Earlier this year, cyber terrorists launched a well-organized and highly effective attack that cut power to millions serviced by Ukrainian electricity distribution companies, the first verified and successful intrusion into a utility information technology (IT) network.
The sophisticated attack was launched through a well-planned campaign that sent fake emails containing a BlackEnergy-type computer virus to the Ukrainian utilities’ employees. Social engineering techniques such as “spoofing” real email addresses convinced the recipients that the email was legitimate and opened the malware file. The deployed virus and external programming let the hackers collect information on the structure of the utilities’ IT systems and identify programming resources and their methods for external access to utility IT infrastructure.
The cyber-attack consisted of five elements:
1) Infecting the networks via emails;
2) Assuming control of the administration of the automated system for dispatch/control that shuts off sub-stations;
3) Disabling IT infrastructure, including modems, switchboards, and uninterrupted power supply devices;
4) Destroying information on servers and at work stations; and
5) Attacking telephone numbers of utility call centers to deny service to customers experiencing an outage.
Utility companies around the world are now on higher alert that relatively low-tech but increasingly sophisticated email “spoofing” scams could take down a power grid.
There are other threats as well. Several Hays clients have documented receipt of fraudulent emails purporting to be from senior officers. The emails told recipients to transfer money to a bank account (controlled by perpetrators) and advised that the necessary documentation supporting the payment would be made later. So far, quick-thinking employees who questioned the request or deviation from proper procedure have thwarted these attempts.
In another case, which unfortunately may have been successful, a fake email supposedly from a company officer directed an employee in the utility’s HR department to send an electronic file with sensitive employee information. In this type of social engineering scam, emails with spoofed addresses said things such as:
“Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.”
“Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary)?”
“I want you to send me the list of W-2 copy of employees wage and tax statement for 2015. I need them in PDF file type, and you can send it as an attachment. Kindly prepare the lists and email them to me asap.”
It is clear by the manner in which these fake internal emails were written — they often imitated the writing style of individual officers — that the perpetrators had gained access to the utilities’ systems for quite some time prior to the events.
The key point for risk managers is to not only ensure these attacks can’t happen because incoming emails are scanned for the latest malware and viruses, but also to identify and educate employees whose responsibilities and IT access make them prime potential targets. By properly informing workers about the various methods used, how to spot a potential fake email, how to effectively confirm legitimate requests, and when to be suspicious about attachments that could contain IT-compromising viruses, utilities companies have a chance to stay a step ahead of clever cyber criminals.
Most Disrupters aren’t all that disruptive anymore. Everyone, including our children, have become quite comfortable with Disrupters and the positive impact they have on business and our everyday lives. A true Disrupter turns a product or service upside-down and inside-out.
Consider one of the biggest Disrupters in recent history — the personal computer. Think of life without Google… More recently, consider smartphones, drones, smart watches, FitBit, Netflix, Nest, Uber, and Airbnb. Since their introduction, life has not been the same. Many of these companies have been incredibly successful. Today, we’re comfortably accepting these Disrupters with open arms and we’re hungry for more.
The Disrupter mentality and Silicon Valley.
Silicon Valley is home to some of the world’s most successful Disrupters. This continues to be true as many of the most visible Disrupters are technology-oriented.
In the first three months of 2015, venture capital (VC) funds invested $13.4 billion, much of it in the tech sector. Not since the dot-com era has there been such a run in VC funding and technology. Many young start-ups seeking funds are turning to crowdfunding and smaller investors, which is disrupting the very ground VC’s used to look to fund — Disrupters.
Two of the most successful Disrupters and their business strategy.
Sir Richard Branson, founder of Virgin Records, Virgin Airlines and Virgin Mobile, and Jeff Bezos, Amazon Founder and CEO, have a similar business philosophy: Constantly strive to improve the customer experience. In fact, they have structured their companies to encourage disruptive thinking and innovation. Bezos has upended the book and publishing industry and nearly displaced electronics retailers. He continues to disrupt and reinvent online shopping and delivery by responding to changing technology.
“We innovate by starting with the customers and working backwards,” says Bezos. “That becomes the touchstone for how we invent. For Amazon, customer focus is a cultural issue.”
The “improve the experience credo” has sparked a revolution in business thinking that fuels most new Disrupter companies.
One of the biggest Disrupters of today is the smartphone. By its very nature, its features are designed to disrupt whatever we’re doing. As a mobile device they are indispensable and frustrating because we can’t seem to put them down. They have changed the way we communicate, live and do business.
