[BreachExchange] 8 Tips on Cyber Security for Staffing Companies

Audrey McNeil audrey at riskbasedsecurity.com
Fri May 5 10:06:52 EDT 2017


Raise your hand if your staffing company has credit card or billing
information on its servers. Raise your other hand if there is personal
employee information like addresses and social security numbers on your

Are both hands raised? Well that, my friends, is a sign; it is a blinking
light flashing “cyber exposure.”

The vast majority of staffing companies keep private and personal
information on their computer systems that easily identifies clients or
employees. If this sensitive data falls into the wrong hands via a network
security breach, it can lead to fraud, identity theft or similar
cybercrimes. These security breaches can happen either accidentally or
through employee misconduct.

Take, for example, an in-house staffing employee who mistakenly distributed
copies of hundreds of staffing employee W2s to an email address that
auto-populated into their email. It was an honest mistake, but cost the
staffing company more than $75,000 in credit monitoring for those
individuals, should their identities be stolen in the future.

Another industry example is when a hacker released a computer worm that
launched a service attack against an IT placement firm’s entire system. The
infection caused a 48-hour shutdown of its computer systems. The IT
staffing firm incurred extensive costs to repair and restore their system
as well as business interruption expenses that totaled more than $750,000.

So throw that whole “it won’t happen to me” saying out the window. Size,
location and industry do not matter when it comes to a cyber attack. What
does matter is having the proper safeguards in place to minimize risk
and/or the fall-out of an attack.

Managing Cyber Liability Risk

Here are eight ways to help minimize your staffing company’s risk:

1. Develop and implement an appropriate cyber security policy.
2. Create a formal process to update software, firewalls and anti-virus.
3. Safeguard mobile devices that hold sensitive personal data with
encryption codes.
4. Safeguard personal information within the workplace, segregating pay
information and personal details on a separate part of the network and
restrict access.
5. Implement regular staff training on security procedures.
6. Have a breach response plan in place.
7. Investigate a company’s security practices before outsourcing any
business functions, such as payroll, web hosting or data processing.
8. Have an insurance policy in place to cover this type of liability.

Implementing the Right Policy

The last tip was specific to insurance policies, which is an important
subject to expand upon. When comparing quotes from competing insurers, here
are some considerations:

Limits and Deductibles: It is important to determine your liability and
choose limits that align with your exposures as a company. To compare
quotes “apples to apples,” be sure all quotes have the same limits and
deductibles. If that is not possible, higher limits and lower deductibles
are obviously favorable as long as the pricing makes sense.

Policy Aggregate: This is significant in the event of a claim. For example,
with a large claim, notification costs could exceed your aggregate limit
and you would have nothing left for the year. Some insurers do not have a
policy aggregate limit; rather each insuring clause is its own tower of
coverage. This is the favorable option.

Prior Acts Coverage vs. Retroactive Date: Full prior acts coverage is
significant because regardless of how far in the past a claim took place,
the claim will be covered (as long as it is made against your company
during the current policy period). A retroactive date eliminates coverage
for claims prior to a specified date (retroactive date), even if the claim
is made during the policy period.

Social Engineering Endorsement: Social engineering attacks are different
from typical cyber hacking attacks in that they target employees rather
than the network. Adding a Social Engineering Endorsement to either your
crime or cyber policy will ensure coverage for this type of attack.

Now, put one hand down if your company has or will soon have more
preventative practices in place to minimize cyber risk. Put your other hand
down if your company has or is looking into a policy to minimize the impact
post-breach. Hopefully, both hands are down and your staffing company is