Risk & Response Weekly

Metaverse Webinar Highlights

If you missed the February Blue Water Wave webinar I was on, we had a great discussion about web 3.0, better known as the metaverse, we'll be doing another one on April 7th at 1130am EST, email bridget@bluewaterwave.com to RSVP.

Here's a summary of things we talked about at the February 2022 webinar:

What is the metaverse:

  • It's how we interact with technology in the digital and physical world

  • Translates to a digital economy where users can create, buy, and sell goods

How the Legal Industry will experience the metaverse:

  • Criminal and civil procedures are being held in a digital format

  • Jurisdiction will be challenged because there will be no boundaries to the metaverse

  • Brand protection becomes an imperative

How the Real Estate Industry will experience the metaverse:

  • Digital will mirror physical (virtual Car Loft vs real, digital Grand Canyon, or virtual Madison Square Garden)

  • The NFT Realtor is a new career, will it be licensed?

  • Creators want physical studio space

How the Consulting and Accounting Industry will experience the metaverse:

  • Meeting and working in VR/AR

  • Creators will have revenues from various sources

  • Marketing in your face!

Side effects of Metaverse:

  • Increased social pressure and cyberbullying

  • Assaults become kinetic - remote killing

  • More intrusive ads and data harvesting

Risk:

A new cybersecurity survey finds 72% of institutions fear account takeover as a leading fraud concern in 2021. Followed by synthetic ID fraud (62%) and social engineering scams (58%).

47% say the biggest reported impacts are loss of productivity.

Now that our whole lives are online, I believe, ATO presents a massive near-future threat to our communities that most are unprepared for. We do everything online, from paying our gas bill to getting healthcare advice.

Data is the new gold. Therefore, locations where data is stored (cloud, datacenters, a computer) are similar to banks of the old west. Western gangs like the Wild Bunch and the James–Younger Gang selected "access points" like bank tellers and safes to get to where the money and gold were kept.

In modern times, cybergangs, like the hacker group ShinyHunters or Russia's state-sponsored Cozy Bear, focus on stealing credentials that give them access to information through a portal or application (with varying degrees of security). They no longer need to hack the database or server, they only need to gain access to your information by stealing your username and password.

Response:

  • Stay up to date on the latest attack vectors. There are a number of resources, from the FBI and DHS Cyber to cybersecurity companies and consultants, who publish research papers and alerts on the latest cyber threats.

  • Review cyber awareness training and testing to ensure they are meeting the latest threat vector. Update them to counter-attack trends.

  • Update policies on a frequent basis to ensure the changing business landscape hasn't opened an unforeseen vulnerability to your network or data. For example, when the pandemic lockdowns went into effect, folks started working remotely more than ever in modern history, cyber policies needed to adapt to that overnight.

  • Tool's to protect networks and data are ever-evolving and changing. If you haven't already, deploy advanced AI tools that have a high level of automation. Don't let humans do mundane tasks that could be given to a machine, that's just wrong.

References:


Is your office OSHA (COVID-19) Compliant?

How to be ready for the wave of COVID-19 fines and findings.


"My concern is that starting in 2022 OSHA will begin to take enforcement actions against businesses that have had outbreaks or safety complaints."

Risk:

We have a saying in the military to describe when bad things are on the horizon, BOHICA. I'll let you Google its meaning. OSHA just updated its guidance on mitigating and preventing the spread of COVID-19 in the workplace.


Many businesses are still struggling with just keeping people employed and continuing to provide limited services to customers, let alone enforcing mask mandates or vaccines.

But that doesn't absolve business owners of the responsibility to have a plan to deal with injuries and illnesses in the workplace.

Response:

All businesses need to understand how they are regulated by OSHA, how those regulations will be applied, as well as what to do when you have an incident or complaint.

When in doubt, reach out to legal counsel or an expert, do not try to navigate OSHA regulations on your own.


Recommendations:


How to be ready for an OSHA inspection:

  • Have a plan, policies, training, equipment, and procedures to prevent injuries and illnesses in the workplace... AND know what to do if your workplace experiences a COVID-19 outbreak (i.e. contract tracing).

  • The CDC and OSHA are constantly providing updates to their guidance, businesses need to appoint someone to keep up to date on the latest recommendations and keep the business in the green, as it pertains to compliance risk.

  • OSHA encourages vaccinations, regular testing, and face coverings and they don't care what a business's political beliefs are. If they receive a complaint, there is a great likelihood there will be an inspection and a finding.

