according to a recent article entitled, 28 Cyber Security Statistics that Will Inspire You (to protect yourself).

Cyber Security has become a significant problem for U.S. business, as evidenced by the 150% growth in Cyber Security insurance last year. Last fall, SHRM posted this article:

In September, Yahoo confirmed that hackers had compromised at least 500 million user accounts, making the incident the largest data breach from a single site in history. On Oct. 18, Yahoo CEO Marissa Mayer stated in a release that she remains confident of Yahoo’s value and ability to keep its users information safe, despite the breach, which analysts believe might thwart the company’s plans to sell its core business for $4.83 billion to Verizon.

 

Marissa Mayer’s confidence is not warranted: the day we went to publication, Yahoo revealed another breach – its 3rd major security breach in the past 3 years. This time 3.2 million user accounts were compromised. But, it’s not just large companies that are experiencing serious cyber security issues; attacks on small and mid-size firms are escalating, too, to the point one professional hacker called it, ‘the most significant issue for small business in 2017.’

Security breaches can be expensive for companies, according to the Journal of Cybersecurity. The total annual cost of cybersecurity crimes is $8.5 billion, and the cost for an individual company is about $200,000, according to research published in the

 

journal. The article cites Ransomware, Onion-Layered Security Incidents, and Insider Threats as among those growing in incidence. Heimdal Security reported that 59% of employees steal proprietary company data when they leave.

BitSite, a Security Blog, listed a few cyber statistics that will motivate you to implement cyber security protections.

 

Vulnerability Statistics

• “Crypto-style ransomware grew 35 percent in 2015.” Source: Symantec 2016 Internet Security Threat Report
• “59% of employees steal proprietary corporate data when they quit or are fired.” Source: Heimdal Security
• “63% of businesses don’t have a ‘fully mature’ method to track and control sensitive data.” Source: 2014 State of Risk Report, as quoted in Trustwave Security Stats

 

Data Breach Statistics

• In 2016, there have been 454 data breaches with nearly 12.7 million records exposed. Source: 2016 Identity Theft Resource Center Data Breach Category Summary
• “In 2015, at least 60% of enterprises will discover a breach of sensitive data.” Source: Forrester: Planning For Failure, 2015, as quoted in Trustwave Security Stats
• Only 38% of global organizations feel prepared for a sophisticated cyberattack.” Source: 2015 Global Cybersecurity Status Report from ISACA
• “In 60% of cases, attackers are able to compromise an organization within minutes.” Source: 2015 Data Breach Investigations Report from Verizon

 

Cost Statistics

• “80% of analyzed breaches had a financial motive.” Source: 2016 Data Breach Investigations Report from Verizon
• “68% of funds lost as a result of a cyber attack were declared unrecoverable.” Source: Heimdal Security
• “The cyber insurance market—mainly a U.S. market—has grown from $1 billion to $2.5 billion over the past two years, and it is expected to grow dramatically and expand globally over the next five years.” Source: The Business of Cybersecurity: 2015 Market Size, Cyber Crime, Employment, and Industry Statistics from Forbes See Also: Security Ratings For Cyber Insurance

 

• “The forecast average loss for a breach of 1,000 records is between $52,000 and

$87,000.” Source: 2015 Data Breach Investigations Report from Verizon

 

Cyber Security Statistics

Below, we’ve selected a list of 6 Cyber Security steps that can help protect you immediately.

• Regularly backup your data in case your company experiences a ransomware attack.
• Educate your staff so they are aware of the different types of cybersecurity incidents and how to avoid them.
• Keep your systems updated so they have fewer security vulnerabilities.
• Enforce good password policies, including requirements that passwords be changed periodically, and prohibit password sharing.
• When employees are terminated, immediately cancel all their credentials, including password logins.

 

The National Cybersecurity Alliance offers free security checkups and tools that may be useful for smaller companies that do not have dedicated security teams.

Government organizations are now holding companies accountable for security breaches. One hospital in Texas was fined 3.2 million for HIPAA violations, and Memorial Hospital in Florida was fined 5.5 million for repeated violations.

Protecting client, customer and employee information is more important for all companies in 2017. You may want to evaluate the suitability of cyber insurance, too.

[thrive_leads id=’30339′]

OSHA

According to OSHA, 4,500 people died in job-related accidents last year, and 3 million employees were injured. OSHA conducted more than 32,000 inspections last year, and in August, 2016, increased violation fines and penalties substantially.

According to SHRM’s Allen Smith, in his October 2016 article, ‘Steep New Penalties Under OSH Act Raise Compliance Concerns:

 

Serious violations of the law rose from $7,000 to $12,471 per violation. Failure to abate increased from $7,000 to $12,471 per day after the date recorded on an OSHA citation for correction of the violation. Willful or repeated violations rose from $70,000 to $124,709 per violation.

 

In addition, Smith adds that OSHA has added new rules. It is already required that work-related fatalities be reported within eight hours. In 2017, the following incidents now need to be reported by covered companies with 24 hours:

• All work-related in-patient hospitalizations of one day or more.
• All amputations (except for the loss of an ear).
• All losses of an eye (an actual loss of the eye, not loss of vision)

 

 

New mandates require much more public disclosure, too. For example, beginning in July, 2017, covered companies are required to submit Form 300 online; by July, 2018, forms 300, 300A and 301; and, by 2019, all three online forms must be submitted by March 2.

In December 2016, OSHA also began enforcement of new anti-retaliatory rules to protect individuals that report violations.

 

Most Common OSHA Violations

What are the most common OSHA issues? Neil Wasser, an attorney with Constangy, Brooks, Smith & Prophete in Atlanta, in the SHRM article, cites the following:

 

• Blocked exits.
• Unlabeled containers.
• Goods stacked precariously high.
• Missing ground prongs for electrical devices.
• Lack of appropriate personal protective equipment.

 

 

In addition, in October 2016, OSHA published its own Top 10 list of violations, which it considers a starting point for business safety.

 

• Fall protection
• Hazard communication
• Scaffolds
• Respiratory protection
• Lockout/tagout
• Powered industrial trucks
• Ladders
• Machine guarding
• Electrical wiring

 

• Electrical, general requirements

Some PEOs can conduct a Risk Assessment and provide employee training in these areas.  Creating and communicating a ‘safety policy’ is a good idea for all companies.

 

IF YOU HAVE RISK-RELATED QUESTIONS,

CONTACT COREY AT eESI at 888-495-1171 x. 152.