COVID Is a Cyber Attack Enabler. How to Shut the Door on the Risk

The move of millions of workers to home offices provided flexibility during the pandemic, but it has also amplified cyber risk.

By: Elisa Ludwig | October 13, 2020

Amid the COVID-19 outbreak, many companies have transitioned to an at-home workforce. While remote work itself is not new, the sheer volume of companies deploying technology to stay productive and connected is greater than ever before, potentially proliferating cyber security risk.

“Over the last several years, we’ve seen more businesses with the capacity for remote work, but the pandemic has obviously accelerated this,” said Robert Pizarro, vice president of commercial specialty at AmTrust Financial Services, Inc.

“With that, the need to share and exchange data between coworkers and vendors has never been greater. And that can create more opportunities for data compromise.”

Same Threats, New Risks

Most experts agree that the essential tenets of cyber security that existed before the pandemic hit remain unchanged. Threats such as ransomware and phishing, spoofing and social engineering schemes continue unabated. What has changed are the conditions of the workplace which now technologically, psychologically and physically render companies more vulnerable to attack.
For many companies, this is simply a new mode of operation, and with that comes more challenges, said Jacob Ingerslev, head of cyber risk at The Hartford.

“Businesses that had employees working remotely and a high degree of cloud adoption are not likely to have experienced much impact from the changes brought about by COVID, while those with a more traditional, office-based workforce and technology infrastructure might have been affected in a more serious way,” Ingerslev said.

As the working world has reinvented itself to respond to the pandemic, threat actors have evolved, too, seizing on public concerns about health and financial stability and turning them into keywords. As of August 2020, the Federal Trade Commission reported 175,000 coronavirus related incidents, with voice call phishing attacks on the rise.

Jason Glasgow, cyber lead, E&O division, Allied World.

“The pandemic hasn’t necessarily created new concerns, but it has exacerbated existing issues,” said Jason Glasgow, cyber lead, E&O division at Allied World.

“We’ve seen COVID-19-specific phishing attacks preying on people’s fears and these have been far more successful than other attacks. We’ve also seen an increase in ransomware frequency and severity.”

The work-from-home scenario is ripe for social engineering targets, not just because of a heightened common need for information, but also because employees tend to be more distracted with children, partners and other family and pets around. The change of setting and added stressors can turn even seasoned end users into easy targets for manipulation.

“It’s likely that distractions such as having to manage the challenges of working and parenting at the same time as well as the impact on mental health from the lockdown and the gravity of the COVID situation as a whole may lead employees to make mistakes they wouldn’t otherwise make,” said Ingerslev.

It’s not just that workers are newly remote, but also that new classes of data are being shared over potentially less secure networks, said Michael Convertino, CSO of Arceo.

“When everyone moves to mobile work that exposes new data to the same vulnerabilities. Companies are in a mad scramble to upgrade their systems and better secure them as CISOs recognize the weaknesses on home networks. For example, you may be using a company device on a network with a PC and a gaming system that can easily be hacked, allowing an adversary to hitch a ride into the corporate network.”

Hacking may not even be necessary if employees inadvertently expose sensitive data, by using consumer cloud storage like Dropbox or One Drive to share or save it with other employees.

“Often these accounts can be made public to anyone who has a link and that might include personally identifiable information or proprietary corporate information,” Pizarro said.

“And in a case like that it can be difficult to see who had access, which makes forensics more difficult should an incident occur.”

Asking the Right Questions

“By and large, the process of underwriting itself remains the same, even when conducted remotely,” said John Coletti, chief underwriting officer at AXA XL, but he has observed subtle differences in the past year.

“We miss meeting with our clients and brokers face-to-face. Human interaction provides intangibles such as body language that help us corroborate or question the underwriting information. Relationships are still extremely important,” Coletti said.

The specific questions insurers are asking focus on how insureds have addressed needed changes in cyber security infrastructure: how companies are safeguarding data assets remotely, how they are keeping the network up and running, and how they are ensuring business continuity.

“One of the questions insurers always ask in the underwriting process is whether there have been any changes to operations in the past year, and that goes without saying in the case of COVID-19,” said Elissa Doroff, managing director and cyber technical leader for NFP’s management and professional lines.

Exactly how workers log on to the company network is an important line of questioning. Many larger companies issue official laptops and devices, but smaller companies may not, and employees’ own devices must be properly secured. Depending on how computer systems are defined by a policy, BYOD (bring your own devices) may not be covered by cyber insurance. Are home wi-fi networks secured or are they using a VPN to log on?

“How are they logging on to the company servers? If they are doing it without VPN access, that adds another layer to the underwriting review,” Pizarro said.

Another concern might be the ability for networks to manage the increased load of a remote workforce including the added reliance on video meetings.

“In widespread work from home situations, security around access points and potential ransomware attacks are critical but organizations should monitor and ensure there is sufficient network capacity,” said Thomas Kang, head of cyber in North America at Allianz Global Corporate & Specialty.

“If everyone is online and highly dependent on the internet for their work, it can have a significant impact on business income loss when there is an outage. There are also bandwidth challenges when a high number of employees are video conferencing and companies should ensure that they do not compromise availability.”

In addition to hardware, software and network readiness, insureds will have to address legal and regulatory obligations in this new environment.

“There are key issues to keep in mind including what data their employees have access to and what industry they’re in,” Glasgow said.