  • Do the basics:

    • Have written policies and procedures.

    • Educate workers on COVID-19 policies.

    • Maintain adequate workplace ventilation and perform regular cleaning.

    • Prohibit discrimination and retaliation for those who do/don't wear face coverings or do/don't get vaccinated.

    • Record (where appropriate Report) work-related illnesses and injuries (this has always been required by OSHA).

    • Investigate injuries and illnesses by conducting contact tracing.

References:

Cyber Tips: Password Management and Protecting the "Crown Jewels"

Risk:

We all do it... You know who you are... You've used the same password for 20 years in everything from your AOL.com email to cloud storage account and you keep it written down on a piece of paper under your keyboard.

With the prevalence of cyber breaches reaching an all-time high, how can you protect your vital information (client lists, confidential projects, or intellectual property) or what I call the crown jewels?

"I believe data breaches, phishing, and business email compromise will be the greatest technology risk to businesses in the 2020's."


Response:

First, let's look at some statistics:

  • Estimates show there has been a 30% increase in coronavirus-related cyberattacks in May 2020 alone (Unisys).

  • Only 5% of a company’s folders are protected (Varonis).

  • 62% of breaches involved the use of stolen credentials (username and password) or phishing (Varonis).

    • Phishing is an email or communication purporting to be from a reputable source which attempts to induce you into revealing the crown jewels.

Recommendations:

Don't be afraid, here's what you can do to protect the crown jewels:

  • Don't click on links in emails. Open a new browser tab and log in to the real website.

  • Know where your crown jewels are kept, list the applications or areas you keep important data, and turn on multi-factor authentication (MFA) or any other security feature offered.

  • MFA is an electronic authentication method in which a user is granted access to an application only after successfully presenting two or more pieces of evidence.

  • Example: a random number generated by a token or an authentication number sent in a text to your cell phone.

  • Get a password manager. A password manager generates and stores all your passwords and requires you to manage one password.

  • Consider using:

References:


What Risks Will Come From "The Great Reshuffle"

Risk:

Just when employers got used to the "new normal," momentum is building for a "new-new normal." "But wait! I just invested in a return to work strategy that met all my employee's needs, from the folks right out of college to our most senior executives!" You might be saying.

What is the "Great Reshuffle?" Employees of multiple generations are deciding right now if they want to work for their current employer or in their current industry. Health and safety regulations are pushing some to reconsider who, where, and how they work.

As we entered the pandemic in early 2020, we defined the new normal as those who can work remotely will continue to do so, then it became the hybrid work environment. But drastic changes to some of the primary employee generations are threatening to throw off employers' return to work strategies.

Millennials are considering a pause on their return to the workplace, just as they are hitting a mid-career stride, to pursue advanced degrees or less stressful careers.

Gen Xers, who are already deep into their careers, are considering leaving their employers due to disagreements over mask and vaccine mandates.

And Baby Boomers are throwing their hands up saying, "Oy vey, you can have it, I'm retiring," and leaving the workforce entirely.

Employers are stuck in the middle, frustrated, and spending massive amounts of capital on recruitment and retention. And employees are overworked and underpaid, creating a recipe for disaster.

Employees are getting into political debates, arguing about the pandemic, and becoming polarized, which is the "next normal" or an elevated rate of workplace incidents.

Response:

Building an HR, recruiting, and leadership development to meet the "next normal" is easier said than executed. We all need to reimagine how we are treating employees to ensure everyone understands they are valuable.

Millennial employees appear to want flexible work schedules and to work for an organization that is committed to social good. If you're trying to attract Millennial workers, you need to be offering both of those options.

Gen X wants to be left alone and not be mandated to do something they may not believe in. And Baby Boomer workers are leaving the workforce in droves, leaving large gaps in senior roles that need to be filled.

I believe incidents of workplace civility and conflict will reach an all-time high before the 2024 election cycle. Now is the time to mitigate these threats.

Recommendations:

  • Include empathy in your code of conduct and organizational culture.

  • Train HR and supervisors to identify a conflict between employees before it escalates to violence. As well as how to escalate the information to a Threat Management Team.

  • Consider alternatives, if appropriate, to mask or vaccine mandates. For example, have employees who do not want to wear masks or vaccinate sign waivers stipulating they understand the risks to themselves and others and implement a contact tracing protocol.

  • Survey and interview employees frequently to ensure they have an outlet for complaints or grievances.

References: