Monthly Archives: April 2019

Want to scan your crypto wallet for risks? Check: AML crypto BTC, USDT, ETH. Checking cryptocurrency wallets for dirty money.

67% of Hotel Websites Expose Guest Data, Study Finds

Posted on by

According to new research from cybersecurity company Symantec, 67% of hotel websites are leaking customer reservation details and other personal information. Candid Wueest, the company’s principal threat researcher, tested more than 1,500 hotels in 54 countries, including low-cost to high-cost hotels, as well as both chain and independent hotels.

buy tobradex online desiredsmiles.com/wp-content/uploads/2023/10/tobradex.html no prescription pharmacy

symantec hotel data exposureWhen a customer uses a hotel’s website to book a room, the site usually creates and sends them a link so that the customer can directly access  and manage their reservation.

buy desyrel online desiredsmiles.com/wp-content/uploads/2023/10/desyrel.html no prescription pharmacy

According to Symantec, part of the problem is that third-party advertisers on hotels’ booking websites and web analytics companies (which track web traffic) can access customers’ bookings because they also get those links. This means that advertisers and analytic companies – including any potential malicious actors among their employees – could access and steal the information that the customer entered when booking a room, and even change or cancel the reservation.

Symantec also found that more than a quarter of the hotel websites examined do not send secure, encrypted links in their confirmation emails. Encrypted links prevent anyone trying to hijack a customer’s data from being able to see that data. If a customer received a confirmation email while using an unprotected WiFi (a public network in a café or an airport, for example), a cybercriminal could intercept that customer’s emails and use the unencrypted hotel booking link to access the customer’s booking. Some of these automatically generated links also contain details like customers’ email addresses in the web address, which makes accessing their information even easier for cybercriminals.

Additionally, many hotel websites are vulnerable to a type of cyberattack called “brute forcing,” where an attacker can use the customer’s email address and guess their booking number to gain access to the reservation and personal information. In some cases, Symantec found that hotel websites did not even require an email address to access customers’ reservation information via brute forcing. Though this method would not be useful to gain access to large amounts of customer data, attackers could use it to target individuals, like a specific CEO or conference attendee.

Wueest noted that hotels have thus far been slow to respond to these data exposure risks, and some have not responded at all. When he alerted the hotels’ data privacy officers to the problems in their sites, 75% responded, and those who did took an average of 10 days. Hotels and their information security staff should promptly assess their booking processes to ensure they are minimizing the risk of potential data leaks and breaches.

buy elavil online desiredsmiles.com/wp-content/uploads/2023/10/elavil.html no prescription pharmacy

By leaving these gaps in their websites’ security, they are endangering their customers and opening themselves up to risk, including potential liabilities and reputational damage.

Symantec recommends that hotels use encrypted links, and ensure that the automatic links generated do not include information like customers’ email addresses. It also recommends that customers use Virtual Private Networks (VPNs, services that protects users’ internet traffic) when booking or accessing their reservations using public WiFi to prevent any cyberattacker from intercepting any information that would provide a way in.

The report should also serve as a reminder that corporate employees’ personal devices and personal information are popular targets for cybercriminals and can be especially vulnerable to risks while traveling. Any time an employee exposes their devices to unprotected networks or, in this case, insufficiently protected websites, it leaves both the employee and their employer at risk. Even if an employee is using their own device to conduct business, it still endangers their employer because it may expose valuable business information. Cybercriminals have particularly used the hospitality industry as a hunting ground for such attacks, for example, targeting individuals using hotel WiFi, tricking them into downloading malicious software and stealing their information or spying on their internet activity.

How a Strong(er) SRM Program Could Have Helped Boeing

Posted on by

A strategic risk management (SRM) program is designed to assist organizations in identifying, prioritizing, and planning for the strategic risks that could impair or destroy businesses and reduces the chances of these kinds of crises. And while hindsight is 20-20, an SRM program – or a more effective one – could have helped Boeing avoid some of its recent high-profile crises.

Between October 2018 and March 2019, two crashes involving the Boeing 300 737 MAX 8 models resulted in the loss of 346 lives. Since then, Boeing has:

  • had a possible criminal investigation commenced against it,
  • lost $22 billion in market value in the week following the Ethiopian Airlines’ crash in October,
  • had more than 300 737 MAX 8s grounded worldwide,
  • sustained significant reputational harm,
  • received demands from airlines seeking compensation for lost revenue,
  • been sued by crash victims’ families, and
  • had sales orders cancelled or suspended.

This is a crisis from which it may be difficult to recover.

One could trace back some of the risks to its decades-long rivalry with Airbus and an effort to remain viable.

buy zetia online www.tvaxbiomedical.com/scripts/css/zetia.html no prescription pharmacy

When American Airlines indicated it was close to finalizing an exclusive deal with Airbus for hundreds of new jets, Boeing sprung to action. The New York Times reported that Boeing employees then had to move at “roughly double the normal pace” to avoid losing “billions in lost sales and potentially thousands of jobs.”

