As COVID-19 continues to spread across the U.S., organizations and businesses are taking seriously their responsibility to facilitate social distancing as we attempt to slow the spread of the virus. While there are many benefits to working remotely in the current situation, remote work can place greater strain on IT systems and increase cyber risks. Both employers and employees need to take action to protect themselves and business continuity. Remote work isn’t a new concept and is considered the norm within many organizations. However, some businesses have never needed or utilized large-scale work-at-home plans prior to the current pandemic, and may not be aware of their cyber vulnerabilities.
REMOTE WORK BRINGS INCREASED CYBER RISK – CYBER COVERAGE MAY APPLY
When possible, companies should aim to assign remote access before an office closure because it’s more difficult to provide Multi-Factor Authentication (MFA) and install needed technology for off-site employees without physical access to the office (source). It’s also important that businesses new to the work-at-home arena reach out to their IT providers to determine if networks can handle increased traffic from additional remote users. It’s likely that many current networks are not equipped to handle the increased traffic, risking serious operational disruption. Partial or total system outages can result in substantial lost revenue during a time when companies need all potential income just to maintain business continuity. In our interconnected economy, it’s also not unusual for businesses to rely on external systems and networks to operate. Companies should be aware that if those systems fail, outside vendors often have limited contractual liability to pay for outages. CRC has access to markets offering cyber coverage for lost revenue due to partial or total network system failure (doesn’t have to be the result of a cyberattack), employees utilization of personal devices for business purposes, or contingent business interruption coverage should a business be impacted by failure of a third-party system such as a Cloud network. Should a loss occur, these markets are also often able to provide coverage for forensics expertise to calculate and help remediate business loss, enabling insureds to stay focused on maintaining operations.
As millions of people begin working remotely, network security is also more at risk than ever. Cyber attackers are experts at leveraging the intense focus on the virus as well as the panic and distraction it creates. Security researchers are already discovering phishing emails referring to COVID-19. Research indicates that social engineering attacks, such as email phishing or fraudulent phone calls, play a role in 70% - 90% of all successful data breaches (source). Research outside the pandemic period indicates that employees receive 4-5 phishing emails a week. Thirty percent of fishing emails make it past default security measures, making disruptions including decreased productivity, loss of propriety data, and damage to reputation a likely threat (source). Cyber extortion is another risk faced by a variety of businesses, including e-commerce companies that generate sales through the web as well as any businesses that utilizes digital tools such as online customer management software. Businesses unable to access sales websites, customer databases, or CRM tools can suffer major financial losses due to lack of data access (source). While it’s easy to think of cyber extortion only as a thrilling TV drama plotline, the threat is real, and there are cyber liability policies available to provide financial support for cyber extortion attack remediation and ransom demands (source).
BEST PRACTICES FOR TRANSITIONING TO A REMOTE WORKFORCE
There are several ways that companies can minimize cyber risks during this period of increased remote access. Companies with the capacity to support remote work arrangements should review IT security policies to confirm if there are remote system access guidelines in place. Some organizations may already have policies specifically designed to address remote work, while others may make provision for remote work as part of disaster recovery contingency plans. If no work-at-home plans or policies are in place, establish some basic guidelines around remote access to business information systems. It’s essential that the entire organization is aligned with remote work protocols. Because many employees don’t work in IT security, and many have not worked remotely before, providing guidance to all employees is critical (source).
Cyber criminals love to take advantage of a large-scale crisis because it exposes operational vulnerabilities. Businesses can protect themselves from cyber-attacks by verifying that they’re utilizing the most current version of their remote access solution and taking the following precautions (source):
1. Enable Multi-Factor Authentication (MFA) – This is important for all remote access users, including webmail users. Verifying access via email or text message confirmation or implementing biometric verification like fingerprint or facial scans, adds an important extra layer of protection to accounts, stopping cyber attackers (source).
2. Avoid Remote Desktop Protocol (RDP) – While everyone is trying to move as quickly as possible to maintain operational continuity, refrain from quick-fix, highly-vulnerable remote solutions such as RDP. Externally facing RDPs on your network are routinely scanned by attackers looking for easy ransomware targets.
3. Maintain an “Out of Band” Contact Method – Companies should maintain a means of external contact such as cell phones to contact employees outside of company systems. In the event of a cyberattack (i.e. ransom, malware, DDoS, etc.) email or other online communication systems may be compromised, so employers need a back-up option to communicate safely with all employees (source).
4. Provide Data Backup Options – Lost data can significantly contribute to business interruption. Data loss occurs in a variety of ways, including human error, physical hardware damage, or through cyber-attacks. It’s possible for malware to wipe entire systems before anyone can stop it. Confirm with IT security that data backup protocols are in place. While hardware backups are an option, one of the most convenient and cost-effective ways to store data is via Cloud-based storage solutions (source).
5. Carefully Review Wire Transfers – Thoroughly review and monitor all wire transfer requests, enforcing dual- authorization, callback procedures, and confirmation of transfer requests via phone as members of the finance department may be more susceptible to email attacks from attackers impersonating senior staff when finance departments aren’t able to confirm transfers in person.
Employees that are working remotely can also help safeguard business operations by taking the following steps:
1. Use Anti-Virus Protection & Secure Internet – Make sure all devices - including internet routers - are up to date with anti-virus protection and that you’re using only secure and known internet connections. Avoid using Bluetooth or public, unsecured Wi-Fi as these are easily hacked (source).
2. Report Lost or Stolen Devices – Remote work increases the chance that a company device could be lost or stolen. Employees should report any loss or theft immediately to IT security personnel in order to minimize the risk of fraud or other damage (source).
3. Watch for Phishing Emails – Employees should be on guard against phishing emails designed to entice viewers to click on offers related to coronavirus protections, or that claim to have urgent instructions from an off-site supervisor. Clicking on an unknown email link can unintentionally download malware to both the device and company’s systems. If an employee is unsure of the validity of an internal company email, he or she shouldn’t hesitate to contact the sender. Double checking is absolutely appropriate in order to protect business assets and information (source).
The current COVID-19 pandemic has changed how businesses interact, and the new reality for many organizations includes a remote workforce and greater cyber risks. Companies should be reinforcing basic cyber risk mitigation tools and practices to meet increased cyber risks head-on during this unprecedented situation and use remote working environments to their advantage. On average, a cyberattack costs a small business more than $50K, and can cost larger enterprises millions of dollars (source). As the pandemic continues to unfold, businesses can protect themselves by implementing thorough IT risk management plans that limit cyber exposure. A strong cyber insurance policy is yet another vital tool in protecting against the increased risk of disruption, enabling businesses to recover from business interruption. When creating submissions for cyber coverage, it’s important that agents and clients demonstrate that there are business continuity plans in place to maintain operations should a system fail, reducing the likelihood that a short outage becomes a major problem that impacts an organization’s bottom line.
Partnering with knowledgeable insurance professionals with broad market access is key for agents and customers as they evaluate ongoing cyber coverage needs and potential claims. Agents with any questions should contact their CRC Group producer to discuss how we can help businesses prepare and protect against the effects of business interruption due to direct or contingent system failure.
- Sebastian Swain is a Director with CRC’s ExecPro Practice Group, responsible for placing and managing Management Liability, including Cyber for a wide variety of industry classes.
- ExecPro Practice Group Cyber Specialty Team