
The 7 Keys to Strong Passwords

Twelve characters are the absolute minimum, but passwords can be both easy to remember and hard for an attacker to crack. 

Creating a strong password may seem like a chore, but sometimes it can literally be the only thing standing between a cybercriminal and your personal and financial information or access to your company’s network and intellectual property. Here are some tips for creating a strong password (that you can actually remember):

1) The most important factor in a secure password is length. A longer sequence of characters (letters, numbers and possibly punctuation marks) means more possible combinations an attacker has to try. The absolute minimum should be 12 characters. An eight-character password, for example, can be broken in a matter of hours by modern cracking software if the attacker has stolen the site's password database and the site stored passwords with a fast hash; against a slow, salted hash such as bcrypt or scrypt, or against a login page that limits attempts, the same password holds up far longer. You rarely know how a site stores your password, so plan for the worst case. Four extra characters may not seem like much, but they multiply the number of possible combinations (and hence the attempts the cracking software has to make before it hits the right one). Even if only letters and numbers are allowed, there are about 14.8 million (62 to the fourth power) times as many combinations for a 12-character password as for an eight-character one. If punctuation marks are included, the 12-character password is about 81 million (95 to the fourth power) times as hard to exhaust. Simply put, longer passwords are always better, provided the extra length is not a predictable pattern.

2) Use a nonsensical (or completely personal) passphrase. You can pick a password that is both easy for you to remember and hard for an attacker to figure out. Mixing in symbols like $ or @ does enlarge the set of characters an attacker must try, but the substitutions people actually make (a $ for an S, a 1 for an l, an exclamation mark tacked on the end) are built into the rule sets of cracking tools, so in practice they add little strength while making the password harder to remember. It is the length, together with the unpredictability of the words or characters, that makes a passphrase difficult to crack.

When creating your phrase, make sure it really is unique to you (or genuinely random). Avoid famous literary quotes and song lyrics; cracking wordlists include them. A good nonsensical passphrase might be something like CyanStapleWashingtonBanana44 (don't use this exact one, or any other suggestion you see online; those end up in wordlists too). A personal phrase can be effective because it relates to something memorable to you, as long as it isn't a widely known event or something you have posted about. Perhaps you can use that time you were surprised at the aquarium: "BlueLobstersAreReal!" At 20 characters it is long enough that a machine won't exhaust it anytime soon, it is unlikely to be guessed, and you will remember it. Stronger still is a phrase of four or more words drawn at random from a large word list rather than composed by you: human-chosen phrases are less random than they feel.
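As an added illustration of keys 1 and 2 (not part of the original article), the Python below computes the keyspace ratios quoted under key 1, estimates how long an eight-character password survives an offline attack versus a throttled online one, and generates a word-based passphrase with the operating system's CSPRNG. The guess rates and the 16-word list are constructed for the demo; a real generator needs a list of thousands of words.

```python
import math
import secrets

# Alphabet sizes behind the article's arithmetic: letters+digits = 62,
# all printable ASCII (letters, digits, punctuation) = 95.
ALNUM = 62
PRINTABLE = 95

# Constructed, deliberately tiny word list so the demo runs offline. A real
# passphrase generator needs a large list (the Diceware list has 7,776 words);
# with only 16 words, four of them give just 16 bits of entropy.
DEMO_WORDS = [
    "cyan", "staple", "banana", "lobster", "anvil", "quartz", "meadow", "piano",
    "copper", "walrus", "ember", "glacier", "tulip", "saddle", "nickel", "orbit",
]


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of distinct strings of `length` symbols from an alphabet of `alphabet_size`."""
    return alphabet_size ** length


def entropy_bits(candidates: int) -> float:
    """Entropy of a uniformly random choice among `candidates` possibilities."""
    return math.log2(candidates)


def seconds_to_exhaust(candidates: int, guesses_per_second: float) -> float:
    """Worst-case time for an attacker who can test `guesses_per_second` candidates."""
    return candidates / guesses_per_second


def generate_passphrase(n_words: int, words=DEMO_WORDS, separator: str = "") -> str:
    """Pick n_words uniformly at random using the OS CSPRNG (never the `random` module)."""
    return separator.join(secrets.choice(words) for _ in range(n_words))


def passphrase_entropy_bits(n_words: int, wordlist_size: int) -> float:
    """Entropy of n_words chosen independently and uniformly from a list of wordlist_size."""
    return n_words * math.log2(wordlist_size)


if __name__ == "__main__":
    # Key 1: the article's ratios. 62**4 is 14,776,336 and 95**4 is 81,450,625.
    print("12 vs 8 alnum chars:", keyspace(12, ALNUM) // keyspace(8, ALNUM))
    print("12 vs 8 printable chars:", keyspace(12, PRINTABLE) // keyspace(8, PRINTABLE))
    # Assumed rates: ~1e10 guesses/s for an offline attack on a fast unsalted hash
    # (one GPU against MD5/NTLM-class hashes) vs. ~10/s against a throttled login.
    for rate, label in ((1e10, "offline, fast hash"), (10.0, "online, throttled")):
        secs = seconds_to_exhaust(keyspace(8, ALNUM), rate)
        print(f"8 alnum chars, {label}: {secs / 3600:.1f} hours")
    # Key 2: a random word-based passphrase with its entropy.
    print(generate_passphrase(4, separator="-"), passphrase_entropy_bits(4, len(DEMO_WORDS)))
    print("5 Diceware words:", round(passphrase_entropy_bits(5, 7776), 1), "bits")
```

The offline figure (roughly six hours at the assumed rate) is what the "matter of hours" claim rests on; the same keyspace at ten guesses per second takes millennia, which is why the breach-and-crack scenario, not the login page, is the one to plan for.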

3) Don't use the same password for multiple sites. Attackers take the username and password pairs leaked from one breached site and try them automatically against other sites (credential stuffing), so reusing a password, sometimes described as "daisy-chaining" your accounts together, means one compromised account instantly exposes every other account with the same (or a similar) password.

4) Don't keep a file or email called "passwords" anywhere on your computer or in your mailbox; it is the first thing an intruder searches for. If you can't remember them all (and with a unique password per site, you can't), use a reputable password manager, which stores them encrypted under one strong master passphrase.

5) Change a password promptly whenever there is reason to think it has been exposed: a breach notice from the site, a phishing email you responded to, a device you lost. Site breaches often go undiscovered for months, so a password changed in the interim is useless to an attacker even if the stolen copy is eventually cracked. Routine rotation on a calendar (every few months) is less valuable than it sounds: it pushes people toward predictable variations, which is why current NIST guidance (SP 800-63B) advises against mandatory periodic changes and recommends changing on evidence of compromise instead. A unique, long password per site plus multi-factor authentication does more than rotation ever did.

6) Use "multi-factor authentication" whenever it's available. Additional "authentication factors" are just extra ways to prove you are who you say you are: something you have (your phone, a hardware security key) or something you are (a fingerprint) in addition to something you know (the password). In practice this usually means a one-time code from an authenticator app or sent to your phone by text message, entered alongside your password. If an attacker only has your password, she still won't be able to get access. Prefer an authenticator app or a hardware key over text-message codes where you have the choice; SMS codes can be intercepted by someone who persuades your carrier to move your number to a SIM they control.

7) Avoid using security questions, if you can. Frequently, these questions are offered as a way around the dreaded "I forgot my password" problem. They may sound helpful, but they almost always ask for information that can be found elsewhere online (where you went to school, your pet's name, your favorite color, your mother's maiden name). Any attacker will know to look for this information and can use it to reset your password, get into your account and potentially lock you out. Unfortunately, some sites require the questions. If so, pick questions that don't have just one or a handful of answers an attacker can look up, or better, treat the answers as passwords: give a random or made-up answer that has nothing to do with the question and store it in your password manager.

Remember that there is no such thing as an impervious system, but that doesn’t mean you should make it easy for attackers. If you’re a difficult target, they may well move on to an easier one.

Navigating EEOC and Labor Department

The focus is likely to be on the Americans with Disabilities Act and the Genetic Information Nondiscrimination Act -- and litigation should increase.

Trends in 2013 suggest that the Equal Employment Opportunity Commission is stepping up litigation, potentially involving large dollar amounts.

Recoveries by the EEOC were $39 million in 2013, slightly down from the $44 million recovered in 2012, but 2013 featured some high-profile cases. In 2014, the focus is likely to be on the Americans with Disabilities Act (ADA) and on the Genetic Information Nondiscrimination Act (GINA).

Even though GINA has been in effect since 2009, it wasn’t until 2013 that the EEOC filed its first lawsuit alleging genetic discrimination. The suit, against Tulsa-based Fabricut (Civil Case No: 13-CV-248-CVE-PJC), alleged the company violated the ADA by refusing to hire a woman because it regarded her as having carpal tunnel syndrome and violated GINA when it asked for her family medical history in a post-offer medical examination. Employers need to be very aware that GINA prohibits requesting family medical history, even with a contract medical provider during a post-offer examination. In May 2013, Fabricut agreed to settle the suit for $50,000 and to take specific actions to prevent future discrimination.

Just nine days into 2014, the EEOC settled its first systemic lawsuit alleging GINA violations, for $370,000. According to the complaint (EEOC v. Founders Pavilion Inc., No. 13-CV-06250), Founders Pavilion conducted post-offer, pre-employment medical exams and asked applicants to provide information about their family medical history. The suit also alleged that Founders Pavilion fired an employee after refusing to provide her with an accommodation, a violation of the ADA; refused to hire two women because of a perceived disability; and either refused to hire or fired three women because they were pregnant.

It appears that there will be a major focus in 2014 on ADA and GINA violations -- which go hand in hand. Note that the trend in EEOC litigation regarding ADA claims has shifted from disability to a focus on an employer’s obligation to provide reasonable accommodations.

For federal contractors, the key question in 2014 is: “Are you disabled?” The Labor Department issued new rules that will require federal contractors with 50 or more employees or with more than $50,000 in government work to pose that question to workers, in an effort to reduce the ever-increasing jobless rate of people with disabilities. Employees aren’t required to answer the question, but federal contractors will have to show that at least 7% of their workforce has disabilities or will face fines and potential loss of contracts.

Although the ADA does not allow employers to inquire about disability, the EEOC has made an exception so employers can comply with the Labor mandate. But lots of issues will arise. Do employees want their bosses to perceive them as disabled? Will more employees qualify as disabled with the broader definition of disability enacted with the 2008 amendment to the ADA? What will happen to reasonable accommodations, given that the exception that allows employers to ask about disabilities doesn’t appear to then allow a disabled individual to ask for a reasonable accommodation? 2014 will certainly be interesting!

While we wait to see what shakes out, there are some practices an employer can follow.

Relative to GINA, it is important for employers to know that the new regulations provide a quasi-safe harbor to employers who have inadvertently received genetic information when that information was not sought. The EEOC suggests that the employer use the following language on any requests for medical information:

“The Genetic Information Nondiscrimination Act of 2008 (GINA) prohibits employers and other entities covered by GINA Title II from requesting or requiring genetic information of an individual or family member of the individual, except as specifically allowed by this law. To comply with this law, we are asking that you not provide any genetic information when responding to this request for medical information. ‘Genetic information’ as defined by GINA includes an individual’s family medical history, the results of an individual’s or family member’s genetic tests, the fact that an individual or an individual’s family member sought or received genetic services, and genetic information of a fetus carried by an individual or an individual’s family member or an embryo lawfully held by an individual or family member receiving assistive reproductive services."

Relative to reasonable accommodations, employers are being urged by the EEOC to accept a doctor’s work release even if it has restrictions. Employers are also being urged to document entering into the interactive process if the reasonable accommodation is not straightforward or if the employer cannot meet the physician’s restrictions.

Although an employer may not ask disability-related questions or conduct a medical exam of an applicant until after making a conditional offer of employment, an employer may condition employment on the results of a medical examination or inquiry so long as all employees in a classification are subject to the same testing and/or inquiries and so long as the testing does not infringe on GINA. In addition, post-offer examinations may not be used to discriminate against individuals with disabilities. The testing must also be job-related and consistent with business necessity, and it must evaluate some of the essential functions of the job. Furthermore, these tests cannot discriminate against a protected class; for example, they cannot be unduly difficult for a woman.

According to the ADA, the term “discriminate” includes an employer’s failure to make reasonable accommodations. The applicant should be provided the criteria for passing the test, based on the job description. It is very important for the employer to enter into the interactive process if performance of the essential job functions cannot be met.

Baseline testing -- a tool that can assist employers in managing employees’ injuries by establishing if the injury arose out of the course and scope of employment -- must follow the same guidelines as a post-offer test. Baseline testing must be conducted for all individuals in a classification, must be consistent with business necessity, cannot discriminate against a certain class and must evaluate some of the essential functions of the job. Baseline testing differs from post-offer testing in that it is usually not read until a work-related incident occurs.

2014 might be a trying time for employers, but the best defense for an employer is to be prepared.

Cyber Challenges Under NIST's Framework

The cybersecurity framework is voluntary -- for now -- but attorneys and regulators may claim it is a de facto standard for all companies. 

On Feb. 12, the National Institute of Standards and Technology (NIST) released its long-anticipated Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, together with a companion Roadmap for Improving Critical Infrastructure Cybersecurity. The framework is issued in accordance with President Obama’s Executive Order 13636, Improving Critical Infrastructure Cybersecurity, which gave NIST the task of developing a cost-effective framework “to reduce cyber risks to critical infrastructure.” The companion roadmap discusses NIST’s next steps with the framework and identifies key areas for development, for alignment of cybersecurity standards and practices within the U.S. and globally, and for collaboration with private and public sector organizations and standards-developing organizations.

The framework applies to organizations in critical infrastructure. But, given the pervasiveness of cybersecurity incidents and the ever-present, increasing and evolving cyber threat, all organizations should consider whether their current cybersecurity risk management practices would pass muster under the framework. In addition, although the framework is “voluntary,” at least so far, organizations are advised to keep in mind that creative class action plaintiffs (and even some regulators) may nevertheless assert that the framework provides a de facto standard for cybersecurity and risk management even for noncritical infrastructure organizations. One thing companies should consider as they review the framework is what “tier” of cybersecurity risk management they wish to achieve. The tiers, which range from “informal, reactive” responses to “agile and risk-informed” ones, are addressed below, together with an overview of the framework and additional detail on certain of its key aspects.

Overview

At a high level, as its name indicates, the framework provides a structure for critical infrastructure organizations to understand their current cybersecurity risk profile and risk management practices, to identify gaps that should be addressed to progress toward a desired target state of cybersecurity risk management, and to communicate efficiently about cybersecurity and risk management both internally and externally.

Building from global standards, guidelines and practices, the framework provides a common taxonomy and mechanism for organizations to:

  1. Describe their current cybersecurity posture;
  2. Describe their target state for cybersecurity;
  3. Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process;
  4. Assess progress toward the target state;
  5. Communicate among internal and external stakeholders about cybersecurity risk.

NIST has emphasized that the framework “complements, and does not replace, an organization’s risk management process and cybersecurity program.” In addition, NIST properly notes that the framework “is not a one-size-fits-all approach” to managing cybersecurity risk, given that organizations “have unique risks—different threats, different vulnerabilities, different risk tolerances.”

In releasing the framework, NIST explained that it provides a structure that organizations, regulators and customers can use to create, guide, assess or improve comprehensive cybersecurity programs, and “a common language to address and manage cyber risk in a cost-effective way based on business needs without placing additional regulatory requirements on businesses.” NIST also notes that organizations can use the framework “to determine their current level of cybersecurity, set goals for cybersecurity that are in sync with their business environment and establish a plan for improving or maintaining their cybersecurity.” Moreover, because it refers to globally recognized standards for cybersecurity, the framework can also be used by organizations located outside the U.S. and can serve as a model for international cooperation on strengthening critical infrastructure cybersecurity.

Although it applies to organizations in critical infrastructure, the framework may be used by any organization as part of its effort to assess cybersecurity practices and manage cybersecurity risk.

Three-Part Approach

The framework adopts a risk-based approach composed of three parts: the core, the profile and the implementation tiers.

Framework Core

The framework relies on existing global cybersecurity standards, guidelines and practices as a basis to build or enhance an organization’s cybersecurity risk management practices.

The framework core presents five high-level “functions,” which, as stated by NIST, “organize basic cybersecurity activities at their highest level.” The five functions are: (1) identify, (2) protect, (3) detect, (4) respond and (5) recover. NIST explains that these five functions “provide a high-level, strategic view of the lifecycle of an organization’s management of cybersecurity risk” and provide “a concise way for senior executives and others to distill the fundamental concepts of cybersecurity risk so that they can assess how identified risks are managed, and how their organization stacks up at a high level against existing cybersecurity standards, guidelines and practices.”

For each of the five functions, the framework core identifies underlying key categories and subcategories of cybersecurity outcomes, then matches those outcomes with “informative references” that will assist organizations in achieving them, such as existing cybersecurity standards, guidelines and practices. By way of example, categories within the “protect” function include access control, awareness and training, data security, information protection processes and procedures, and protective technology. Subcategories under the “access control” category within the protect function include “[i]dentities and credentials are managed for authorized devices and users” and “[n]etwork integrity is protected, incorporating network segregation where appropriate.” The informative references for “[i]dentities and credentials are managed for authorized devices and users” are:

  • CCS CSC 16
  • COBIT 5 DSS05.04, DSS06.03
  • ISA 62443-2-1:2009 4.3.3.5.1
  • ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9
  • ISO/IEC 27001:2013 A.9.2.1, A.9.2.2, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3
  • NIST SP 800-53 Rev. 4 AC-2, IA Family

In practice this is the part of the framework a security team actually works with: each subcategory is a testable outcome (here, that every user and device credential is inventoried, provisioned and revoked through a controlled process), and the references tell the team which existing control catalog to audit that outcome against.

Figure 1 from the framework depicts the core, with the five functions broken down into categories, subcategories and informative references (the figure itself is not reproduced here).

NIST explains that the core “presents industry standards, guidelines and practices in a manner that allows for communication of cybersecurity activities and outcomes across the organization from the executive level to the implementation/operations level.”

Implementation Tiers

The implementation tiers describe the degree to which an organization’s cybersecurity risk management practices exhibit the characteristics defined in the framework. The tiers range from partial (tier 1), through risk informed (tier 2) and repeatable (tier 3), to adaptive (tier 4), and describe an increasing degree of rigor and sophistication in cybersecurity risk management practices and “the extent to which cybersecurity risk management is informed by business needs and is integrated into an organization’s overall risk management practices.” By way of example, considering the risk management aspect: at tier 1, “[o]rganizational cybersecurity risk management practices are not formalized, and risk is managed in an ad hoc and sometimes reactive manner.” At tier 2, “[r]isk management practices are approved by management but may not be established as organizational-wide policy.” At tier 3, “[t]he organization’s risk management practices are formally approved and expressed as policy” and “[o]rganizational cybersecurity practices are regularly updated based on the application of risk management processes to changes in business/mission requirements and a changing threat and technology landscape.” At tier 4, “[t]he organization adapts its cybersecurity practices based on lessons learned and predictive indicators derived from previous and current cybersecurity activities” and “[t]hrough a process of continuous improvement incorporating advanced cybersecurity technologies and practices, the organization actively adapts to a changing cybersecurity landscape and responds to evolving and sophisticated threats in a timely manner.”

The tiers are not maturity levels to be climbed for their own sake; NIST says progression to a higher tier is encouraged only where the change would reduce cybersecurity risk and be cost-effective.

Profile

In essence, the framework profile helps organizations progress from their current level of cybersecurity sophistication to a target improved state that meets the organization’s business needs. As stated by NIST, a profile is used to “identify opportunities for improving cybersecurity posture by comparing a current profile (the ‘as is’ state) with a target profile (the ‘to be’ state).” Comparison of profiles may reveal gaps to be addressed to meet cybersecurity risk management objectives. NIST states that the framework profile “can be characterized as the alignment of standards, guidelines and practices to the framework core in a particular implementation scenario.”

Framework Implementation

The framework is voluntary, at least for now. NIST has also explained that the framework “complements, and does not replace, an organization’s risk management process and cybersecurity program.” Organizations can use the framework as a reference to establish a cybersecurity program, or leverage it to “identify opportunities to strengthen and communicate its management of cybersecurity risk while aligning with industry practices.” The framework recognizes that “[o]rganizations may choose to handle risk in different ways, including mitigating the risk, transferring the risk, avoiding the risk, or accepting the risk, depending on the potential impact to the delivery of critical services.”

Importantly, the framework can be used as a means to communicate an organization’s required cybersecurity standards to business partners. As stated by NIST, “[t]he framework provides a common language to communicate requirements among interdependent stakeholders responsible for the delivery of essential critical infrastructure services,” such as the use of a target profile to “express cybersecurity risk management requirements to an external service provider (e.g., a cloud provider to which it is exporting data).” This is significant, because the cybersecurity shortcomings of cloud and other providers can have a profound impact on supply chains. As noted by NIST in the roadmap:

“All organizations are part of, and dependent upon, product and service supply chains. Supply chain risk is an essential part of the risk landscape that should be included in organizational risk management programs. Although many organizations have robust internal risk management processes, supply chain criticality and dependency analysis, collaboration, information sharing and trust mechanisms remain a challenge. Organizations can struggle to identify their risks and prioritize their actions—leaving the weakest links susceptible to penetration and disruption. Supply chain risk management, especially product and service integrity, is an emerging discipline characterized by diverse perspectives, disparate bodies of knowledge and fragmented standards and best practices.”

Incentives—and Cybersecurity Insurance

As-yet-unspecified governmental incentives will be offered to organizations that adopt the framework. The executive order directs the secretary of Homeland Security, in coordination with sector-specific agencies, to “establish a voluntary program to support the adoption of the framework by owners and operators of critical infrastructure and any other interested entities,” and to “coordinate establishment of a set of incentives designed to promote participation in the program.”

On Aug. 6, 2013, the White House previewed a list of possible incentives, with cybersecurity insurance at the top of the list. If cybersecurity insurance is adopted as an incentive, organizations that participate in the program may, for example, enjoy more streamlined underwriting and reduced cyber insurance premiums. As stated by Michael Daniel, special assistant to the president and cybersecurity coordinator, agencies have “suggested that the insurance industry be engaged when developing the standards, procedures and other measures that [make up] the framework and the program” and “[t]he goal of this collaboration would be to build underwriting practices that promote the adoption of cyber risk-reducing measures and risk-based pricing and foster a competitive cyber insurance market.” Mr. Daniel states that NIST “is taking steps to engage the insurance industry in further discussion on the framework.”

The placement of cybersecurity insurance at the top of a list of possible incentives underscores the important role that insurance can play in an organization’s overall strategy to manage and mitigate cybersecurity risk, including supply chain disruption. Adam Sedgewick, senior information technology policy advisor at NIST, stated that NIST views “the insurance industry as a major stakeholder [in] helping organizations manage their cyber risk.” All of this is consistent with the SEC’s guidance on cybersecurity disclosures under the federal securities laws, which advises that “appropriate disclosures may include” a “[d]escription of relevant insurance coverage” for cybersecurity risks.

Going Forward

The framework is a “living document,” which states that it “will continue to be updated and improved as industry provides feedback on implementation.” As the framework is put into practice, lessons learned will be integrated into future versions to ensure it is “meeting the needs of critical infrastructure owners and operators in a dynamic and challenging environment of new threats, risks and solutions.” NIST will receive and consider comments about the framework informally until it issues a formal notice of revision to version 1.0, at which point it will specify a focus for comments and specific deadlines that will allow it to develop and publish proposed revisions. In addition, NIST intends to hold at least one workshop to provide a forum for stakeholders to share experiences in using the framework, and will hold one or more workshops and focused meetings on specific areas for development, alignment and collaboration. Therefore, organizations will continue to have the opportunity to shape the final framework.

Issue 'Tickets' for Safety Violations?

Alberta may be on to something by issuing fines -- putting the blame where it belongs, whether company or worker -- before someone gets hurt.

A recent article in CompNewsNetwork describes the training of Alberta’s first occupational health and safety peace officers.

Don't get too excited. "Peace officer" is the same politically correct mumbo jumbo term some jurisdictions use for their prison guards.

These peace officers will have the ability to write tickets to employers and workers who cut corners and put people at risk. Classes of officers will continue training until all 143 OHS officers are certified to write tickets. The fines will range from $100 to $500. While employers here in the States have become accustomed to potential fines and regulatory actions for workplace safety infractions, this is different. First, a ticketing action is onsite and immediate, similar to being pulled over for driving 98 mph in a school zone. Second, and most dramatically, the worker -- the employee previously known as the innocent victim of corporate greed and arrogance -- could be the one on the receiving end.

That is huge: personal accountability in a no-fault world. Who'd ever heard of such a thing? Frankly, I have my doubts, but it will be interesting to see if this type of approach has any impact on reductions in workplace accidents.

The ticketing of employees for safety violations will strike some as a breach of exclusive remedy, the no-fault doctrine that has guided our industry for more than 100 years.

I think they may be wrong. Exclusive remedy applies strictly post-accident, once an injury has occurred. These citations, on the other hand, are clearly in the safety and prevention realm, where personal responsibility still applies. That holds, that is, as long as the method is used preventively and not as a post-injury action.

What remains to be seen is what these peace officers are willing to do. There is always a tendency to go for the “deep pocket,” and writing a $500 citation for a faceless company may be much easier than issuing it to the forklift operator with a wife, three kids and a broken-down car. And what of the post-accident investigation? Will these officers cite an employee for causing an accident? If I am a worker injured by another’s action, an action for which he receives the equivalent of a traffic citation, does that cement potential third-party liability for him?

Under our workers’ comp system in the States, this policy of writing tickets would be much less likely to see the light of day. Still, it is a concept worth watching. It is possible that Alberta is on to something here that will help avoid accidents by putting the blame where it belongs, whether company or worker, before someone gets hurt.

Yeah, that’s the ticket.

Go on Offense Using Social Media

Most companies make a common mistake: They set up accounts on popular social media sites like Facebook and Twitter -- then stop.

The plane pushed back as I settled into the sports section of my local paper. Just as I was getting comfortable, the pilot made an announcement that our flight was going to be delayed for a short time. We ended up sitting on the tarmac for two hours.

I missed my connection, and, to make matters worse, the customer service personnel at the connecting hub airport were anything but service-oriented. Frustrated beyond belief, I posted a message on Twitter, my Facebook page and on several travel sites, “ABC Airlines SUCKS!"

Much to my surprise, less than an hour later I got a reply to my rant signed by the airline's customer service department, with a link to their website. The link led me into a chat room where I described my experience. A service representative apologized and offered me an upgrade on my return flight home the next day. My frustration ebbed. I even posted another Tweet: "Thanks, ABC Airlines Customer Service!!"

The experience taught me two valuable lessons: (1) With the advent of social media, unhappy customers can do real damage to a company's reputation; and (2) companies can no longer wait for their customers to call and complain. They must engage their customers in real time.

Since that experience I've been focused on how our company can leverage social media to improve our customer service. The effort required me to better understand all that social media entails. Fortunately, we have a lot of experts: the young people who work for us. They use social media like a second language. It's incorporated into their lives.

The same approach applies to a successful social media strategy for a business. The organization must incorporate social media into its day-to-day operations. Most companies make a common mistake: They set up accounts on the popular social media tools like Facebook and Twitter but don't do much after that. In effect, social media gets treated as an afterthought.

Opportunistic social media

Many people think of social media as Facebook and Twitter, but those are just tools. I view social media as the ability to engage in social interactions online with people you know and don't know. You engage with social media through a series of websites and applications, but it's the collective reach of those conversations that makes it so powerful.

Imagine if you could "communicate" regularly with an existing policyholder. You wouldn't need to wait until some triggering event like a problem with a bill or frustration with a claim occurs. Research shows that such regular contact would increase an insurance company's retention rate.

Here's an example of opportunistic social media: When there’s a potential major weather event, use social media sites to offer tips on how to secure a home and inventory personal holdings. The information will come up on searches and drive traffic to both your social media sites and website. A company can even change its homepage temporarily and put up a splash page: If you’re in this area, click here; if not, click a different button for the homepage.

People don’t think about insurance often. That’s why opportunistic use of social media is effective. People will be more inclined to read something from an insurer when they’re concerned about their immediate safety and security.

Going on defense

Social media poses challenges and dangers for any company serving the public. Consumers now have power to wreak havoc. Anyone who feels, rightly or wrongly, abused by an insurer can use social media to post an angry screed: “ABC Insurance Co. stinks."

That can do real damage to your brand. Negative reviews get aggregated, and, if there are enough of them, they’ll show up at the top of an online search of your company.

Customers tend to post only when they’re angry with their insurer. Happy customers typically remain silent. How can you find out about problems customers are having before they are angry enough to call? Establish a team dedicated to scouring all social media for comments about your company.

If I had any doubts about the impact of social media, the view out my window provides ample evidence. Located in the middle of Silicon Valley and just a short walk to Facebook’s headquarters, I'm surrounded by start-up companies bringing new services and tools to the digital world. The social media revolution is here to stay.

Can You Trust the Aflac Duck?

Can simply purchasing disability insurance really lower the cost of workers' compensation claims? Forgive me if I'm skeptical.

I'm always a bit skeptical when companies report the results of self-serving surveys, so let's look at what Aflac -- you know, the duck-spokesman company -- said about a survey that indicated that offering disability insurance coverage to workers could drive workers' compensation claims down considerably. The survey found:

  • 42% of all companies providing voluntary accident and disability insurance report declines in their workers’ comp claims—some of as much as 50%.
  • Roughly 17% of employers offering voluntary accident insurance and 15% of those offering disability saw claims declines of 25% to 49%. The declines were most frequent for large employers, 55% of whom saw workers’ compensation claims drop. Of small- and medium-sized companies, 34% reported the same results.

Is this really true? Can simply purchasing disability insurance really lower the number of workers' compensation claims? Forgive me for immediately thinking that this sounds a bit like the marketing strategy of snake oil salesmen: “Buy one bottle of this magic elixir, and it cures everything from rheumatism to scarlet fever.”

I can think of three reasons why “purchasing disability insurance = lower workers' comp costs” may not be a valid equation.

1. Lower claims may not amount to lower costs.

In the exposure mod rating game, there is no question that lowering the number of claims can reduce the E-Mod and result in lower premiums. However, just because the claims are lower does not automatically mean that the costs are lower.

For example, if the claims reduced by the purchase of disability insurance were small medical-only claims or small lost-time claims, this would reduce the actual number of claims but may not have much of an effect on the E-Mod of a large company that also has more serious injuries. Sure, the number of claims may have gone down, but if Acme Co.’s comp costs stayed the same because of the presence of larger or more serious claims, does that really amount to a substantive benefit?

2. Disability insurance cost may exceed any savings on workers' comp.

What this survey doesn't tell us is how much companies had to spend on disability insurance coverage to realize the savings in workers' comp costs. In other words, did Acme Co. have to spend an additional $100,000 for the disability insurance coverage to save $40,000 in workers' comp costs? If so, that doesn't seem like much of a bargain -- spending $100,000 to save $40,000 (unless we use U.S. federal government math...).

The survey didn’t give us this information probably because the costs to purchase disability insurance coverage would be different for every company surveyed, as would the savings (if any) from the alleged reduction in workers' compensation claims. Nevertheless, I don’t see how we can determine the validity of the “purchasing disability insurance = lower workers comp costs” equation unless we know the ratio of dollars spent on disability insurance vs. the dollars saved in workers comp costs.

3. Why would injured workers leave money on the table?

Let’s assume that Joe Sixpack is injured on the job. If his employer, Acme Co., has both disability insurance and workers' comp coverage, Mr. Sixpack now has a choice of how he seeks payment for medical care and payment of lost wages. The implied argument from the survey is that if Mr. Sixpack has the choice between the two, he will choose disability insurance over workers' comp, thereby reducing the number of comp claims for Acme Co.

But wait…does disability insurance pay for permanent partial disability benefits? Does disability insurance pay for permanent total disability? Does disability insurance pay benefits longer than the term specified in the policy?

Obviously, the answer to these questions could vary. However, in most states, workers' compensation coverage would pay an injured worker a lot more money than the type of disability coverage referred to in the survey. I'm not attempting to argue that injured workers should choose workers' comp over disability insurance -- but I am pointing out that claimants will typically choose whichever type of benefit will pay them the most money. If that turns out to be workers' comp, then it is doubtful that claimants would be so magnanimous as to choose to file a claim through disability insurance.

Finally, the state where Mr. Sixpack lives may allow him to file a comp claim after he gets benefits through his disability insurance coverage. The presence of disability insurance wouldn’t even amount to a reduction in claims if Mr. Sixpack pursues both avenues.

Bottom line: If you are considering the purchase of disability insurance coverage because it may decrease your workers' comp costs, make sure the math works. Ducks are cute, but I don’t trust their math skills.

Pension Insurance: Just a Stairway to Heaven?

I wondered whether we all have the same requirements when we retire. Or will we eventually expect a degree of customization?

My eye was caught recently by a small classified ad in the Miami Herald for a care establishment for the elderly called The Door of Heaven. It's in Fort Lauderdale, if you don't believe me. The title is a little presumptuous and maybe assumes that everyone staying there has pre-qualified for the next (better) life. Less of a care home, more of a departure lounge, with the background music probably falling somewhere between Andy Williams and Doris Day.

That same evening, one of the major life insurers ran an ad on TV that took a rather more sophisticated (and expensive) approach. The ad talked about the company's reinvention of its pension products to meet the needs of a changing world. The ad was good brand positioning, even if it didn't tell me exactly what the company had in mind. But at least they are thinking about the issues.

I wondered whether, at the end of the day, we all have the same requirements when we retire. Or will we eventually expect a degree of customization to meet our particular expectations? The recent unforeseen decision by the UK Government to allow policyholders to withdraw their savings as a lump sum in full or part when they retire would seem to provide some new flexibility. In the UK, at least, policyholders can now choose to spend their pension savings on a new sports car, a cruise or even a Gibson Les Paul guitar while they are young enough to enjoy it, rather than save it up for future needs. Sounds like it's worth thinking about, at least.

Ultimately, there are probably limits to the degree of pension options available to us, if not as individuals, then as market segments. Perhaps those customer segments will be based on decade of birth. It seems to me that those born in the era of "flower power" who save their money for future care might have different expectations than do hellraisers of the Led Zeppelin era. Happiness for retired hippies may involve having flowers in now-greying hair. Fans of Zeppelin may demand that their carers provide them with denim-covered Zimmer frames. Dylan fans in their twilight moments, as they pass on to the next world, will expect to be serenaded by "Knocking on Heaven's Door." And for those whose faculties aren't what they used to be, perhaps a touch of the Stones' "I Can't Get No Satisfaction"...

Personally I'm more of a Who man. When Roger Daltrey sang "I hope I die before I get old" in 1965, I don't suppose he was thinking about the complications of pension schemes. I'm not a fan of old age, but, as they say, it's better than the alternative.

Tony Boobier

Tony Boobier is a former worldwide insurance executive at IBM focusing on analytics and is now operating as an independent writer and consultant. He entered the insurance industry 30 years ago. After working for carriers and intermediaries in customer-facing operational roles, he crossed over to the world of technology in 2006.

Suicide Prevention: Talk About It at Work

Suicide prevention IS a workplace issue, and leaders can create an environment where individuals are more likely to reach out for the help they need.

Suicide is a serious public health problem -- but it is preventable. Suicide has a dramatic impact on the workplace in both human and financial terms. According to the Centers for Disease Control and Prevention, suicide was the 10th-leading cause of death in the U.S. in 2010. There were 38,364 suicides -- an average of 105 each day. In addition to the loss of life and suffering of surviving family members, colleagues and friends, the suicides resulted in an estimated $34.6 billion in combined medical and work loss costs. In addition, for every one suicide, there are 25 attempted suicides. An estimated 8.3 million adults (3.7% of the adult U.S. population) reported having suicidal thoughts in the past year.

We want business leaders to understand that suicide prevention IS a workplace issue, and that they can create an environment where individuals are more likely to reach out for the help they need. You likely already have employee benefits, such as an employee assistance program (EAP), in place that offer valuable resources for employees and family members in need. Unfortunately, most people who attempt suicide do not reach out to the resources that are available to them. Simply talking can save lives.

(Let's dispel the myth right here: talking about it does not trigger suicidal thoughts or attempts. When the subject of suicide is treated responsibly in a non-sensational manner, discussion can generate increased awareness and understanding, thereby increasing the chance that the person suffering from suicidal thoughts will seek and receive support and help.) When barriers come down and people seek help for mental illness, as many as 90% can significantly reduce their symptoms and improve their quality of life.

So, specifically, what can you do? You can begin with a campaign to de-stigmatize mental health issues and to encourage people to seek help. Create a supportive environment where corporate leadership shows that they value physical and emotional health. Convey key messages such as, "It's a sign of strength to ask for help," and encourage employees to take talk of suicide seriously, whether in a family member, friend or co-worker.

Many employers are beginning to create greater dialogue on this topic. The National Action Alliance for Suicide Prevention is the public-private partnership advancing the National Strategy for Suicide Prevention. The Workplace Task Force of this group, in particular, has developed several public service announcements targeted at employers and organizational leaders. The group has also developed tools to support the workplace in addressing suicide prevention. For more information, including a comprehensive blueprint for a workplace suicide prevention program, visit the National Alliance for Suicide Prevention, Workplace Task Force. For information on an anti-stigma campaign, visit stampoutstigma.com.

Rich Paul

As senior vice president and customer and product strategy officer, Paul is responsible for organizing, directing and executing ValueOptions’ product development and market growth strategies supporting sales, new market entry and development, client retention and product innovation and enhancements that support enterprise performance.

The Science (and Art) of Data, Part 1

In essence, business intelligence needs to transcend data, structure and process and be not just a precise science but also a well-integrated art.

Most insurers are inundated with data and have difficulty figuring out what to do with all of it. The key is not just having more data, more number-crunching analysts and more theoretical models, but instead identifying the right data. The best way to do this is via business-savvy analysts who can ask the right strategic questions and develop smart models that combine insights from raw data, behavioral science and unstructured data (from the web, emails, call center recordings, video footage, social media sites, economic reports and so on). In essence, business intelligence needs to transcend data, structure and process and be not just a precise science but also a well-integrated art.

The practitioners of this art are an emerging (and rare) breed: data scientists. A data scientist has extensive and well-integrated insights into human behavior, finance, economics, technology and, of course, sophisticated analytics. As if finding this combination of skills wasn’t difficult enough, a data scientist also needs to have strong communication skills. First and foremost, he must ask the right questions of people and about things to extract the insights that provide leads for where to dig, and then present the resulting insights in a manner that makes sense to a variety of key business audiences. Accordingly, if an organization can find a good data scientist, then it can gain insights that positively shape its strategy and tactics – and gain them more quickly than less-well-prepared competitors.

What it takes to be an effective data scientist

The following table highlights the five key competencies and related skills of a qualified data scientist. The original table has three columns (Competencies, Key Skills and Business Impact); for each competency below, the key skills are listed first, followed by the business impact.

1. Business or Domain Expertise

Key skills (deep understanding of):

  • Industry domain, including macro-economic effects and cycles, and key drivers;
  • All aspects of the business (marketing, sales, distribution, operations, pricing, products, finance, risk, etc.).

Business impact:

  • Help determine which questions need answering to make the most appropriate decisions;
  • Effectively articulate insights to help business leadership answer relevant questions in a timely manner.

2. Statistics

Key skills:

  • Expertise in statistical techniques (e.g., regression analysis, cluster analysis and optimization) and the tools and languages used to run the analysis (e.g., SAS or R);
  • Identification and application of relevant statistical techniques for addressing different problems;
  • Mathematical and strategic interpretation of results.

Business impact:

  • Generate insights in such a way that the businesses can clearly understand the quantifiable value;
  • Enable the business to make clear trade-offs between and among choices, with a reasonable view into the most likely outcomes of each.

3. Programming

Key skills:

  • Background in computer science and comfortable programming in a variety of languages, including Java, Python, C++ or C#;
  • Ability to determine the appropriate software packages or modules to run, and how easily they can be modified.

Business impact:

  • Build a forward-looking perspective on trends, using constantly evolving new computational techniques to solve increasingly complex business problems (e.g., machine learning, natural language processing, graph/social network analysis, neural nets and simulation modelling);
  • Ability to discern what can be built, bought or obtained free from open source and determine the business implications of each.

4. Database Technology Expertise

Key skills (thorough understanding of):

  • External and internal data sources;
  • Data gathering, storing and retrieval methods (Extract-Transform-Load);
  • Accessing data from external sources (through screen scraping and data transfer protocols);
  • Manipulating large big-data stores (like Hadoop, Hive, Mahout and a wide range of emerging big-data technologies).

Business impact:

  • Combine the disparate data sources to generate unique market, industry and customer insights;
  • Understand emerging latent customer needs and provide inputs for high-impact offerings and services;
  • Develop insightful, meaningful connections with customers based on a deep understanding of their needs and wants.

5. Visualization and Communications Expertise

Key skills (comfort with visual art and design to):

  • Turn statistical and computational analysis into user-friendly graphs, charts and animation;
  • Create insightful data visualizations (e.g., motion charts, word maps) that highlight trends that may otherwise go unnoticed;
  • Use visual media to deliver key messages (e.g., reports, screens ranging from mobile screens to laptop/desktop screens to HD large visualization walls, interactive programs and, perhaps soon, augmented reality glasses).

Business impact:

  • Enable those who aren't professional data analysts to effectively interpret data;
  • Engage with senior management by speaking their language and translating data-driven insights into decisions and actions;
  • Develop powerful, convincing messages for key stakeholders that positively influence their course of action.

While it may seem unrealistic to find a single individual with all the skills we've listed, there are some data scientists who do, in fact, fit the profile. They may not be equally skilled in all areas but often have the ability to round out their skills over time. They typically tend to be in high-tech sectors, where they have had the opportunities to develop these abilities as a matter of necessity.

However, because of the increasing demand for data scientists and their scarcity, insurers (and companies in other industries) should consider if they want to build, rent or buy them. Although buying or renting capabilities can be viable options – and do offer the promise of immediate benefits – we believe that building a data science function is the best long-term approach. Moreover, and as we will address in our next post, in light of the shortage of data scientists, a viable approach is creating a data science office of individuals who collectively possess the core competencies of the ideal data scientist.


Anand Rao

Anand Rao is a principal in PwC’s advisory practice. He leads the insurance analytics practice, is the innovation lead for the U.S. firm’s analytics group and is the co-lead for the Global Project Blue, Future of Insurance research. Before joining PwC, Rao was with Mitchell Madison Group in London.

5 Rules for Hiring Quality Producers

Many agency owners are not good producers, and poor producers typically don't like to hire good ones. Good producers are intimidating, even grating.

A simple and obvious solution to many, likely most, agencies’ growth issues is to hire a quality producer. As proven by the 70%-80% failure rate for such hires, the solution is much easier said than done. However, hiring quality producers is not as hard as it often seems, if agencies follow some rules. (By the way, these rules are based on my clients’ actual, repeatable successes. These rules are not based on theory.)

-- Identify the deadwood.

Quality producers do not want to work with a bunch of retired-in-place producers and owners clipping coupons. Just think about it from their perspective. Can you see a really good producer saying, “I can’t wait to get to work to sell lots of insurance while all my coworkers sit around not making any sales! What an invigorating place! I just love making everyone else rich!”?

Good producers want to work in agencies where everyone is pulling his weight, where other producers are good and generate competition. Good producers want to work in an agency that is growing. Agencies supporting deadwood don’t grow.

-- Eliminate that deadwood and start creating a real sales culture.

Firing deadwood or invigorating them is even more difficult for most agency owners than hiring quality producers. But the agency owner must.

For what it's worth, I have never seen a producer fired who did not benefit. To the best of my knowledge, they all found a better job that fit their personalities, reducing stress and increasing happiness. I have even seen many return to the agency and thank the owner for firing them because they knew they needed to leave but did not have the inner strength to do so.

If an agency owner cannot fire deadwood, she cannot build a true sales culture. Building a sales culture with deadwood producers is like attempting to build a house with twigs as the foundation.

A real sales culture is based on accountability. The producers not only have to make sales but, more importantly, are held accountable for all the activities that eventually lead to sales. A sales culture is built and managed daily rather than just measured once a month or, more honestly, as usually happens, annually. Try it! You’ll like it!

Once you've completed the first two steps -- identifying and eliminating the deadwood and establishing a culture of accountability -- you can begin the search. Don't begin the search first.

-- Test.

The best test for producers is the SPQ Gold test from Behavioral Sciences. It is good on many levels, but what has been interesting to me is the apprehension that flashes across the face of so many agency owners when I describe the test. They know they would fail. They are then caught in an important emotional bind. They have to hire someone who is better than they are at selling.

One of the secrets to why producers fail 70% to 80% of the time is that a large proportion of agency owners are not good producers, and if someone is not a good producer he typically doesn't like to hire good producers. Good producers are intimidating and ego-busting. Good producers can even be grating.

My clients who climb this emotional mountain successfully always do so using the same technique. They separate their emotions from what is best for the agency. Again, easier said than done and likely impossible to do on one’s own. A support system is likely required. Asking for help is actually key to successfully hiring producers. Asking for help is a sign of strength, not a weakness.

-- Don't have owners involved in ANY initial interviews.

When agencies advertise for producers, they try to list all the desired qualities. However, I have never seen an advertisement list the most important quality to owners: that the producer is a good guy (whether male or female).

The search for that quality is a huge reason so many owners fail to find a good producer. Do you want a producer who is a good guy and can’t sell or a producer who may or may not be a good guy but can sell?

Owners have a tendency to fall in love with every producer they interview, so they need to stay out of the process at the start. Let just about anyone else do the initial interviews.

-- Develop and manage.

If you just follow the first four steps, your odds of successfully hiring a quality producer will increase dramatically. But if you really want to maximize your prospects, you must create clear producer-development and -management plans. These are two different plans. Considerable detail is required. If you’ve never done this previously, these plans are nearly impossible to create on your own. Hire specialists.

These are not easy steps. Frankly, most agency owners are not emotionally capable of taking these steps, and many are not emotionally capable of delegating these steps, either.

Having to delegate to people who are better-equipped to hire successfully is often the most painful part of the solution. Delegation feels like abdication of personal responsibilities. Yet delegation is leadership. Being a leader -- and a leader is the decision maker who does what is right for the agency rather than making the emotionally easy choice for the owner -- is what really makes the difference in finding and hiring quality producers.

NOTE: None of the materials in this article should be construed as offering legal advice, and the specific advice of legal counsel is recommended before acting on any matter discussed in this article. Regulated individuals/entities should also ensure that they comply with all applicable laws, rules and regulations.