An SRM program would have required an assessment of the business model and the associated risks, including competitors, long before the call from the CEO of American Airlines. The risks would have been prioritized and this information would have been factored into strategic plans that would have included responses to material risks.

During the scramble, Boeing mirrored Airbus’ operations and mounted larger engines in existing models.

buy arava online www.tvaxbiomedical.com/scripts/css/arava.html no prescription pharmacy

 The objective seemed straightforward: Make minimum changes to avoid the need for training in a simulator, decrease costs, and build the redesigned model quickly. But a risk was that mounting larger engines changed the aerodynamics in the aircraft, requiring a consequential need for new software, a Maneuvering Characteristics Augmentation System (MCAS) which was supposed to prevent stalling. Boeing’s view was that pilots did not need to be trained on the software and federal regulators agreed.

However, in an effective SRM program the C-Suite would have been advised that the strategic and life safety risks were material and that training for pilots was indeed necessary.  In addition, all such risks would have been assessed to determine whether they could be used to obtain a competitive advantage.

For example, including vital safety features in the base cost of aircraft (as opposed to charging extra for them) and requiring a focus group of pilots with no financial relationship with Boeing to test the newly designed 737 MAX 8s and the MCAS system would have been a way to solidify Boeing’s reputation for safety first.

An SRM program, which monitors progress in achieving strategic objectives with a focus on continuous improvement, would have looked at the Indonesian Lion Air and the Ethiopian Airlines crashes as an opportunity to confirm that Boeing puts safety first by grounding the aircraft. Instead, Boeing urged the U.S. to keep flying its jets until after 42 regulators in other countries had grounded them and appeared to care more about economics than life safety. Only seven months ago, Boeing was synonymous with efficient jet planes and commercial aviation – it was a reputation that took decades to build. Now, the company has a long, uphill climb to resolve its many challenges and rebuild its brand.

buy zantac online www.tvaxbiomedical.com/scripts/css/zantac.html no prescription pharmacy

An SRM program cannot succeed without full support from the C-Suite as it has to be integrated into the business model and decision-making processes in order to be effective, and in time we will learn more about what risk management protocols were followed across Boeing’s organization.

At RIMS 2019, Marian Cope will lead a panel of industry experts in discussing reasons to transform an ERM program into a SRM program or develop a SRM program in NextGen ERM:  Strategic Risk Management. The session will take place April 29th at 1:30 pm.

New Distracted Driving Data Shows Emergency Responders At High Risk

Posted on by

April is Distracted Driving Awareness Month, and the National Security Council (NSC) released new data this week that explores added transportation risks when emergency responders are en route to provide aid. It is clear that the mere presence of emergency personnel on the road can cause distractions for drivers and bystanders. To date, 16 emergency responders have been struck and killed by vehicles this year in the United States.

According to a survey released jointly by the NSC and the Emergency Responder Safety Institute (ERSI), 16 percent of respondents said they either have struck or nearly struck a first responder or emergency vehicle stopped on or near the road. Yet still, 89 percent of drivers say they believe distracted motorists are a major source of risk to first responders.

Key findings included:

  • 71% of drivers take photos and text while driving by emergency responders on the side of the road (this drops to 24% under normal driving conditions)
  • 60% take time to post to social media and 66% email about the situation
  • 80% admit to “rubbernecking” – that irritating, but also risky, practice of slowing down all traffic to get a better look
  • 49% say that possibly being struck by a vehicle is “just part of the risk” of being a first responder

As part of its #justdrive campaign, NSC has developed a free Safe Driving Kit to help employers keep their workers safe and is hosting a webinar on April 23, titled “You’re Not As Safe As You Think You Are,” to educate employers on the real risks of distracted driving and what safety-forward companies are doing to combat them.

“The cruel irony is, we are putting the people who are trying to improve safety in very unsafe situations,” said Nick Smith, interim president and CEO of the NSC. “Our emergency responders deserve the highest levels of protection as they grapple with situations that are not only tactically difficult but also emotionally taxing. Save your communications for off the road; disconnect and just drive.”

Already on the NTSB’s List

Earlier this year, Risk Management Monitor reported on the National Transportation Safety Board’s (NTSB) Most Wanted List of transportation safety improvements for 2019-2020, and “Eliminating Distractions” for all vehicle drivers is at its top.

In 2016, more than 3,100 fatal crashes on U.S. highways were attributed to driving-while-distracted. These crashes involved 3,210 distracted drivers, according to the National Highway Traffic Safety Administration (NHTSA), because some of them involved more than one distracted driver. Furthermore, the Virginia Tech Transportation Institute concluded that commercial drivers are at extremely high risk of a crash when texting—23 times greater than when otherwise engaged.

