Understanding the Importance of Cyber Hygiene for Organizational Safety
Originally Published by: EHS Today — December 5, 2024
Safety professionals and risk managers in the manufacturing, construction and service sectors spend considerable time ensuring that their workers have a physically and mentally safe workplace. Recent technology outages and cyberattacks demonstrate that safety professionals also need to consider technology risks that could pose a threat to workers’ safety.
Here’s what you need to know about the risks that cyberattacks and Internet of Things (IoT) breaches pose to workers—and what steps you can take to address those risks.
The CrowdStrike outage in summer 2024 was a botched Microsoft software update that became the largest cyber outage in U.S. history. While not a cyberattack, the impact of this outage was especially extreme on airlines. In fact, Delta had to cancel hundreds of flights over a period of days. That caused severe disruptions for customers and employees, who experienced scheduling issues, which are critical in the aerospace industry because federal law prohibits employees from exceeding the work hours allowed for safety purposes.
The CrowdStrike outage is a good reminder that organizations must be vigilant and understand that the intangible world of cyber can have major impacts on their organizations as well as workers’ safety. Many CIOs and CTOs were asked why operations were at a halt and, in the early hours of the outage, organizations were not yet aware of what caused the issue. Safety professionals had to account for employees while the systems that captured employee check-ins were down.
Prioritize Workplace Safety
Workplace safety is paramount for employees. Manufacturers and construction sites invest much time and energy on plant security and safety. Equally important to the sense of workplace safety is the emotional, mental and physical safety of the workforce.
Examples of cybersecurity in the workplace that contribute to employees’ sense of safety and well-being include tracking employees in the plant, monitoring machines to ensure they are operating appropriately, and installing lockout/tagout technology to shut down machines if compromised. Part of the process for safety personnel is to work with IT to ensure that appropriate firewalls, which serve as digital barriers to prevent unauthorized network access and protect against cyberattacks, are in place. In addition, both departments need to install and update antivirus software on any—and all—necessary equipment to detect and remove malicious software, or malware, that can compromise digital systems.
In addition, organizations should make sure appropriate surveillance technologies are in place to monitor and track activities. Surveillance serves various purposes, including securing the plant or site and tracking individuals for identification.
One issue that presents itself more in our current environment is IoT vulnerabilities. Hackers often compromise IoT devices as a gateway to an organization’s network, which allows them to access more sensitive data. Manufacturers and other industrial businesses collect and possess an increasing amount of data that is valuable to hackers. In addition, with the prevalence of technology, downtime can lead to safety concerns for workers and major disruptions to operations.
One key element to successfully defending against crippling attacks is to ensure good cyber hygiene.
Practice Good Hygiene
The first part of making workers feel safe and addressing the risk of cyberattacks is practicing good risk hygiene. Business owners repeatedly have identified cybersecurity and privacy as the top risk they are concerned about. There are a number of steps that safety professionals and risk managers can proactively take, including:
Privileged access management
This consists of two elements. The first is controlling which information is accessible to which people. The second is monitoring and preventing unauthorized privileged access to critical systems.
Controlling data collection
Part of risk management around cybersecurity includes understanding what information your organization is collecting from workers—and why.
If your business is collecting biometric information, make sure that you are following any applicable state or local laws. Recently, Meta agreed to a $1.4 billion settlement in Texas over a class action claiming that it used biometric data of users without their permission. Similarly, many employers in Illinois have faced large lawsuits by employees for collecting biometric data without their permission.
Cybersecurity awareness training and phishing testing
Every employee should understand the risks of cyberattacks and how to prevent exposing their employer, as hackers are getting more sophisticated. In addition, periodic testing should be conducted to ensure good risk management.
Employee awareness
Let your workers know the steps you have taken to ensure that sensitive personal information is secured with minimum access to those who need to know and, as much as possible, the information is not accessible to external people.
Cyber incident response planning and testing
Every organization should have a good cyber incident response plan in place. It also needs to be tested so that in the event something does happen, the organization—and its employees—are prepared to quickly and appropriately respond.
Tested backups
One key to resisting ransomware attacks demanding payment is to have a robust program of secured, encrypted and tested backups. A best practice is to take snapshots several times a day, so that in the event that an attack occurs, you can get back up and running quickly.
Cybersecurity program
Each entity is a bit different; therefore, the cybersecurity program should be proportionate to its resources and risks. However, not having one is never the answer.
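The "tested backups" step above, as an added example that is not from the article: a Python routine that takes a snapshot of a records directory, records a hash manifest, and then proves the snapshot restores intact, reporting a failed test when the archive is damaged. Encryption of the archive at rest is assumed to be handled by the storage layer; the directory names and check-in data are constructed for the demo.

```python
# Added example (not from the article): a snapshot-and-restore check for a
# "tested backups" program. Encryption at rest is assumed to be handled elsewhere.
import hashlib
import os
import tarfile
import tempfile

def _sha256(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def take_snapshot(source_dir, archive_path):
    """Archive source_dir and return a manifest {relative_path: sha256}."""
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for root, _, files in os.walk(source_dir):
            for name in files:
                full = os.path.join(root, name)
                rel = os.path.relpath(full, source_dir)
                manifest[rel] = _sha256(full)
                tar.add(full, arcname=rel)
    return manifest

def verify_snapshot(archive_path, manifest):
    """Restore into scratch space and compare every file with the manifest; an unreadable archive, missing file or hash mismatch is a failed test (False)."""
    try:
        with tempfile.TemporaryDirectory() as scratch, \
                tarfile.open(archive_path, "r:gz") as tar:
            tar.extractall(scratch)  # our own snapshot, restored into scratch space
            for rel, expected in manifest.items():
                restored = os.path.join(scratch, rel)
                if not os.path.isfile(restored) or _sha256(restored) != expected:
                    return False
        return True
    except (OSError, EOFError, tarfile.TarError):
        return False

def demo():
    """Constructed scenario: a good snapshot passes, a truncated one fails."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "plant-records")
        os.makedirs(os.path.join(src, "shift-logs"))
        with open(os.path.join(src, "shift-logs", "checkins.csv"), "w") as f:
            f.write("badge,checkin\n1001,06:58\n1002,07:02\n")  # constructed data
        archive = os.path.join(work, "snapshot.tar.gz")
        manifest = take_snapshot(src, archive)
        good = verify_snapshot(archive, manifest)
        with open(archive, "r+b") as f:  # simulate damaged media: cut the archive in half
            f.truncate(os.path.getsize(archive) // 2)
        return good, verify_snapshot(archive, manifest)
```

Run `demo()` on a schedule after each snapshot; a False result is the signal to treat that snapshot as unusable before a ransomware event forces the question.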
Good cyber hygiene is not a guarantee that your business will never experience a breach, but it will make it more difficult for attackers to find and exploit vulnerabilities within your systems. Good risk management and safety protocols will minimize any exposure.
Invest in Cyber Insurance
Another part of the puzzle of helping to comfort employees is having a good cyber insurance risk management profile in place. Whether you’re in manufacturing, construction or the service sector, it’s important to have a good overall insurance program that includes protection for cyber events. The cyber insurance market has matured in recent years, and more of the risk is placed on the insured.
Risk managers can help identify the types of cyber risks in the company’s risk profile and then work with the insurance broker to make sure the policy addresses those risks. Cyber insurance policies vary by insurer; most are cafeteria style, where coverage for each risk is selected separately. Check for exclusions, such as war exclusions and the Recording and Distribution of Material or Information in Violation of Law Exclusion, which attempts to exclude exposures such as biometric information collection violations.
Despite vigilant efforts, companies are still vulnerable to bad actors’ incessant efforts to exploit vulnerabilities. By taking these proactive steps, companies can reduce their exposure.
Prepare Your Cyberattack Response
In the event of a cyberattack, safety professionals and risk managers should take steps to safeguard employees. This includes:
Assessing the risk
Learn as quickly as possible what information has been attacked and what, if any, personal data of the employees has been compromised or accessed.
Informing employees
Once you know what data has been compromised, inform the workforce of what steps you are taking to minimize their exposure.
Reminding the workforce of safety practices
It is crucial to learn how the attack happened and remind every employee that safety practices must continue to be observed even if there is a production stoppage.
Notifying insurers
Risk managers should notify the cyber insurance carrier, but also other lines of insurance, as some risks and attacks may fall under other coverages, including business owners’ policies and directors and officers insurance.
Updating policies and procedures
Figure out what caused the attack and what vulnerabilities the bad actors exploited, then review and update risk management and safety policies to prevent a similar attack in the future.
Considering ransomware demands
The FBI and many regulators recommend strongly against paying ransoms. The theory is that paying ransoms encourages and funds future ransomware attacks. Organizations that pay ransoms may also risk violating Office of Foreign Assets Control (OFAC) sanctions; before your organization does pay, check to make sure it is not paying an OFAC-listed entity. Also, note that even if you do pay, bad actors often do not release access to the data or, in many cases, leak the data.
Conclusion
Safety professionals and risk managers can protect employees’ cyber health by taking steps to implement good cyber hygiene, to make sure that the risks are covered to the extent possible by insurance, and to have a good plan to reassure employees when an attack occurs on the organization’s software, hardware or IoT. Taking such steps should help to avoid the sort of exposure that companies faced with the CrowdStrike outage and other well-known cybersecurity breaches.