Preventing Heat Illness as Temperatures Soar

With temperatures rising, employers with outdoor workers need to take steps to protect them from heat illness.

California employers need to be especially mindful as Cal/OSHA has workplace safety regulations governing the prevention of heat illness. The heat illness standard came into effect about seven years ago as the number of deaths due to heat illness started climbing, particularly among agricultural, construction and landscape workers, among others.

Heat illness occurs when the body’s temperature control system cannot maintain an acceptable level. Under normal circumstances, the body cools itself by sweating. However, when high temperatures and high humidity prevent the body from releasing heat efficiently, a person’s body temperature can rise quickly.

Progression to serious illness can be rapid. If left untreated, very high body temperatures might damage the brain and other vital organs – and ultimately cause a person’s death.

You should take immediate action to seek treatment for a worker if they start exhibiting one or more of the following signs:

  • Headache
  • Fatigue
  • Dizziness
  • Confusion
  • Cramps
  • Exhaustion

 

Workers with existing health problems or medical conditions that reduce tolerance to heat – such as diabetes – need to be extra vigilant. Some high blood pressure and anti-inflammatory medications can also increase a person’s risk for heat illness.

To ensure you are in compliance with California workplace safety regulations, you need to ensure the following:

 

Access to water

Staying hydrated is probably the single-most important step in heat-illness prevention. Water must be “fresh, pure, suitably cool” and located as close as practicable to where employees are working (and enough to provide at least one quart per employee per hour for the entire shift).

Employers should encourage workers to stay hydrated and drink water.

 

Access to shade

When temperatures reach 80 degrees, you must have and maintain one or more areas of shade at all times, when employees are present. Locate the shade as close as practical to the area where employees are working and provide enough to accommodate the number of employees on meal, recovery or rest periods.

Even if temperatures are less than 80 degrees, you must permit access to shade for workers to rest.

 

Preventative cool-downs

If an employee starts feeling unwell, they must be allowed to take a “preventative cool-down rest,” during which they must be monitored for symptoms of heat illness.

They should be encouraged to remain in the shade and not ordered back to work until symptoms are gone. Employees with heat illness symptoms must be provided appropriate first aid or emergency response.

 

Weather monitoring and acclimatization

Instruct supervisors on-site to monitor the weather so they can institute the correct procedures (like erecting shade at 80 degrees).

Acclimation procedures include close observation of all employees during a heat wave – defined as at least 80 degrees. New employees must be closely observed for their first two weeks on the job.

 

High-heat procedures

High-heat procedures (which are triggered at 95 degrees) must include:

  1. “Effective” observation and monitoring of employees, including a mandatory buddy system.
  2. Regular communication with employees working by themselves.
  3. Designating one or more employees to call for emergency services, if needed.
  4. Giving more frequent reminders to drink plenty of water.
  5. Holding pre-shift meetings on prevention.
  6. During high heat, agricultural employees must be provided with a minimum 10-minute cool-down period every two hours.

 

Employee and supervisory training

Ensure appropriate training of both your workers as well as supervisors. Nobody should be working outside in heat if they have not been trained in heat illness prevention and emergency procedures.

Employee training should cover:

  • The company’s heat illness prevention procedures.
  • Their rights to take regular water and rest breaks.
  • Importance of frequent consumption of small quantities of water.
  • Signs and symptoms.
  • Appropriate first aid or emergency response.
  • Importance and methods of acclimatization.
  • Importance of immediately reporting signs or symptoms of heat illness to a supervisor.
  • Procedures for responding to possible heat illness.
  • Procedures to follow when contacting emergency medical services, providing first aid.

 

Supervisors must be trained on the following:

  • The heat standard requirements.
  • The procedures they must follow to implement the requirements.
  • Procedures to follow when a worker exhibits or reports symptoms consistent with possible heat illness, including emergency response procedures and first aid.
  • How to monitor weather reports and how to respond to hot-weather advisories.

 

Emergency response and written procedures

Emergency response procedures include:

  • Effective communication.
  • How to respond to signs and symptoms of heat illness.
  • Instructions on what to do when employees exhibit severe heat symptoms.
  • Procedures for contacting emergency responders to help stricken workers.

 

Written procedures form part of an effective heat illness prevention plan that should include, but not be limited to your responsibility to provide:

  • Water
  • Shade
  • Cool-down rests.
  • Access to first aid.
  • The employees’ right to exercise their rights under this standard without retaliation.

 

 

How to Retain Your Fleet Coverage

As insurers continue tightening their underwriting for commercial auto insurance, they are inquiring about companies’ fleet management programs.

If a company lacks a program, some insurers are asking them to implement one if they want coverage. With this trend likely to continue as the number of traffic accidents and injuries continues to rise, it’s imperative for any company with a fleet – or even just a few vehicles – to identify opportunities for improvement and take any appropriate remedial action.

Areas to focus a fleet management program on include:

 

Driver training

One key element that’s often overlooked is senior leadership support. A lack of it can manifest itself in a variety of ways, including mixed messages between what is emphasized in training and the performance feedback supervisors give to drivers. You should also:

  • Continually reinforce safety priorities in regular driver feedback.
  • Use annual performance reviews as training opportunities.
  • Have employees sign off on areas targeted for improvement or development.

 

Focus on distracted driving

If you have a fleet or any individuals driving for you, it’s of utmost importance that you have a strict policy for avoiding distracted driving. In your fleet manual, you should document that you continually reinforce rules on avoiding distracted driving. Focus on the use of hand-held mobile devices, the use of which increases the potential for accidents by 23%, according to the National Highway Traffic Safety Administration.

You have a choice to make:

  • Use technology-based measures, such as those used to prevent vehicles from starting when mobile devices are in use, or
  • Establish strict protocols on the use of mobile phones or other hand-held devices.

 

The latter may be sufficient in your case.

Tracking systems and litigation defense

Enhanced tracking systems, including video and telemetry, can help strengthen litigation defense, improve outcomes and reinforce training. Companies implementing telemetry systems with dash cams can verify what caused an accident. By using these systems, some operators have reduced litigation costs and court awards by 90%.

Logistics software

Logistics software can be used to enhance safety and improve efficiency in routing and job distribution. Even field vehicles can be equipped with shock sensors, operator requirements to complete inspections prior to movement, tracking and other features.

Review your coverage

On an annual basis, you should talk to us to ensure your insurance levels for drivers are adequate and appropriate. For contractors with fleet operations, commercial automobile insurance policies should have a minimum of $1 million in liability limits. Higher limits of $3 million to $5 million are typically required for transporting passengers or hazardous materials.

Driver screening and safety

Screen and monitor drivers by:

  • Obtaining an annual motor vehicle record for each driver with a points qualification system.
  • Administering DOT 7- or 10-panel drug tests with standard cut-off levels for pre-employment, random, reasonable suspicion and incidents that warrant testing.
  • Requiring that drivers complete online or in-person driving courses annually.
  • Requiring that drivers wear high-visibility reflective vests when outside the vehicle.
  • Identifying personal protective equipment for drivers in the right situation (plan for rain, snow, footing, etc.).
  • Supplying polarized sun/safety glasses to reduce glare.

Generally, from a risk management perspective, candidates applying for driver positions that have DUI offenses, reckless operations and suspended licenses are considered unacceptable, as are those with two tickets and one accident in a five-year period. Many firms try to keep drivers to below three minor tickets in a five-year period.

Incident management

All fleet drivers must be trained on what to do after an accident. The top priority is to ensure all people are safe and taken care of. The next aspect is to collect all necessary information and take as many photographs of the accident as possible.

Subsequently, there should be follow-up to ensure everyone is safe and the incident report is completed correctly. Require that all incidents be reported by the end of the shift, and set a 24-hour deadline for getting the claim into your system.

Inspections

Inspect vehicles prior to each usage. Pre-trip inspections typically include visual checks of tires and lug nuts, windshield, windows, wipers, lights and mileage.

Oil levels and tire pressure should be inspected weekly or more often, depending on weather conditions and vehicle utilization.

 

Don’t Get Caught without a Business Succession Plan

Many business owners may be good at running their companies, but the majority of them are failing to address essential long-term planning that is critical to sustaining their businesses.

The one area that the majority of business owners often neglect is planning for business continuity if they die or become disabled, according to the “2015 MassMutual Business Owner Perspectives Study”.

While the question of your death or disablement is not one that’s fun to ponder, it makes good sense for business owners to put plans in place in case the worst happens. One of the key ways to ensure that is to have in place a buy-sell agreement, which would essentially sell your company in the event that you are unable to run it any longer.

Business owners in the survey identified these concerns:

  • The effect on the business of the death or disability of the owner or key employee.
  • Protecting the business from disability and death of an owner or key employee had the second and third highest levels of importance (44% versus 42%, respectively). However, these two pillars were not top of mind for respondents, with 55% saying they rarely or never think about the effect of disability and 59% saying they rarely or never think about the effect of death.
  • Of those with a buy-sell agreement in place, just over half said it was funded with life insurance, but only 5% said it was funded with disability buy-out insurance. The rest were either funded with cash flow from the business or not funded at all.

 

What’s a buy-sell agreement?

A buy–sell agreement, also known as a buyout agreement, is a legally binding agreement between co-owners of a business that governs the situation if a co-owner dies or is otherwise forced to leave the business, or chooses to leave the business. If the business has just one owner, then the agreement should specify who would be buying the company and continue its operation.

A buy-sell agreement should be designed to protect the business from the five D’s – death, disability, divorce, departure and disqualification.

When properly executed, a buy-sell agreement can help ensure the continuity of the business when ownership needs to change hands for any reason. It is a legally binding agreement that requires one party to sell and another party to buy ownership interest in a business when a triggering event occurs, such as the death, disability or retirement of an owner.

This agreement structures the method and manner in which the business will continue in the event of the owner’s death.

In a 2003 article for Franchising World magazine, Patrick Olearcek explains: “The proprietor and one or more key employees [or partners] enter into an agreement which provides that the proprietor’s estate will sell the business to the employee at death.”

By agreeing to buy the company, the key partner, employee or associate relieves the owner’s family of the responsibility, and instead provides them with a lump-sum payment. A key employee, as opposed to the owner’s family, is in a much better position to continue the business operations properly.

 

Funding the agreement

The majority of buy-sell agreements are funded with life insurance. In the case of a sole proprietorship, a policy covering the life of the owner is typically bought and paid for by the key employee who has agreed to purchase the business.

The employee is also the beneficiary of the policy, which has a death benefit equal to the pre-determined purchase price of the business. Upon the death of the owner, the employee would receive the proceeds of the life insurance policy, then transfer that money to the owner’s heirs in exchange for all interest in and assets of the business.

 

 

Tips on Hiring Teens for Summer Employment

You may be considering taking on some extra workers for the summer months, and often many employers will gravitate towards hiring teenagers looking for temporary work.

If you are planning on hiring any workers under the age of 18, you should familiarize yourself with federal and any state laws on child labor restrictions.

The Fair Labor Standards Act contains rules for employing minors, including that they are entitled to the prevailing minimum wage and overtime. But it also includes provisions for when minors can work and what kind of work they can do.

The FLSA’s child labor restrictions are heavily enforced and management bears the burden of abiding by these rules, so it’s best to study up on the restrictions.

 

Hazardous work
Minors are prohibited from any occupation that’s on the U.S. Department of Labor’s list of hazardous occupations. This includes, among many others:

  • Driving a motor vehicle
  • Trenching and excavation work
  • Roofing work
  • Baling
  • Using power-driven tools and machinery

 

The above are the only laws that apply specifically to 16- and 17-year-olds. There are some additional provisions for 14- and 15-year-olds, who can generally do jobs like:

  • Office and clerical work
  • Intellectual and creative work (like design)
  • Cashiering
  • Stocking shelves

 

The federal youth employment provisions limit the times of day, number of hours, and industries and occupations in which 14- and 15-year-olds may be employed. If it’s summer and school is out of session, you have leeway to let them work eight hours a day. But if they stay on during school, consult the child labor section of the Department of Labor’s website.

 

Tips

Get a USDOL-sanctioned age certificate – This will help you avoid misjudging a minor’s age and inadvertently violating child labor laws.

Clearly describe job duties – This will help you ascertain that the work you are expecting the minor to perform does not conflict with regulations on prohibited work. Take extra care when hiring someone younger than 16.

Tell other workers the exact tasks the minor can do – This will avoid “mission creep” if another employee decides to ask the minor to perform additional tasks that were not in the original job description. This will avoid a situation where they may be asked to do something they are prohibited from doing.

Proper supervision – Make sure that your minor employees are properly supervised. A good idea is to assign a more experienced employee to work with them to ensure they are doing their job properly and safely. This also frees up supervisors from having to constantly monitor the young employee.

 

Rating Agency Calls for 7.2% Workers’ Comp Rate Cut

Thanks to reforms enacted in 2014, California’s workers’ comp rating agency is recommending that the average benchmark rate be cut by 7.2% for policies effective July 1 and onward.

The filing made by the Workers’ Compensation Insurance Rating Bureau is for the state’s pure premium rates, which are essentially the base rates to cover expected costs of claims and claims-adjusting expenses across all worker class codes.

The rates are advisory only and insurers can price their policies as they wish, so there are no guarantees that any particular employer will see a rate decrease when their policy renews.

The rate reduction is a recommendation and Insurance Commissioner Dave Jones will have the final say on whether to accept it or propose a different rate change based on analysis by Insurance Department actuaries.

If Jones adopts the rate change, it will be the seventh straight cut since rates started declining in 2015. Should the latest recommendation be approved, benchmark rates will have dropped an average of 35% since then.

 

Why is the rate falling?

The benchmark rate is falling due to the effects of SB 863, which took effect in 2014. Besides increasing permanent and temporary disability payments to injured workers, the legislation has gone a long way towards reducing claims costs by:

  • Significantly reducing the number of spinal surgeries.
  • Reducing bureaucratic tie-ups, leading to increases in claim settlement rates. At the 48-month mark, 77.1% of claims had been settled in 2017, up from 71.1% in 2011. At the 36-month mark, 66.8% of claims had been settled, up from 58.5% in 2011.

The Rating Bureau attributes these improved settlement rates to SB 863, which it says has accelerated the rate at which claims have settled as a result of quicker medical-treatment resolution through the use of independent medical review, reduction in the volume of liens and the drop in spinal surgeries.

  • The higher claims settlement rates have also decreased the cost of adjusting claims.
  • Setting requirements for lien filings and simplifying the lien system, which significantly reduced lien filings. Before new rules on liens took effect, in 2016 the Workers’ Compensation Appeals Board was receiving 25,500 liens per month. After the rules took effect, lien filings from March 2017 to February 2018 had fallen 40% to a monthly average of 15,500.

Another factor the Rating Bureau cited is the new Medical Treatment Utilization Schedule drug formulary, which took effect Jan. 1, 2018. It says it adds 0.5 percentage points to the rate-decrease proposal.

 

The black marks

The one area of concern is cumulative injury claims, which continue to grow in numbers mostly in the Los Angeles area and San Diego.

The ratio of cumulative injury claims in the LA area had grown to 15.5 claims per 100 indemnity claims in 2016, up from 8.7 in 2011. In San Diego, they accounted for 11.2 claims per 100 indemnity claims in 2016, up from 6.6 claims in 2011.

In addition, the average cost of medical treatment is also on the way up, but at a relatively low rate of 3% a year.

 

Protecting Your Important Data When Employees Leave

When is a business most susceptible to losing data, intellectual property and important records? No, not during a cyber attack or a break-in, but during lay-offs.

With employees possibly feeling disgruntled after being let go, it’s common for some of them to pocket important company data – usually client lists, old e-mails, vendor contacts and even intellectual property that is essential to the company’s competitive advantage.

During lay-offs or termination, you need to take steps to protect your data and intellectual property, but there are legal implications as well for how far you can go. Consider the following:

Non-solicitation agreements – These protect against a departing employee taking with them proprietary, confidential information like client and vendor lists. A non-solicitation agreement bars an ex-employee from going to a competitor and contacting your clients for business.

These are not legal in all states, so check your state laws and consult with your attorneys. In California, for example, non-solicitation agreements are not enforceable.

Non-disclosure agreements – These are different than the above and no states bar them. They focus instead on company data that a competitor can use to harm the business.
These agreements spell out the employee’s fiduciary obligations under the law by identifying protected company proprietary and confidential information. The agreement requires that the employee keep such information secret for a certain period of time.

Before huddling with your lawyer, your management team should identify all of your company’s data that you feel is worth protecting.

Return and inventory all company property – Before your employee leaves the premises, make sure they have returned all of your property that may contain company information. That would include:

  • Originals and copies of company documents the employee has made.
  • Data on the worker’s personal phone or home computing devices (this may be difficult to enforce, but you should make them aware that they are required to delete it).

 

Passwords and access – On their last day, remember to delete their user names, passwords and access codes from your database and systems. This could include:

  • E-mail passwords
  • Voicemail passwords
  • Teleconference and intranet passwords
  • VPN access and passwords
  • Building or office coded lock-access codes.

 

Make sure to also collect any company ID cards. If you have concerns they may try to contact your current customers or vendors for any reason that could be detrimental to your firm, you can consider notifying them that the employee is no longer with you.

Conduct an exit interview – During this interview, you should go over boilerplate information like why they were let go and the importance of not taking with them any physical or intellectual property.
Ask questions to determine what, if any, company data they may have been privy to or had access to. Also, if you have non-disclosure or non-compete agreements in place, use this time to reiterate the consequences for violating those agreements.

 

What to look for

It’s more difficult to avoid data misappropriation by an employee who is planning on quitting, as they can make preparatory moves unbeknownst to you.

When employees are planning to take corporate data or are in the process of doing so, there are often one or more signs, which can be monitored with the right systems in place:

  • A spike in an employee copying information to the cloud, USB drives, personal devices, e-mail accounts, and more. An increase in such activity could mean that an employee is planning to leave or has gotten wind of an impending dismissal and wants to copy useful information before they go.
  • A surge in documents being deleted from an employee’s laptop or desktop computer. Files may also be deleted from corporate file shares.
  • Sudden spikes or drops in e-mail activity.
  • An employee accessing your customer relationship management system or financial accounts during late nights or very early mornings. This could mean they are scraping your files.
  • The employee is sending e-mails to and/or receiving e-mails from a competitor.
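
The signs listed above can be written as rules over activity logs. The following is an added example, not part of the original article; the event format, field names, thresholds, user names and domains are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Assumed tunables; calibrate against your own baseline before alerting on them.
SPIKE_FACTOR = 3.0                  # review-day volume vs. average baseline day
MIN_VOLUME = 20                     # ignore swings on tiny absolute counts
OFF_HOURS_START, OFF_HOURS_END = 22, 6   # 22:00-05:59 counts as off-hours
SENSITIVE_APPS = {"crm", "finance"}
EXTERNAL_DESTS = {"cloud", "usb", "personal_email", "personal_device"}


def _daily_totals(events, action, keep=lambda e: True):
    """Sum event counts per (user, date) for one action type."""
    totals = defaultdict(int)
    for e in events:
        if e["action"] == action and keep(e):
            day = datetime.fromisoformat(e["ts"]).date().isoformat()
            totals[(e["user"], day)] += e.get("count", 1)
    return totals


def _today_and_baseline(totals, user, review_day, baseline_days):
    """Return (review-day total, average total per baseline day) for a user."""
    today = totals.get((user, review_day), 0)
    base = sum(totals.get((user, d), 0) for d in baseline_days) / len(baseline_days)
    return today, base


def detect(events, review_day, baseline_days, competitor_domains):
    """Return {user: sorted list of signals} raised on the review day."""
    flags = defaultdict(set)
    users = {e["user"] for e in events}
    copies = _daily_totals(events, "copy", lambda e: e["dest"] in EXTERNAL_DESTS)
    deletes = _daily_totals(events, "delete")
    mails = _daily_totals(events, "email")

    for u in users:
        # Spike in copying to external destinations, or surge in deletions.
        for name, totals in (("copy_spike", copies), ("delete_surge", deletes)):
            today, base = _today_and_baseline(totals, u, review_day, baseline_days)
            if today >= MIN_VOLUME and today > SPIKE_FACTOR * max(base, 1):
                flags[u].add(name)
        # Sudden spike or drop in e-mail activity.
        today, base = _today_and_baseline(mails, u, review_day, baseline_days)
        if base >= MIN_VOLUME and today < base / SPIKE_FACTOR:
            flags[u].add("email_drop")
        elif today >= MIN_VOLUME and today > SPIKE_FACTOR * max(base, 1):
            flags[u].add("email_spike")

    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        if ts.date().isoformat() != review_day:
            continue
        # CRM or financial system access late at night or very early.
        if e["action"] == "app_access" and e["app"] in SENSITIVE_APPS:
            if ts.hour >= OFF_HOURS_START or ts.hour < OFF_HOURS_END:
                flags[e["user"]].add("off_hours_access")
        # Mail exchanged with a competitor's domain.
        if e["action"] == "email":
            if e["peer"].rsplit("@", 1)[-1].lower() in competitor_domains:
                flags[e["user"]].add("competitor_email")
    return {u: sorted(f) for u, f in flags.items()}


BASELINE_DAYS = ["2024-03-04", "2024-03-05", "2024-03-06"]
REVIEW_DAY = "2024-03-07"


def sample_events():
    """Constructed sample log: two users, three baseline days, one review day."""
    ev = []
    for day in BASELINE_DAYS:
        for user in ("avery", "blake"):
            ev += [
                {"ts": f"{day}T10:00:00", "user": user, "action": "copy", "dest": "cloud", "count": 5},
                {"ts": f"{day}T11:00:00", "user": user, "action": "delete", "count": 3},
                {"ts": f"{day}T12:00:00", "user": user, "action": "email",
                 "peer": "client@customer.example", "count": 30},
                {"ts": f"{day}T14:00:00", "user": user, "action": "app_access", "app": "crm"},
            ]
    d = REVIEW_DAY
    ev += [  # blake has an ordinary day; avery shows every sign at once
        {"ts": f"{d}T10:00:00", "user": "blake", "action": "copy", "dest": "cloud", "count": 6},
        {"ts": f"{d}T12:00:00", "user": "blake", "action": "email",
         "peer": "client@customer.example", "count": 28},
        {"ts": f"{d}T14:00:00", "user": "blake", "action": "app_access", "app": "crm"},
        {"ts": f"{d}T09:30:00", "user": "avery", "action": "copy", "dest": "usb", "count": 400},
        {"ts": f"{d}T09:45:00", "user": "avery", "action": "delete", "count": 150},
        {"ts": f"{d}T11:00:00", "user": "avery", "action": "email",
         "peer": "client@customer.example", "count": 4},
        {"ts": f"{d}T11:05:00", "user": "avery", "action": "email", "peer": "hr@rival.example"},
        {"ts": f"{d}T23:40:00", "user": "avery", "action": "app_access", "app": "crm"},
    ]
    return ev


def run_sample():
    return detect(sample_events(), REVIEW_DAY, BASELINE_DAYS, {"rival.example"})


if __name__ == "__main__":
    for user, signals in run_sample().items():
        print(user, signals)
```

Each signal on its own has innocent explanations, so the output is best treated as a prompt for review that takes into account how many signs appear together for one user.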

 

 

Top 10 Wage and Hour Law Mistakes by Employers

California’s wage and hour laws are not always easy to conform to and often employers are confused about how to comply with statutes. Employers have cause to worry: often, failure to follow the law can leave a company open to lawsuits and/or regulatory action.

To keep you informed about the laws that are most easily breached, this story looks at a presentation by Jennifer Shaw, partner of the Shaw Valenza law firm in San Francisco, at the Society for Human Relations Management’s annual convention and exposition. Shaw treated attendees at the conference to her “Top 10” list of the most common wage and hour infractions.

 

  1. Misclassification of employees as independent contractors – One of the main factors in showing independent status is if the employer has control over the work and how that work is carried out.
  2. Improperly imposing the company’s vacation policy – First off, there is no statute that requires an employer to offer vacation time, but if they do, they cannot impose a “use-it-or-lose-it” policy. An employer must pay out accrued vacation at the end of employment. That said, an employer can cap accrued vacation at a certain level as long as it is reasonable.
  3. Failure to pay full amount of final wages – When you terminate an employee you are obligated to pay their wages immediately. Also, if an employee gives 72 hours’ notice or more of their intent to leave your employ, you must pay their wage or salary on their last day of work. If not, you have 72 hours to pay. If you pay via direct deposit, the same rules apply. You must make the deposit to their account on their last day.
  4. Improperly handling expense reimbursement, breakage or loss and the use of uniforms and tools – You are required by law to pay all expenses an employee incurs on behalf of the company. If you require uniforms or certain tools, you must provide them at no cost to the employee. You also are barred by law from charging an employee for any breakage or loss they may be responsible for.
  5. Failure to post notices as required by law – An employer is obligated under federal and state laws to post a variety of notices in the workplace. In California, along with other required postings, employers must post applicable wage orders.
  6. Improperly calculating wages – Be mindful of how you calculate wages to be paid for piecework, bonuses and commissions.
  7. Failing to pay overtime – All non-exempt employees that work more than eight hours in a day and 40 hours in a week are due overtime. Your employee cannot opt to forgo overtime pay and if an employee works overtime without your approval, you are obligated to pay them. You are allowed, however, to reprimand them for doing so. You are also not allowed to trade overtime for time off instead of paying the overtime rate of time and a half.
  8. Failure to provide breaks and meal periods – Under state law employees are due a 10-minute break for every four hours worked in addition to a 30-minute break after working five hours. Employees can forgo a meal break if they work less than six hours. It is best to cover your bases and require that your employees take all of their 10-minute breaks and lunch periods.
  9. Misclassifying non-exempt staff as exempt – Many companies don’t properly classify their non-exempt employees. Non-exempt employees are paid a salary instead of an hourly wage (which makes them exempt from overtime laws). But they can only be considered exempt if their salary is at least twice the state minimum wage. That also means that whenever the state’s minimum wage increases, the minimum salary for exempt workers also climbs.
  10. Wage order mistakes – With 17 different wage orders establishing the state’s minimum wage, it’s easy to understand why employers are confused. For the best resource for finding out which wage order applies to your employees, you can visit the Industrial Welfare Commission’s website (www.dir.ca.gov/iwc/iwc.html). There you’ll see a link that reads: “Find out which wage order pertains to my occupation.”

California High Court Upends Independent Contractor Test

The California Supreme Court has handed down a decision that rewrites the state’s independent contractor law by adopting a more stringent test for determining whether or not someone is an employee for wage order cases.

The new test is similar to Massachusetts independent contractor law, which is considered the strictest in the country.

The new law will affect any California business that uses independent contractors and it makes it more difficult to classify someone as an independent contractor.

In its decision in Dynamex Operations West, Inc. vs. Superior Court, the court rejected a test that’s been used for more than a decade in favor of a more rigid three-factor approach, often called the “ABC” test.

The ‘ABC’ test

Under this new test, a person would be considered an independent contractor only if the hiring entity can prove:

  1. That the worker is free from the control and direction of the hiring entity in connection with the performance of the work, both under the contract for the performance of the work and in fact.
  2. That the worker performs work that is outside the usual course of the hiring entity’s business; and
  3. That the worker is customarily engaged in an independently established trade, occupation, or business of the same nature as the work performed (in other words, that the worker is in business for themselves).

The prong that changes the most is the B prong. Prior to this decision, a hiring entity could show that a worker is an independent contractor by either showing that they work outside the course of the company’s usual business or outside all of the places of business of the hiring company.

The decision essentially deletes the second clause about outside all of the places of business of the hiring company. In other words, the only way to be an independent contractor is if the work falls outside the scope of the usual course of business of the hiring entity.

While this shouldn’t interfere with your business if you hire a contractor to come in and work on building repairs, companies that have been using the independent contractor model to conduct their business may run into problems.

It should be noted that this case only concerns wage orders issued by the Industrial Welfare Commission, and does not apply to other wage and hour laws.

That means for other cases not concerning wage orders, an earlier decision known as the “Borello” decision still stands in terms of the independent contractor test.

In Borello, the Supreme Court held that the “right to control” the means and manner in which work is performed by a worker is the most important of several factors to be considered when evaluating a classification analysis. Other factors include:

  • Ownership of equipment
  • Opportunity for profit and loss, and
  • The belief of the parties.

This test is more flexible because it balances the different factors to arrive at a classification based on individual circumstances of each case. Prior to Dynamex, many referred to the multi-factor Borello test as the traditional “common law” classification analysis.

The takeaway

In light of this new decision, it may be more difficult proving that someone you hire as a non-employee is actually an independent contractor under the state’s wage and hour laws.

Any business that uses independent contractors as a regular course of business will have to address difficult questions concerning the continued viability of the contractor model.

Also, because the court homed in on the application of the “suffer or permit to work” standard to a variety of business relationships in California, hiring entities will have to make sure that the contracts they enter into reflect the parties’ allocation of responsibility for wage and hour violations.

Compromised E-mails Grow as Hackers Double Down on Employees’ Bad Clicks

As the cyber threat spreads its tentacles, a new report sheds light on a rising risk, with the number of business e-mail compromises growing at an increasing rate.

The report by Beazley Breach Response Services, part of specialist insurer Beazley P.L.C., found that the e-mail threat is greater for organizations that use Office 365, Microsoft’s cloud-based package of popular software like Word, Excel and Outlook, the e-mail platform.

The study found that hack and malware breaches via Office 365 accounted for 13% of incidents during the first quarter of 2018.

The report should set off alarm bells at all organizations since e-mail is central to how we get business done these days.

Financial services, health care and professional services are the top sectors targeted by attempts to compromise e-mail as a way to gain entry into an organization’s systems.

 

What’s happening?

Employees are usually the weakest link in an organization’s chain. Anybody with e-mail in an organization can let in hacks and malware by clicking on a link in a phishing e-mail, or in what appears to be a HelpDesk message or Microsoft survey. Once they click on one of these links, the employee is directed to a website that appears legitimate, with the Microsoft logo and a general “look” that mimics the company’s own website.

There they are asked for e-mail credentials, including a password. Once those details are supplied, either malware infects the system, or the hacker harvests the user’s credentials and logs into the mailbox undetected.

 

What happens when hackers gain access to e-mail?

After getting access, hackers can:

  • Run searches to steal personally identifiable information.
  • Steal bank information to send e-mails requesting fraudulent wire transfers.
  • Search the inbox to determine what HR and benefits self-service portal the employer uses, and then request a password reset for the user in that system. Once in the self-service portal, the attacker redirects the employee’s paycheck to one of their accounts.
  • Send spam e-mails to all of the user’s contacts in an attempt to get others to give up their credentials as well.

 

The top two causes of data breaches reported to Beazley Breach Response Services were hack or malware (42%) and accidental disclosure (20%). Social engineering and disclosure by insiders were the next highest causes of incident, each at 9%.

Another threat that gains entry when employees click on bad links is ransomware, which can shut down an organization’s entire system. Hackers then demand a ransom to unlock it.

 

What you can do

There are a number of simple ways to thwart infiltrators:

  • Change passwords regularly
  • Have dual-factor authentication
  • Remove auto-forwarding or auto-delete rules
  • Teach your employees how to detect bogus-looking e-mails. If unsure, one of the best ways is to look at the sender’s full e-mail address and see if it comports with the e-mail address of a known entity, like a bank.
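
An added example, not part of the original article: one way to check for the auto-forwarding and auto-delete rules mentioned in the list above, run over inbox rules exported from the mail system. The field names are assumed to follow Exchange Online's Get-InboxRule output; the sample rules, the addresses and the INTERNAL_DOMAINS value are constructed for illustration.

```python
import re

# Assumption: the organization's own mail domains. Replace with your accepted domains.
INTERNAL_DOMAINS = {"example.com"}
FORWARD_FIELDS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
SMTP_RE = re.compile(r"SMTP:([^\]\s]+)", re.IGNORECASE)

# Constructed sample rules (invented mailboxes and addresses), shaped like
# records exported from Exchange Online's Get-InboxRule.
SAMPLE_RULES = [
    {"Mailbox": "ap.clerk@example.com", "Name": ".",
     "ForwardTo": ['"collector" [SMTP:collector@mail.example.net]'],
     "DeleteMessage": True},
    {"Mailbox": "hr@example.com", "Name": "Newsletters",
     "MoveToFolder": "Newsletters", "DeleteMessage": False},
    {"Mailbox": "ceo@example.com", "Name": "Copy to assistant",
     "RedirectTo": ['"Assistant" [SMTP:assistant@example.com]'],
     "DeleteMessage": False},
    {"Mailbox": "sales@example.com", "Name": "Cleanup",
     "ForwardTo": None, "DeleteMessage": True},
]


def external_targets(rule):
    """Addresses a rule forwards or redirects to that are outside INTERNAL_DOMAINS."""
    found = []
    for field in FORWARD_FIELDS:
        for recipient in rule.get(field) or []:   # field may be absent or None
            for addr in SMTP_RE.findall(recipient):
                # Exact domain match: subdomains count as external unless listed.
                if addr.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS:
                    found.append(addr.lower())
    return found


def review_rule(rule):
    """Reasons a rule needs a manual look; an empty list means none were found."""
    reasons = []
    external = external_targets(rule)
    if external:
        reasons.append("forwards outside the organization: " + ", ".join(external))
    if rule.get("DeleteMessage"):
        reasons.append("deletes matching mail automatically")
    return reasons


def audit(rules):
    """Map (mailbox, rule name) to its findings, skipping rules with none."""
    return {(r["Mailbox"], r["Name"]): why for r in rules if (why := review_rule(r))}


if __name__ == "__main__":
    for (mailbox, name), why in audit(SAMPLE_RULES).items():
        print(f"{mailbox} / rule {name!r}: {'; '.join(why)}")
```

A rule that both forwards externally and deletes the original, as in the first sample record, is the combination most worth a manual look, since it copies mail out while hiding it from the mailbox owner.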

 

Office 365 tips

For organizations that use Office 365, Beazley recommends that they:

  • Require two-factor authentication for access to Office 365.
  • Use the Secure Score tool. This Microsoft tool can be used by anyone who has administrative privileges for an Office 365 subscription. It helps not just with analyzing Office 365 security, but also with implementing best practices for it.
  • Enforce strong password policies. Educate employees about the risks of recycling passwords for different applications.
  • Alert employees who have access to accounts-payable systems or wire transfer payments about these types of scams.
  • Train all employees to beware of phishing attempts.
  • If you use cloud-based platforms, investigate what logging is available and make sure it is enabled. For instance, if you’ve migrated from on-premises Exchange to Office 365, audit your security settings, which are reset to default settings during migration. In Office 365, you must turn on audit logging in the Security & Compliance Center.
  • Work with your cloud provider’s technical team to determine what activities are logged and ensure you have the visibility you need, for the monitoring period you need.

 

Most Disaster-hit Firms Have Wrong Type of Insurance

A new report by four Federal Reserve Banks found that small businesses affected by large disasters had failed to secure the right type of insurance, and that there was a mismatch between damages suffered and their insurance coverage.

While some businesses suffered actual property damage, the majority that were affected by hurricanes, other major storms, wildfires and flooding suffered uninsured economic damages as a result of having to close or limit operations following such events that struck in 2017.

The study by the Federal Reserve Banks of San Francisco, New York, Richmond and Dallas found that because insurance holdings appeared to be mismatched to the actual damage that occurred, many businesses suffered uncovered losses.

Additionally, affected firms applied for credit financing more than disaster relief, and most of them faced funding gaps.

The concern is that this phenomenon is widespread across the United States, which is experiencing an increasing frequency and severity of natural disasters. And the main area of an insurance mismatch seems to be not in property protection, but in business interruption coverage.

Here were some of the main findings of the report:

  • For affected firms, forgone revenues – not assets – were the largest source of losses.
  • Sixty-five percent of affected firms cited loss of power or utilities as the source of their losses. But, only 17% had business disruption insurance at the time of the disaster.
  • Flood damage (38%) and wind damage (36%) were also common sources of losses, but only 16% of affected firms had specific flood insurance coverage and just 21% had wind insurance.
  • Of the affected businesses, 36% did not lose any assets, 45% had asset losses ranging from $1-$25,000, and only 19% lost more than $25,000.
  • Of the affected firms, only 4% did not have any revenue losses, 61% had revenue losses ranging from $1-$25,000, and 35% lost more than $25,000.
  • Affected firms reported sizable revenue and employment gaps and elevated incidence of financial challenges compared to unaffected firms.
  • Their insurance holdings appeared to be mismatched to the sources of their damages, leaving uncovered losses. For example, 65% of affected firms cited power or utilities issues as the source of their losses, but only 17% had business disruption insurance.
  • After the catastrophes, 48% of affected businesses applied for credit financing and 27% filed for disaster relief (indicating they did not have the correct insurance).

 

The takeaway

In light of the increasing severity and economic cost of natural disasters, it is critical that small businesses secure business interruption coverage to account for the lost revenue from the downtime they suffer post-incident.

Many business owners assume that the property insurance they already own will cover their lost revenue, but they’re wrong. Business interruption insurance is designed to replace revenue losses a firm might suffer in the case of a disaster, be that an equipment breakdown, problems experienced by suppliers, strikes that affect distribution networks or a natural disaster, among others.

While property insurance covers the value of those physical assets, it does not cover the lost revenue potential. In some cases, this has led to businesses losing so much income that they have had to shut down.

Your business may need business interruption coverage if it:

  • Relies heavily on physical assets
  • Has smaller profit margins
  • Operates in areas prone to natural disasters
  • Deals with or handles volatile materials.

 

Call us for more details and to find out if your firm may need coverage.