The NTSB states:

Contributing to the problem is the widespread belief by many drivers that they can multitask and still operate a vehicle safely. But multitasking is a myth; humans can only focus cognitive attention on one task at a time. That’s why executing any task other than driving is dangerous and risks a crash.

Personal electronic devices (PEDs), such as cell phones, are one of the greatest contributors to driver distraction and the NTSB recommends banding all PED use on U.S. roadways. The District of Columbia and 37 states restrict the use of cell phones by novice drivers, and 47 states, DC, Puerto Rico, Guam, and the US Virgin Islands ban text messaging for all drivers.

 

Recent Apparent Suicides Highlight Need for Post-Violence Recovery Plans

Posted on by

Three apparent suicides that occurred in late March reaffirmed the need for post-incident plans that address long-term trauma in the aftermath of workplace violence and mass shootings.

All three decedents had either survived a school shooting or had been related to a victim. Two youths who survived the Marjory Stoneman Douglas High School shooting in Parkland, Florida died by apparent suicide just 13 months after a former student killed 17 and injured several more. Shortly after, it was reported that the father of a child killed in the 2012 Sandy Hook Massacre–in which a gunman killed 26 children and adults in a Connecticut elementary school–allegedly died by suicide.

As of March 31, 2019, the Gun Violence Archive confirmed 68 mass shootings for the year, and with statistics sure to rise, companies and institutions should be mindful of the delayed effects of workplace violence. Risk Management Monitor previously reported the number of suicides in the United States has risen in nearly every state between 1999 and 2016. Employers may use these tragedies to reconsider their own prevention and awareness efforts, and ways they can productively contribute to the dialogue and keep their workers safe.

Paul Marshall, managing director of Active Shooter and Workplace Violence at McGowan Program Administrators said post-incident trauma counseling is critical when it comes to preventing or reducing long-term effects.

“The trauma counseling for the mental anguish needs to be aggressively pushed, almost like the way post-traumatic stress disorder is for first responders,” Marshall said.

Counseling for physical and non-physical injury survivors and witnesses is something that could be missed when drafting a premises or employer liability policies, he said. In fact, Risk Management magazine reported that companies may not be aware of potential gaps in their coverage or that the limits of their coverage, when considering active shooter incidents, are insufficient.

Marshall said that instead of a duty to defend when it comes to a commercial general liability policy, insurers can address long-term trauma with a duty of care clause. This, he said, demonstrates an employer’s willingness to help victims from the outset.

“There’s a typically a year limit on these policies – in the insurance industry you need to apply some sort of time limit,” Marshall said. “But it’s still a year longer than you’d otherwise get. And there has been a huge uptick in these policies from a year ago.”

#BeThe1To is the National Suicide Prevention Lifeline’s campaign to empower people to help those in crisis.

How Employers Can Help

Addressing post-incident trauma in an insurance policy is important, but equally paramount is the need to ensure that employers make training available for affected employees – regardless of where the incident occurred. Regina Phelps, president of Emergency Management & Safety Solutions, said that post-incident crisis management protocols should be added to workplace violence preparedness plans. Therapy and grief counseling are critical details of those protocols.

“Always give co-workers the option of attending any funeral or memorial service for the victims,” Phelps said. “Be aware of employees’ feelings of guilt – some might feel that they could have done something to stop the suicide or perhaps the victim told them of their plans, and they dismissed the comments. Incidents like that will make co-workers feel like it is their fault. Engage your employee assistance program [EAP] to provide education and training about the suicide threat and the complexities of the situation. If appropriate, support employees who start a tribute or fund to support the worker’s family.”

Phelps said that regular post-incident training can be just as crucial as prevention.

“It is essential to conduct regular exercises with the individuals responsible for the plan and its implementation. This could include the organization’s crisis management team as well as key departments such as human resources, security, facilities and communications,” Phelps said. “Plans are written in a vacuum. During most incidents, plans are not pulled out and people instead operate on muscle memory.  Exercises are the best way to ensure that the muscle memory will be helpful.”

Finally, Phelps stressed that employers communicate that their EAPs are typically available to employees’ families as well.

“Providing mental health services to employees and their families is essential,” she said. “The incident will affect not only the employee but their families. Ensure that counseling services are very convenient – offering an option at work, off-site as well as virtually is essential to make sure that employees get the help that they need. It is also critical to provide these same services to their immediate family.”

For more about active shooter preparedness, RIMS members can access a new professional report, “Active Shooter Preparedness and Your Organization.” To download the report, visit RIMS Risk Knowledge library at www.RIMS.org/RiskKnowledge.

If you or someone you know might be at risk of suicide, here’s how to get help: In the United States, call the National Suicide Prevention Lifeline at 1-800-273-8255. The International Association for Suicide Prevention and Befrienders Worldwide also can provide contact information for crisis centers around the world.