Driving Record Monitoring
A well-crafted fleet safety program can provide significant benefits to organizations and public agencies of any size. Driver monitoring is an essential element of every fleet safety program. This is typically accomplished by evaluating and monitoring Motor Vehicle Records, or MVRs. MVR monitoring has been the standard practice to assure that drivers maintain an acceptable driving record, on and off the job. However, the MVR monitoring process is not perfect. There can be a significant lag time of weeks or months before a citation is posted to a driver's MVR, especially for serious offenses like DUI and reckless driving.
Vehicle telematics are not a new development in fleet safety. For over 20 years many operators of large commercial fleets have incorporated some form of telematics to obtain additional information about how and where their vehicles are operated. In recent years, the capabilities of telematics solutions have increased significantly. In addition to location, speed, and idling time, telematic systems today can provide valuable additional information:
Today’s telematic systems can alert drivers and supervisors at predetermined thresholds and can also be connected to road and cab facing cameras to obtain a far more accurate view of an event. A telematic program requires the support of senior management. Management not only must support the cost of implementation and ongoing system costs, but also the changes to organizational culture.
There is a tendency for employees to resist telematic programs, as they can be perceived as a tool that takes away flexibility and independence in job performance. Training can offset many of these concerns. It is important that employees understand that the purpose of the telematics program is to improve overall fleet safety for the entire organization. Employees should also be educated on what metrics are being monitored and what driving behaviors will trigger alerts.
A County government with 3,000 drivers installed telematics throughout their fleet of commercial and private passenger vehicles in early 2018. The county informed employees that these systems would be installed, and internally monitored the data, with no employee notifications given for several months. When the County reviewed the preliminary data from their newly installed system, they found that over 80% of their drivers exceeded the speed limit by more than 10 miles per hour, for more than 2 minutes, monthly. This was significantly higher than the county had anticipated.
In early 2019 after the county had internally monitored driver performance for more than six months, they established safety and performance goals to use as a benchmark for evaluating driver performance. These benchmarks were widely circulated to all employees, so that they would be aware of the desired goal and their individual performance.
The next step was to start notifying employees and their supervisors of any unsafe driving behaviors that exceeded the notification thresholds. As employees became aware of their own performance, behavior changed. By the end of 2019, the percentage of county drivers exceeding the speeding criteria was reduced from 80% to 2%. The county also experienced a 53% reduction in their at-fault vehicle accidents.
Telematic systems can be an incredibly valuable resource for any public agency. Those with installed telematic systems consistently experience a reduction in vehicle claims, an improvement in driver awareness of unsafe behaviors, and a significant reduction in fleet maintenance and fuel expenses.
Every year OSHA compiles a list of the ten most-cited standard violations from the previous year. OSHA publishes this list to alert employers about these commonly cited standards so they can take necessary steps to find and correct recognized hazards before an incident occurs. The 2020 fiscal year statistics, which ended Sept. 30th, have just been released and not surprisingly, the list’s actual violations stayed the same as the previous year, though some standards changed places on the list. Fall Protection remained in the number one spot while ladders rose one spot to number five. Respiratory Protection also moved up two places to number three on the list, while Lockout/Tagout dropped two places, from fourth to sixth.
Let’s Take a Look at the Top three in more detail:
How to Avoid the Top Ten and Other OSHA Citations
Do any of the regulations on the list apply to your organization? If so, you should thoroughly review the standards and ensure you are complying with all employer requirements. There are several steps that an agency can take to avoid worker injuries, illnesses and deaths. Developing and enforcing a comprehensive safety program is your key to success.
Your safety program should include:
In 2020, the global pandemic created near-perfect conditions for cybercriminals. Unsurprisingly, we have witnessed a dramatic spike in cybercrime, but what is driving this threat and what will the implications be for cyber risks throughout 2021?
Increase in the Cyber 'Attack Surface'
The shift to remote work and the large-scale dependency on personal devices and residential networks have expanded threat actors’ attack surface — the number of different points through which an unauthorized user can access or extract data from an environment. At the same time, organizations have been adapting to remote working trends at a record pace, with increased virtual public meetings and services.
The net effect has been a mass increase in potential targets for criminals to exploit and an unprecedented expansion of corporate networks beyond their external firewalls. Cybersecurity in these conditions has proved extremely challenging. Organizations of all industries and sizes were forced to pivot many critical operations to remote environments rapidly and with little time for preparation, exposing insufficient information technology infrastructures, data governance, and security controls.
Explosive Growth in Cyber Attacks
In parallel, ransomware proved devastating in 2020, with incidents becoming more frequent, targeted and automated. Global ransomware attacks rose by 40% in the first three quarters of 2020 compared with the same period in 2019, and payments more than doubled in size since the start of 2020. Increasingly sophisticated and AI-enabled tactics have seen large agencies become more and more vulnerable. For example, criminals have not only accessed core systems, they are successfully infiltrating backup systems as well. Criminals have also started exfiltrating data from hacked networks and threatening to release it as part of the extortion scheme.
In addition, SCADA systems have proved to be vulnerable to targeted attacks, as was evidenced by the attack at the Oldsmar Water Treatment Plant in Florida, where the attacker increased the level of sodium hydroxide, more commonly known as lye, in the water from 100 parts per million to 11,100 parts per million.
Meanwhile, the explosion of “ransomware as a service” has lowered the barriers to entry for aspiring cybercriminals, enabling less sophisticated actors to cause significant harm.
Cyber Insurance Demand Grows, Losses Soar
The spike in cybercrime has driven demand for cyber insurance, with many revisiting their cyber insurance programs and requesting higher limits.
Not surprisingly, insurers have become increasingly nervous about the deteriorating risk landscape and risk quality, and underwriters are far more thorough in their underwriting review.
Despite the challenging landscape, there are reasons for optimism. Organizations are more aware of the importance of purchasing a robust cyber insurance program, and of the need to improve and harden critical IT systems.
For many years, cyber insurance programs focused on the risks arising from the loss of third-party data. The leading cyber insurance programs today address these risks, and also provide extensive coverage for the direct costs incurred in responding to a cyber event.
The leading cyber insurance programs take this a step further by delivering preventative services that actively monitor client networks to identify weaknesses and recommend corrective actions to mitigate these risks.
Safety and risk committees are an incredibly powerful tool to prevent incidents and enhance the effectiveness of all organizations. Safety and risk committees bring together dedicated employees, representing departments and divisions throughout an organization. They are focused on improving and reinforcing safety and risk management initiatives and make a real impact on the organization.
Safety committees enhance employee morale, foster greater productivity, and improve standing among the various stakeholders of the organization. An effective committee sends a powerful message that management cares about the wellbeing of their employees, and the public.
When establishing safety and risk committees, careful consideration should be given to identifying the appropriate scope and duties that will be delegated to the committee as a group, and to the members who serve on the committee(s). Effective committees include representation from senior management, supervisors, and front-line employees, from across all departments or divisions. Committees should not be so large that they lose the ability to be responsive to individuals or to affect organizational changes.
For larger organizations safety committees may need to be established in individual departments and divisions, which report to a centralized risk committee. Selecting those employees that have a desire to serve on a committee and that will be actively engaged in committee activities is crucial.
The mission of the committee should be clearly stated, with well-defined objectives. These objectives reinforce the overarching mission that safety reaches beyond just complying with OSHA or other minimum requirements. Rather, safety and risk management provide a sense of purpose and a roadmap for accomplishing key organizational objectives. For example, if the organization has had several lost time workers compensation injuries, the safety committee could identify and evaluate the root cause of the injuries and form and execute a plan to correct unsafe conditions.
While many committees meet monthly, other successful committees may meet less frequently on a semi-monthly or quarterly basis. The key issue is holding well planned meetings consistently, with good committee member participation.
Safety and risk committees are most effective when they can identify issues and are empowered and provided with the resources to resolve them. When a committee is working as it should, employees and managers work together to address safety and risk concerns before injuries or claims arise.
While many may think of safety committees as simply a forum to review workplace accidents, many successful committees have much broader oversight, including many key risk management functions, which include:
Committee Member Training
Members should demonstrate a general understanding of technical safety and risk issues, familiarity with data gathering and analysis, and experience with group dynamics and meeting participation. Training may be provided internally, online and from third party resources.
A committee should be considered an investment, and management needs to provide adequate tools and resources. Committees may need funds to oversee and administer safety incentive programs and purchase safety equipment or tools.
Committees will make recommendations for corrective actions or changes in policy and procedure. The committees need to know that they have the support of management to carry out their mission and that their efforts will be sustained.
Engaging all organization stakeholders can significantly improve the visibility and support for the organization. Many successful risk committees prepare an annual report that is reviewed with the governing body (e.g., Councils, Commissions and Boards), with objectives and goals outlined for the coming year.
When safety and risk committees are engaged and empowered, they serve as a vital piece of a risk management program. With knowledgeable, enthusiastic members that develop innovative and creative solutions, these committees have a far-reaching impact on the organization. They improve the culture of safety and risk awareness throughout the organization, improve employee morale and build good will with those that are served by the organization.
With Spring comes the start of many significant capital projects, from new office and administration buildings to pipelines and treatment plant expansions. The risks to property under construction are significant but can be well managed through an effective builder’s risk insurance program.
Builder’s risk insurance programs can be handled by the owner or left to the general contractor or construction manager. Project owners understand the scope, cost and special conditions of the project and are better equipped to set up the builder’s risk insurance program. Contractors may not address all of the ancillary elements and supplemental limits needed for a builder’s risk project and may mark up the cost of the insurance with profit and overhead.
In the absence of detailed information, many underwriters may make assumptions which could result in higher than necessary premiums. Providing details on the type of construction materials, a timeline of work to be completed (e.g. Gantt Chart) and a summary of new construction vs existing facilities being renovated, will provide greater clarity on the project. This will result in more competitive terms.
Many organizations use the contract value or guaranteed maximum price when setting the insured value for their projects. While this is a good starting point, a careful review of the project's costs often yields many items that may fall outside of coverage, or for which you would not intend coverage to respond. These may include site grading, pavement, and the purchase of property or property rights (e.g. easements).
When establishing the term of the builder’s risk policy, owners and contractors should incorporate potential delays from material suppliers, subcontractors and sub-subcontractors, weather and other exigent circumstances which could result in a delay to the project. Builder’s risk underwriters will generally increase the policy rate for projects that are behind schedule and need an extension in the policy term.
When designating the policy term, allow additional time for unanticipated delays from contractors and suppliers. Builder’s risk policies can be cancelled before the policy expiration at the conclusion of the project, with the unearned premium returned to the owner. This approach will yield the lowest overall builder’s risk policy rate and total cost.
Policies should include both the owner and contractors as insured parties. This has become more critical in recent years due to the increase in owner supplied specialized equipment, which would not be covered under a standard builder’s risk policy obtained directly by a general contractor or construction manager.
Occupancy or Use
Understanding the transition from the builder’s risk policy to your permanent property insurance program is critical. Builder’s risk policies may specify that coverage for the project will end when substantial completion is achieved, when a certificate of occupancy is obtained or when the property is put in service for its intended use, even if the project is not yet complete.
These timelines should be communicated when evaluating builder’s risk insurance options, and throughout the duration of construction to ensure that the project is not left without coverage.
Staying safe at work sounds like a simple enough goal. No worker wants to work in an unsafe environment and no administrator or elected official wants to spend time and resources investigating preventable incidents. The potential for workers’ compensation or third-party liability claims arising from unsafe activities is considerable when unsafe incidents occur. People get hurt, property is damaged and productivity is impaired, adding to the negative impact of these events.
Often, incidents occur in spite of our best efforts to adopt safety policies and satisfy training requirements. Safety culture goes beyond policy and procedure, since it develops a lasting change in the organization. A culture of safety reinforces a shared organizational commitment at all levels of the organization.
A good example is provided by Paul O’Neill, formerly of Alcoa. Mr. O’Neill took over as the CEO at Alcoa during an incredibly challenging time, when he stated: “I knew I had to transform Alcoa. But you can’t order people to change. So, I decided I was going to start by focusing on one thing. If I could start disrupting the habits around one thing, it would spread throughout the entire company.”
He reinforced his commitment to developing a culture of safety in a now famous speech to Alcoa shareholders, in which he said: “If you want to understand how Alcoa is doing, you need to look at our workplace safety figures. If we bring our injury rates down, it won’t be because of cheerleading or the nonsense you sometimes hear from other CEOs. It will be because the individuals at this company have agreed to become part of something important: They’ve devoted themselves to creating a habit of excellence. Safety will be an indicator that we’re making progress in changing our habits across the entire institution. That’s how we should be judged.”
Despite initial resistance from the shareholders, O’Neill’s decision to prioritize safety over profits paid off. Sales increased, employee injuries declined, and net profits grew five-fold over his twelve-year tenure as CEO.
There are several steps we can take to better reinforce a safety culture within our own organizations. While not an exhaustive list, these seven areas are a great place to start:
As we work to improve the safety culture within our organizations, safety will become a habit. Productivity improves with a decrease in incidents, employee morale rises, and our public image is enhanced.
Sound risk management involves many preventative actions and processes, to maintain facilities and equipment, and to mitigate potential claims. Unfortunately, many of these actions go unrecognized without documentation that the tasks were completed. Two real-world situations to illustrate:
ABC City experienced a sewer back-up that flooded the living quarters of a private home. This resulted in the resident vacating the home and moving into a motel for nearly a month. When the claim for damages to the home was submitted, a request was made to the city for documentation of their sewer inspections and maintenance. The city’s public works staff responded that sewer lines were periodically inspected but could not produce written records of any inspections or completed maintenance. This severely hindered the city’s defense efforts, which led to the city ultimately settling with the homeowner for over $100,000.
XYZ City also experienced a sewer back-up, which caused raw sewage to back up into a restaurant. Because the back-up occurred in the sewer main line under the street, city staff thought that the city was likely responsible for the damages, and the city contacted their insurance company to report the back-up before a claim was even submitted. The claims adjuster requested and reviewed the documentation of sewer inspections.
The area where the back-up had occurred was a known low spot in the main. Less than two weeks prior to the back-up, XYZ City’s public works staff had inspected the main on both sides of the low point, noting that the line was running free and clear. Additionally, the city had documentation reaching back several years for their entire sanitary sewer system inspections and maintenance activities. The documentation demonstrated that the city was being a responsible utility owner and, consequently, was not liable for the back-up and damages to the restaurant. Instead, it was later established that restaurant employees had caused the back-up by dumping grease down the drain and had not properly maintained their grease trap. Without this documentation, XYZ City could have been liable for significant clean-up and restoration expenses.
Benefits of Documentation
For local governments, there are several benefits to documenting the many daily activities conducted by staff, not just sewer system operations. These benefits include:
What to Document
Documentation should include all inspections and maintenance activities, as well as repairs conducted, and replacements made. While the list of what should be documented will vary by entity type, there are some common activities that should be documented across all public agencies, whether you are city, county, water or sewer utility, school district, fire district, or other government agency.
Inspection reports should contain the below items:
While documentation can be as simple as a spiral notebook with hand-written entries, many organizations use sophisticated asset management or work-order systems to not only track inspections and incident reports, but also to receive reminder tasks for preventative maintenance issues (e.g. cleaning ‘hot-spot’ sewer lines). These systems can also often include pictures of sites before and after work is completed.
Documentation and reports should provide sufficient detail so that someone who was not present when the work was performed, or when the problem was addressed, could fully understand what transpired.
Documentation offers many benefits to you as a worker and to your agency, the least of which is that ongoing and thorough documentation can help reduce an agency’s liability when a claim occurs.
The U.S. Department of Transportation’s Federal Motor Carrier Safety Administration (FMCSA) clearinghouse of commercial driver's license (CDL) holders' drug and alcohol violations went into effect on January 6, 2020.
Employers must register to access the data repository to fulfill compliance obligations. Employers of CDL drivers, can now register on the site and create a secure online user account. Employers with drivers covered by FMCSA regulations will be required to query the database for current and prospective drivers' drug and alcohol violations before permitting those employees to operate a commercial motor vehicle. Employers also must report drug and alcohol program violations through the site. The regulation requires that employers annually screen each of their drivers through the clearinghouse.
This new regulation comes from a law signed in 2012 intended to help reduce crashes, injuries and fatalities involving large trucks and buses by creating a way to identify and track commercial drivers with a history of violating drug and alcohol prohibitions.
Before the clearinghouse was created, regulated employers were required to check with a driver's prior employers to verify his or her drug and alcohol testing record. Drivers with violations are not eligible to drive a commercial motor vehicle until the employer confirms that the driver has successfully completed mandatory return-to-duty obligations.
The clearinghouse will enable employers to more easily identify drivers who commit a drug or alcohol program violation while working for one employer but who fail to subsequently inform another employer. Records of drug and alcohol program violations will remain in the clearinghouse for five years, or until the driver has completed the federally mandated return-to-duty process, whichever is later.
Registration is free, but there will be a charge, depending on the number of queries, to run records searches. Employee drivers are not required to immediately register for the clearinghouse but will need to register to respond to an employer's request for consent prior to a pre-employment check or other query. Employers may want to encourage drivers to create an account, however, as doing so will streamline the process by which a new driver can be hired or returned to work following a report. As the database grows over time, it will become more effective. Unfortunately, employers must also continue to independently gather driver drug and alcohol program compliance records directly from prior employers until the clearinghouse has been operating for three years.
FMCSA regulations require employers to add language to their drug and alcohol testing policies to notify drivers and driver applicants that employers are now required to report any adverse drug and alcohol testing information to the clearinghouse.
This includes any positive drug-test results, any alcohol test results with a blood alcohol content greater than 0.04, refusals to test, and any other non-test violations of the FMCSA's drug and alcohol regulation. Employers will have to submit a report of a drug or alcohol program violation by the close of the third business day following the date on which the employer obtained the information.
In addition, employers will be required to report any "actual knowledge" violations along with a detailed description of the event, supporting evidence, and the names and contact information for any corroborating witnesses.
For example, supporting documentation will be required … from a supervisor who saw the driver engage in prohibited conduct or documenting a driver's admission of a regulatory violation. The employer must also ensure and certify that all of the information reported to the clearinghouse was also provided to the covered driver in question. This process is designed to ensure that covered drivers are able to exercise their right to dispute potentially inaccurate information.
FMCSA-regulated employers must initiate a database query of the clearinghouse as part of the hiring process for new drivers. This query must be run on every prospective driver before they are able to perform safety-sensitive functions. Employers must obtain the consent of the driver before running the check. Consents to limited queries can be evergreen, allowing the employer to continue to search the database as needed after the driver's initial check. If the query identifies a relevant report on a driver in the database, however, the driver must at that time and on an individual basis authorize the release of the full query report to the employer. Failing to authorize the release of these records to the querying employer will prevent the employer from using or continuing to use the driver.
In addition, employers will be required to run a search of the database at least once a year for all their current drivers. Employers have some flexibility as to the timing of the searches and should be wary of the potential disruptions that running queries on all drivers at once can create. For example, if an employer elects to run all covered drivers at once as part of its annual review, and the limited query reveals information necessitating a full query on certain drivers, the employer must then conduct a full query on each of those drivers within 24 hours. If the employer fails to conduct a full query within 24 hours—recognizing that the employer must obtain specific consent from the driver to do so within this time period—the employer cannot allow the covered driver to continue to perform any safety-sensitive function until the results of the full query confirm that the driver's clearinghouse record is clear.
The operation of motor vehicles remains among the highest impact risks of public agencies. Collectively, the public sector operates nearly 3 million licensed vehicles; more than any other segment of the US economy. From patrol vehicles to fire trucks and specialized utility vehicles, these fleets are diverse, with unique uses and operational requirements. The risks associated with the use of vehicles continue to expand, particularly the increasing number of distractions present within vehicles. It is crucial to have a well-crafted fleet safety program to establish and reinforce best practices for the use of vehicles. A comprehensive fleet safety program should address the following areas:
The policy statement should address your unique operations and environment, as well as reinforce the commitment of management to the safety of drivers and the safe operation of motor vehicles.
Personal Use of Company Vehicles
Many organizations permit certain types of vehicles to be taken home to facilitate greater efficiency or as a benefit of employment. Rules should be outlined to clarify the personal use of vehicles for these employees, including permitted operators and passengers, deviations while commuting or any other territorial or mileage limitations. These rules should also specify when prior authorization is required to deviate from the rules, and how that might be obtained. In addition, company vehicles should not be used for the towing of personal trailers or for off-road or recreational use.
Use of Personal Vehicles on Company Business
When employees drive their personal vehicle on official business, their employer may be joined in any claims arising from their negligent acts. Accordingly, they should be held to the same standards as those employees operating company vehicles. Employers should specify the minimum acceptable personal insurance requirements for these employees, and obtain evidence of the personal insurance limits purchased. Employers should also specify that when the employee is driving their personal vehicle on company business, they must still comply with the organization's fleet policy, including the rules on the use of electronic devices.
Use of Electronic Devices within Vehicles
While many public safety positions require the use of technology while driving, rules should specify when the use of these systems is permitted. For all other drivers, strong emphasis should be placed on minimizing distractions – pulling over to take urgent phone calls and waiting until the driver arrives at their destination for non-urgent matters. The use of laptops, tablets, radios, etc. should be limited to when the vehicle is stopped and safely out of the roadway.
Seat Belt Use
Reinforcing the importance of seat belt use is crucial. Annually, 47% of people killed in motor vehicle crashes were not wearing a seat belt. Your policy should clearly state this is a requirement to operate a motor vehicle.
Driver Selection and Qualification
Operators of company owned vehicles must have a current driver’s license for the class of vehicle being driven. A commercial driver’s license (CDL) must be required for all operators of commercial vehicles. Employees with suspended or revoked licenses should not operate vehicles at any time.
Motor Vehicle Reports (MVRs) can be a valuable tool to ensure drivers have an acceptable driving history; however, the timing of data being available on these reports can be problematic, often taking several weeks to be updated for the most severe violations (e.g. DUI, reckless driving), where mandatory court appearances are required. In most states, public agencies have free access to MVR reports, which can be continuously accessed and monitored. In Utah these reports are available through Utah Interactive. It is recommended to require that employees self-report any moving violations immediately to their supervisor, regardless of severity.
Scoring criteria should be included to designate drivers as acceptable or unacceptable based on the number and severity of moving violations. Examples of criteria that would disqualify an employee from driving are as follows:
Driver fatigue is responsible for nearly 800 fatalities annually. Your policy should affirm that drivers should be alert, attentive and rested before driving. Drivers who may be fatigued or ill should not operate vehicles.
Use of Commercial Vehicles
Rules specific to the types of commercial vehicles that you operate should be included, including securing of equipment, covering of loads, towing of trailers, and use of specialized vehicles (e.g. Streetsweepers, garbage trucks, vacuum trucks).
The use of telematics to monitor fleet movements has increased significantly in recent years. The data collected through these systems may be a useful tool to identify areas for improvement and reinforce safe driving behaviors. Many telematic systems can provide alerts based on vehicle speed as well as acceleration, braking and cornering velocities. Alerts may be triggered when a vehicle leaves a designated geographic area, or moves during a specified time (e.g. a take home vehicle moving after work hours). Some systems also include forward facing and cab facing cameras, which can prove invaluable in the event of an accident.
Training requirements should be established for new employees, including training on the specific vehicle(s) that will be operated and a road test. Special emphasis should be placed on unique driving exposures, such as driving at night, use of 15 passenger vans, or other extreme driving conditions. At least annually, all drivers should be required to complete refresher training as outlined by management.
Vehicle Maintenance and Inspections
Vehicle maintenance should be monitored, scheduled and documented by a designated employee within the organization. Employees should not be responsible for or directly perform vehicle maintenance. Pre-trip and post-trip inspections should also be completed and retained by management for all vehicles.
If an accident should occur, all vehicles should have a copy of the organization’s post-accident procedures. At minimum, the following steps should be included:
A formal process should be established to review the facts of the accident, determine if the accident was avoidable or unavoidable, and outline the corrective steps if the accident was avoidable. This review may be completed by a supervisor, manager, director, or accident review board.
A sharp rise in public sector ransomware attacks across the U.S. has drawn considerable attention in recent years – and for good reason. Such attacks can cripple an organization’s ability to conduct important operations or provide needed services to the community. They can also have a huge financial toll.
“Ransomware is not a new problem, but it’s presenting a bigger challenge for public entities,” said Kirstin Simonson, Cyber Lead for Technology and Public Sector at Travelers. “Ransoms are trending significantly higher; in years past, ransoms were often in the five to six figure range. Cyber criminals now routinely demand seven or eight figure sums from local and state governments. Ransomware has impacted government agencies of all sizes; unfortunately, no one is immune.”
While ransomware has been a threat for years, newer variants are able to infect entire networks and cause considerable damage, often before detection. Here are some measures you can take to help protect your data and ensure an effective response in the event of a ransomware attack:
Back Up Data
A primary step is to back up critical data on a frequent basis. Backed-up files can be quickly recovered, which can help to restore operations in the event of an attack. Ensure the backed-up data is stored on a separate offline device that is completely severed from the working network. Otherwise, it’s likely to be ransomed along with your primary data.
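The page does not show how to confirm that an offline backup is still trustworthy before relying on it. The following is an added example, not code from the original page or from Travelers: it records a SHA-256 manifest at backup time, then re-verifies the copy before restoration, so a backup that was left connected and got encrypted along with the primary data is caught rather than restored. The directory layout, file contents and ransom note name are constructed placeholders.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Record the digest of every file under root, keyed by POSIX-style relative path.
    Store this manifest with the offline backup media at backup time."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(manifest: dict[str, str], backup_root: Path) -> dict[str, list[str]]:
    """Compare a backup tree against the manifest recorded when the backup was taken.

    A changed digest on media that should have been offline is the signature of
    encryption or tampering, so that copy cannot be trusted for restoration.
    """
    report: dict[str, list[str]] = {"ok": [], "missing": [], "modified": [], "unexpected": []}
    for rel, expected in manifest.items():
        target = backup_root / rel
        if not target.is_file():
            report["missing"].append(rel)
        elif sha256_file(target) != expected:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    for p in backup_root.rglob("*"):
        rel = p.relative_to(backup_root).as_posix()
        if p.is_file() and rel not in manifest:
            report["unexpected"].append(rel)  # e.g. a dropped ransom note
    return report


def restorable(report: dict[str, list[str]]) -> bool:
    """A backup is usable only if nothing it was supposed to hold is missing or altered."""
    return not (report["missing"] or report["modified"])


def demo() -> dict[str, object]:
    """Constructed scenario: take two backups, then 'encrypt' the primary copy.

    Nothing here is real data; file names and contents are placeholders.
    """
    with tempfile.TemporaryDirectory() as tmp:
        primary = Path(tmp) / "primary"
        offline = Path(tmp) / "offline_backup"      # media disconnected after the copy
        connected = Path(tmp) / "connected_backup"  # share left mounted on the network
        (primary / "records").mkdir(parents=True)
        (primary / "records" / "permits.csv").write_text("id,holder\n1,constructed\n")
        (primary / "notes.txt").write_text("constructed sample file\n")

        # Backup time: copy the tree and keep the manifest with the backup.
        shutil.copytree(primary, offline)
        shutil.copytree(primary, connected)
        manifest = build_manifest(primary)
        before = verify_backup(manifest, offline)

        # Attack time: the primary copy and the still-connected share get overwritten.
        for root in (primary, connected):
            for p in root.rglob("*.csv"):
                p.write_bytes(b"\x00CONSTRUCTED-ENCRYPTED-BLOB")
            (root / "README_RESTORE.txt").write_text("constructed ransom note\n")

        return {
            "offline_ok_before": restorable(before),
            "offline_ok_after": restorable(verify_backup(manifest, offline)),
            "connected": verify_backup(manifest, connected),
        }


if __name__ == "__main__":
    print(demo())
```

The manifest must travel with the offline media, not stay on the working network, or an attacker who reaches the network can rewrite the manifest to match an altered backup.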
Segment Network Access
Splitting your network into smaller segments is another way to protect critical data. This is typically done by business function or data type, so you can grant employees access to just the data they need to do their jobs. If an employee should fall for a ransomware attack, segmentation can help to prevent the ransomware from spreading throughout your network and operations. Employees should have access to critical data, including all forms of protected information, only when it is required to perform their work. Otherwise, sensitive data should be restricted.
Use Multifactor Authentication
Multifactor authentication (MFA) provides an additional level of protection to your network data. This is a method of verifying an employee’s identity with two or more pieces of proof. The authentication factors typically correlate to a device (e.g., an authenticator app or text message on a smartphone), biometrics (e.g., a fingerprint) or information (e.g., a PIN).
Even if a cyber attacker has obtained a user ID and password, MFA decreases the risk that the attacker can gain access by requiring an additional means of validation. For example, they would need to steal both an employee’s password and their phone to be able to log in to your systems.
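To show concretely why the phone is needed in addition to the password, here is an added example, not code from the original page or from Travelers, of the time-based one-time password (TOTP, RFC 6238) that authenticator apps generate, with a login check that requires both factors. The user record, salt, password and issuer name are constructed; the TOTP secret is the published RFC 4226/6238 test secret, not a real credential.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the number of 30-second steps since the epoch."""
    return hotp(secret, unix_time // step, digits, algo)


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30,
                window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side to tolerate clock drift.

    Every candidate is checked with a constant-time comparison and the loop never
    exits early, so response timing reveals nothing about which step matched.
    """
    matched = False
    for k in range(-window, window + 1):
        candidate = totp(secret, unix_time + k * step, step)
        matched |= hmac.compare_digest(candidate, code)
    return matched


# Constructed directory: one employee, assumed values, not real credentials.
_SALT = b"constructed-salt"


def _password_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


_USERS = {
    "jdoe": {
        "pw_hash": _password_hash("correct horse battery staple"),
        "totp_secret": b"12345678901234567890",  # RFC 4226/6238 test secret
    }
}


def provisioning_uri(user: str) -> str:
    """otpauth:// URI the employee's authenticator app scans once at enrollment.
    Secret is base32-encoded, as authenticator apps expect. Issuer is a placeholder."""
    b32 = base64.b32encode(_USERS[user]["totp_secret"]).decode().rstrip("=")
    return f"otpauth://totp/ExampleCounty:{user}?secret={b32}&issuer=ExampleCounty"


def login(user: str, password: str, code: str, now: Optional[int] = None) -> bool:
    """Both factors must pass: a stolen password without the phone's code is rejected."""
    record = _USERS.get(user)
    if record is None:
        return False
    now = int(time.time()) if now is None else now
    pw_ok = hmac.compare_digest(_password_hash(password), record["pw_hash"])
    otp_ok = verify_totp(record["totp_secret"], code, now)
    return pw_ok and otp_ok  # both evaluated; no short-circuit on the password result


if __name__ == "__main__":
    secret = _USERS["jdoe"]["totp_secret"]
    print("current code:", totp(secret, int(time.time())))
    print(provisioning_uri("jdoe"))
```

The secret never leaves the server and the phone, so an attacker holding only the password cannot compute a valid code; the one-step drift window is the usual trade-off between usability and the small extra number of codes accepted at any moment.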
Monitor Network Vulnerability
It is important to continuously monitor your network to identify and mitigate security vulnerabilities. Begin with a complete assessment of the network; identify all systems that are not fully patched and take corrective action. This includes operating systems and software, especially older legacy systems that your municipality may depend upon, which are often the most vulnerable systems.
If security updates are no longer feasible, you can reduce the legacy system’s exposure by placing it within its own network segment, making it inaccessible from the internet and restricting employee access.
Your monitoring should also include the systems that remote employees use to gain access to the network. Microsoft’s Remote Desktop Protocol (RDP), for example, can act as an open door for cyber criminals if not properly configured and secured.
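The three checks in the passage above (patch currency, isolation of legacy systems that can no longer be patched, and exposure of remote access such as RDP) can be run routinely against an asset inventory export. The following is an added example, not code from the original page or from Travelers, that applies those rules to a constructed inventory; host names, dates, segment names and the 30-day patch threshold are assumptions to adapt to your own environment.

```python
import csv
import io
from dataclasses import dataclass
from datetime import date

# Constructed inventory export (no real hosts). `eol` marks systems whose vendor
# no longer issues security updates; `internet_exposed_ports` is semicolon separated.
INVENTORY_CSV = """host,os,eol,last_patch,segment,internet_exposed_ports
billing-01,Windows Server 2019,no,2024-03-20,corp,
permits-legacy,Windows Server 2008,yes,2019-01-15,corp,3389
gis-02,Ubuntu 22.04,no,2024-03-28,corp,443
scada-hmi,Windows 7,yes,2015-06-01,isolated,
remote-gw,Windows Server 2022,no,2024-01-02,dmz,3389;443
"""

MAX_PATCH_AGE_DAYS = 30      # assumed policy threshold
RDP_PORT = 3389              # Microsoft Remote Desktop Protocol
ISOLATED_SEGMENTS = {"isolated"}  # assumed name of the quarantined legacy segment


@dataclass
class Host:
    name: str
    os: str
    eol: bool
    last_patch: date
    segment: str
    exposed_ports: frozenset[int]


def load_inventory(text: str) -> list[Host]:
    """Parse the CSV export into Host records."""
    hosts = []
    for row in csv.DictReader(io.StringIO(text)):
        ports = frozenset(int(p) for p in row["internet_exposed_ports"].split(";") if p)
        hosts.append(Host(
            name=row["host"],
            os=row["os"],
            eol=row["eol"].strip().lower() == "yes",
            last_patch=date.fromisoformat(row["last_patch"]),
            segment=row["segment"],
            exposed_ports=ports,
        ))
    return hosts


def audit(hosts: list[Host], today: date) -> list[tuple[str, str, str]]:
    """Return (host, finding_code, detail) for every rule a host violates."""
    findings = []
    for h in hosts:
        if h.eol:
            # Patching is no longer possible, so the control is containment:
            # own segment, no internet exposure, restricted access.
            if h.segment not in ISOLATED_SEGMENTS:
                findings.append((h.name, "LEGACY_NOT_ISOLATED",
                                 f"{h.os} is end-of-life but sits in segment '{h.segment}'"))
            if h.exposed_ports:
                findings.append((h.name, "LEGACY_INTERNET_EXPOSED",
                                 f"end-of-life system reachable on {sorted(h.exposed_ports)}"))
        else:
            age = (today - h.last_patch).days
            if age > MAX_PATCH_AGE_DAYS:
                findings.append((h.name, "UNPATCHED",
                                 f"{age} days since last patch (limit {MAX_PATCH_AGE_DAYS})"))
        if RDP_PORT in h.exposed_ports:
            findings.append((h.name, "RDP_EXPOSED",
                             "RDP reachable from the internet; put it behind VPN/MFA"))
    return findings


def summary(findings: list[tuple[str, str, str]]) -> dict[str, int]:
    """Count findings per code, handy for tracking the backlog over time."""
    counts: dict[str, int] = {}
    for _, code, _ in findings:
        counts[code] = counts.get(code, 0) + 1
    return counts


if __name__ == "__main__":
    for host, code, detail in audit(load_inventory(INVENTORY_CSV), date(2024, 4, 1)):
        print(f"{host:16} {code:24} {detail}")
```

Run against the constructed data with 1 April 2024 as "today", the isolated SCADA host produces no findings while the legacy permits server and the remote gateway each produce several; the same rules applied to a real export give a prioritised remediation list rather than a one-off assessment.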
Ransomware attacks can often be traced back to an employee who unknowingly clicked on a phishing email or malicious link. To minimize the risk of human error, provide frequent training on how to recognize cyber threats. Emphasize to your employees the importance of examining links and attachments to make sure they are from a reliable source. Also, warn them of the dangers of sharing company or personal information in response to an email, letter or phone call, and set up protocols for reporting suspicious activity to a designated contact within the organization.
Develop an Incident Response Plan
Avoid scrambling to figure out a plan after a ransomware attack occurs. Having an incident response plan in place in advance is key to a swift, systematic response to help contain the damage to your systems and minimize the response and recovery costs. To ensure that your plan will fulfill its intended purpose, test your plan and put it into practice before an incident occurs. You should also continuously update it as you become aware of new risks and vulnerabilities.
A comprehensive cyber insurance program should provide access to a data breach coach, who can review real-world claim scenarios and identify areas for improvement in your response planning, as well as provide complimentary or discounted access to qualified cyber security services. Some of the most common services provided are:
Engage the Professionals
If an incident occurs, the first step a public entity should take is to engage legal and computer forensics experts, ideally those identified in your incident response plan or recommended by your cyber insurance provider. These professionals can assist with investigating the extent of the infiltration, removing the cause, restoring your network and determining whether or not to pay the ransom. You may also have an obligation to notify others of the incident if their information was potentially compromised as a result of the breach.