Advice for Avoiding a Ransomware Attack
May 26, 2021

Earlier this month the country once again bore the consequences of a cyber security breach when Russian hackers calling themselves DarkSide coordinated an attack on the computer network of the Colonial Pipeline Co., a major gas pipeline that provides almost half of the gas supply to the East Coast of our country. The Colonial Pipeline Co. paid a hefty ransom of $4.4 million to regain control of its business network from the hackers who had taken it over. The decision to pay the ransom was not made lightly, and some experts disagreed with it, including the FBI, which maintains a policy of not paying ransom to terrorists. The CEO, however, felt obliged to get the gas supply up and running again for the millions of Americans already affected by the shortage and the millions more who would pay the price as supply failed to keep up with demand.


Targeted attacks are no accident. Hackers follow a process that is somewhat predictable, and with awareness and security measures firmly in place it is also preventable. Good security protocols that are actually followed, backed by continuous monitoring, are the best defense against this happening to you. Even with vigilant practices, an organization's weakest point is usually human error, so training is imperative to prevention.


How ransomware works

The first step of a ransomware attack is reconnaissance. These bad actors research their targets in advance to determine the likelihood of ransom payment, and they identify vulnerabilities and access points. Your business should stay vigilant in its security measures and have access points monitored and checked regularly for flaws. Once access points are identified, the hackers exploit them by obtaining credentials through phishing, using default passwords, or purchasing access to systems on the dark web. The best way to prevent this is to use secure passwords, require multi-factor authentication, and train employees to stay vigilant against phishing. It's also a good idea to cut off terminated employees' access completely, as early as possible in the separation process.


Once a hacker gains access to your network, the name of the game is to maintain an open door. They do this by using malware to create back doors into the system that ensure continued entry into your network. The next step is to encrypt or destroy your backups and move through your network looking for additional systems and backups to control, encrypt or destroy. Once in control of your network, these threat actors steal your data and use it as leverage to force the organization to pay a ransom, by threatening to disclose the stolen data publicly and/or by encrypting as many files and systems as possible across the network so that you cannot use it.


Once your data and network are firmly in their handcuffs, a ransom will be demanded to release the encrypted files and restore your access. If the victim organization chooses to pay the ransom, an experienced incident response firm is usually engaged to assist with negotiating the demand and to facilitate the cryptocurrency payment. If the ransom is paid, the hackers provide a decryption key and data recovery can begin. If the ransom is not paid, the organization must either recover the files from a clean backup or rebuild the files and systems from scratch, which could take several weeks or months.


What you can do to avoid ransomware attacks

The dark web is upon us, and there are dark forces working around the clock looking for large payouts and easy targets. Don't be an easy target! Follow your IT security protocols vigilantly, consider a threat assessment by an expert, and consider purchasing Cyber Security Insurance for breach response assistance. There are several products available to fit a variety of sizes and types of businesses that protect your business assets in the event of a breach of personally identifiable information, a hostile takeover of your network, an interruption of your cloud services, or the introduction of malware to your systems.


Talk to our licensed agent today about products available to protect your organization. In the underwriting process you may find additional tips on security measures that you hadn’t considered before and you can rely on a partner to help get your business through to the other side in case of a cyber security event.


The facts

In 2020 ransom and extortion claims accounted for 1 in every 5 cyber claims, up from 1 in every 10 cyber claims in 2018.


A ransomware attack on a business is predicted every 11 seconds, and global ransomware damage costs are predicted to reach $20bn in 2021, up from $325m in 2015.


According to an AIG observation, network outages and business interruption from global ransom and extortion claims are lasting 7-10 days.


By 2025, global cybercrime costs are estimated to reach $10.5 trillion.