Smartphones are also having a dramatic impact on many other businesses, both positively and negatively. Yet smartphones have also created a dynamic new business category — app design. They help promote shopping, banking, health and fitness, news, entertainment, restaurants and better communication between businesses and consumers, just to name a few.
Understanding how Disrupters are affecting insurance and employee benefits begins with big data.
The biggest Disrupter to date is big data and most agree that big data benefits customers by offering them tailored insurance and employee benefits programs for their specific experience, location and risk profile. Collecting this information is no easy feat: it means gathering financial, claims, risk, customer preference and sales data from multiple sources, then scrubbing and analyzing it, all while complying with protective regulations designed to safeguard the data and data-driven decisions.
IBM’s Big Data @ Work survey reported that big data’s influence in the insurance realm is strong: some 47 percent of insurers want to use it to develop customer-centric programs and another 66 percent are conducting or planning big data activities.*
Today, the use of these devices is ubiquitous. We’ve become so accustomed to formerly “disruptive” technology that it doesn’t faze us anymore.
At the heart of the trend is effectively aggregating the data … and we are doing that at Hays.
We are on the edge of the big data trend, developing innovative programs and opportunities that will benefit our customers. At Hays, we have a proprietary technology platform that pulls together data. This allows us to audit the data, provide consistency of data extracts, show continuity of data across multiple vendors, simplify access to data through one portal, and reduce fees by eliminating ad hoc reports.
We help eliminate the “silos” that come from bucketing cost centers to give our customers a data-focused assessment of the true cost of employment.
The dark side of data.
When it comes to customer and employee privacy, however, we should never be complacent about the dark side of Disrupters.
Cyber terrorism and data breaches have shadowy technical roots in the so-called Deep Web and Dark Web, which most people don’t even know exist. Your company’s data is vulnerable through email links, apps, a compromised network, or a web download. But, the threats are not always through a coding attack. Hackers are increasingly using social engineering techniques to trick people into breaking normal security procedures because they think the phone or email contact is a trusted source.
That’s just the start. The rise of the Internet of Things (IoT) means personal data could be hacked or collected by cybercriminals in a way never before possible.
Does your wellness program encourage employees to use wearable fitness trackers or apps? Sure, they can improve employee health but there’s also a risk to private information: the FitBit cloud holding this personal health data has already been hacked, raising fears about their vulnerability. And that’s not even addressing their lack of Health Insurance Portability and Accountability Act (HIPAA) compliance.
With so many ways to hack into your company and your employees’ lives, it’s a top priority to have the best cyber security as well as the best insurance and employee benefits programs that protect your company’s people, property, data, reputation, and — ultimately — your bottom line, no matter what new Disrupter comes down the pike.
Technology is expanding at an unprecedented rate; there are new Disrupters in development that offer improvements and increased risks. Hays is at the forefront, watching the development and the impact on your business. We’ve always believed in providing the best resources available for our clients, so our representatives are prepared to provide guidance in managing the evolving risks. We hope you call on us if you have any questions.
This issue is an excerpt from our quarterly FOCUS publication. If you would like to read more, you can request the full issue below.
Recently, updated guidance has been received from the Federal Government with respect to the ACA, including release of updated health plan “Benefit and Payment Parameters” for 2017. For your information, we have summarized these updates below.
2017 Benefit and Payment Parameters:
On February 29, 2016, the US Health and Human Services (HHS), Treasury and Labor Departments finalized rules addressing 2017 Benefit and Payment Parameters for essential health benefits. The guidance issued is summarized in the linked “Fact Sheet”. Highlights of the changes affecting health plans under the proposed rule include:
Annual out-of-pocket maximums for health plans (other than HDHPs with HSAs) will be indexed in 2017, to $7,150 for individual coverage and $14,300 for family coverage.
HHS proposes to “codify statutory language” defining whether a new entity that was not in existence throughout the preceding year is a “large employer” subject to the play-or-pay mandate. The statutory language, when finalized, will reflect that the determine will be based on the number of employees it expects to employ on business days in the current calendar year.
The individual cost exemption for 2017 from the individual shared responsibility requirement will index to 8.16% of adjusted gross household income.
The Exchange open enrollment period for coverage beginning in 2017 and 2018 will begin November 1 and end the following January 31. For coverage beginning in 2019 and subsequent years, Exchange open enrollment will be from November 1 through December 15.
Click here to find an ACA Compliance Bulletin that contains further details, for your reference. If you have any questions, please contact your local Hays Consultant.