Expanding the Definition of Safety for Today’s Workplace

Expanding the Definition of Safety for Today’s Workplace

By Don Boian

Today’s industries are facing risks on all fronts. One risk affecting all industries is the threat of cybersecurity attacks. As companies increasingly relied on technology to support remote and hybrid work policies over the past three years, cyberattacks have increased by over 15% during this period, often severely affecting an organization’s business continuity by causing damages, disruptions, and data breaches.

While it is impossible to be 100% safe from cyberattacks, organizations can reduce their vulnerability by thoroughly training employees, strengthening current policies, and developing new policies. This includes expanding policies that focus on substance use on the job. Traditionally, there is the temptation to drug test candidates and employees primarily in roles with high physical risk (such as floor workers in a warehouse, oil rig workers, even car salespeople) or following an accident on a job site – but what about other risk-sensitive situations?

No company expects an employee, remote or on-site, to put alcohol in their coffee mug and work under the influence all day – so why should using cannabis be any different? Beyond ensuring workers performing manual tasks aren’t creating hazardous situations, organizations need to have a holistic substance policy to prevent adverse effects on financial stewardship, customers’ experiences, productivity, and profitability.

WHAT’S AT RISK FOR COMPANIES

According to IBM X-Force’s 2021 Threat Intelligence Index, phishing attacks led to 33% of cyberattacks against organizations. And although many employees are vigilant in not engaging with suspicious emails, working under the influence can reduce alertness, potentially resulting in data breaches and malware infections that can devastate an organization.

STEPS TO REDUCE THREATS

Beyond just internal cyber risks, organizations with employees working in an incapacitated state can become an external vendor risk, which leaves an organization at risk for compliance, reputational damage, operational incidents, and strategic missteps with their clients and partners. To reduce threats that will interrupt business continuity, here are a few ways organizations can reduce their cybersecurity risks:

1. Ensure all computers and devices are running the most recent software (OS and Application) and enable auto-update wherever possible. Software is complex and often comes with flaws that hackers can exploit. Software developers are constantly updating their software not only to bring you the latest features but also to remedy those security flaws. Setting your operating system or application to update when new releases come out automatically can reduce your vulnerability.
2. Backup sensitive or important data and store a copy offline or inaccessible from the Internet. Having backup copies of your company’s or customers’ important information is imperative. Having a backup copy can guard against all sorts of calamities. When implementing your backup strategy, remember to include these two crucial steps:
   • Make sure at least one backup copy is stored disconnected from your network and the Internet.
   • Test that backup periodically to ensure that you can recover your data flawlessly.
3. Develop an education and training strategy for all users. At a minimum, this program should inform all users to choose good passwords, not reuse passwords across multiple accounts, and remain vigilant concerning threats like phishing, malicious attachments, and social engineering. The users of your information technology, including employees, are often the weakest point of your security – unless they are educated and made aware of the threats. Good password security is vital to protecting your systems. Unfortunately, the reuse of passwords is common and results in attacks referred to as credential stuffing attacks. A compromised password from one system is used on multiple other systems hoping that the user did not use unique passwords. Training your employees and other users about phishing and malicious attachments can help reduce nefarious actors accessing your business or customer data.
4. Implement a drug testing program to deter employees from substance use during work hours. Since employees are often the weakest link, deterring alcohol and drug use immediately before or during work hours and following the recommendations above will help mitigate more than just safety risks.

STEPS TO TAKE FOLLOWING A BREACH

Even following these tips, organizations can still find themselves victims of a cyber breach. To recover as quickly and seamlessly as possible and accurately assess the damage, here are recommended steps to take following a breach:

1. Prevent the incident from growing. Isolate systems or take them offline as appropriate. Quarantining infected or compromised systems can limit the damage and exposure of the breach.
2. Assess the extent of the breach and notify all necessary parties (organizational leaders, law enforcement, insurance carriers, and affected users). While it will take some time to determine the extent of a breach, it’s critical to communicate with business leaders, law enforcement, and eventually your customers. Don’t wait until you know all the information to begin communicating. Internal communication should be immediate with the appropriate parties.
3. Recover systems as quickly and efficiently as possible while assessing your systems and network for other vulnerabilities. In addition to recovering systems to get your business and customers back up and running, take extra care to review for additional security gaps that must be filled.
4. Expand the definition of safety to include any risk that can disrupt business continuity and can improve the ability of organizations to operate. As cyberattacks become more sophisticated, it is mission-critical to ensure employees are alert and using their best judgment.

Don Boian is the Chief Information Security Officer at Hound Labs Inc., creator of ultra-sensitive, portable cannabis breathalyzer technology. He worked at the National Security Agency for 30 years on defensive and offensive cyber operations and most recently served as CISO for a large regional bank.

Originally prepared for and published by PBSA in the May-June 2022 edition of the Journal. Read the full issue here: https://thepbsa.org/resources/publications/