“If they work in a law firm or in health care, they can’t access that data on a personal device, and it can’t be shown to or seen by family members, even if working from home.”

Responding to an Incident Remotely

When faced with a data breach or data loss incident, timing is always of the essence, yet employees who used to be in the office are now scattered geographically and potentially working at uncoordinated hours.

It’s paramount to have an incident response plan (IRP) that accounts for these new circumstances, including changed contact information for offsite employees or employees out sick and/or taking care of family members.

Insureds should also perform remote tabletop exercises to confirm that their IRPs are up to date and function as needed, and that the IRPs are themselves accessible at all times.

“What happens if the network goes down—you won’t be able to get on the company Zoom in that situation, so you should be able to contact everyone by phone,” Glasgow said.

“In widespread work from home situations, security around access points and potential ransomware attacks are critical but organizations should monitor and ensure there is sufficient network capacity.” —Thomas Kang, head of cyber in North America, Allianz Global Corporate & Specialty

“It can be more difficult to train on an incident response plan remotely, but these plans have always been critical in minimizing costs and business disruption, especially given the more complicated ransomware attacks we’ve been seeing lately.”

The good news is that much of the response work by vendors such as forensics services often happens remotely under normal circumstances. Still, Kang said, a decentralized workforce can complicate incident response if the team is unprepared to manage an event from a distance or able to ensure that appropriate personnel have on-site availability.

“We have seen some challenges when important IT or information security personnel are offsite and can’t get access to onsite capabilities, particularly given the tight timeframes required by many regulations and to ensure proper containment.”

Emerging Concerns

Even as insurers and insureds play the indemnity version of whack-a-mole to address the cyber security risks that have already been identified, new issues are coming to the fore.

One concern is how budget cuts from the pandemic and its financial aftermath might impact cyber security resources or even the amount of cyber security coverage companies are willing to pay for. But insurance should only be part of a comprehensive approach.

“It was important to know whether there were changes in the information security budget before all of this happened, but now we really need to know how dedicated companies are to cyber security from a holistic perspective,” Doroff said.

“It’s not just a matter of tacking on cyber insurance. If they’re laying off employees who are critical to the security function, it will have an impact on protection, on recovering from an incident, on business continuity.”

Insurers should be communicating about the current landscape of risk and why cyber security insurance remains essential. Insureds, for their part, should be aware of their policies and what is and isn’t covered.

Another issue looks ahead to when offices eventually reopen—how companies will collect health data and track it to protect their workforce. What are the legal and regulatory ramifications of keeping staff safe from outbreaks?

“Taking temperatures, collecting that data and performing contact tracing will raise many other concerns about privacy,” Glasgow said. “That’s something we are keeping an eye on.” &

Elisa Ludwig is a contract writer based outside Philadelphia. She has written extensively about cybersecurity issues for the Junto blog on the eRiskHub. She can be reached at [email protected].

A Dangerous Job

Dr. Latha Brubaker, Senior Vice President Medical Operations at Concentra

To understand the physical and mental health threats firefighters face, it’s important to examine how firefighting exposes them to a number of different risks. Their job is physically taxing. They must wear heavy gear to protect them from high-temperature exposure while rescuing people and pets. They have to climb ladders and stairs during rescue operations. Although wearing masks to limit these exposures, firefighters can inhale smoke and be exposed to harmful chemicals and environmental toxins, increasing their risk of certain cancers.

“Firefighters have to climb ladders and stairs, all the while hauling very heavy and unruly fire hoses and wearing very heavy equipment and PPE,” Brubaker said.

While completing these physically demanding tasks, firefighters can inhale smoke and other environmental toxins, increasing their risks of certain cancers. A study of 30,000 firefighters spanning from 1950 to 2009 found that firefighters were 9% more likely to be diagnosed with cancer and 14% more likely to die from the disease than the general population.

Outside of the physically taxing elements, firefighters often work in distressing circumstances. There may be thoughts of the personal risks taken to save others. They witness significant injuries and loss of life.

All of these situations have the potential to be emotionally distressing for firefighters. That’s why a number of states — including California, Tennessee, Florida and Georgia — have passed or are considering passing laws that include PTSD benefits under workers’ comp coverage for firefighters.

“We’ve really doubled down on our commitment to behavioral health, and we’ve gone so far as to partner with some third-party resources that have expanded our ability to provide behavioral health support,” said Chris Studebaker, senior director of onsite preventive services at Concentra.

Protecting Firefighter Health

Chris Studebaker, Senior Director of Onsite Preventive Services at Concentra

Unlike in other professions, it’s hard to reduce the number of physical and environmental hazards a firefighter faces on the job. Yes, PPE can go a long way in protecting firefighters from burns and other injuries, but the physical demands are also extreme. Firefighters are wrangling heavy fire hoses to stop the damage. In addition, they are often lifting people and maneuvering in confined or challenging spaces.

In order to make sure firefighters are up to the task, many departments conduct annual physical health assessments so that they can be certain their firefighters are physically and mentally prepared for the job. Medical personnel follow the guidelines provided by the National Fire Protection Association (NFPA) Standard 1582 on Comprehensive Occupational Medicine Programs for Fire Departments which helps them determine if there is a condition present that may prevent a firefighter from performing their essential job functions.

The Joint Labor Management Wellness-Fitness Initiative, comprised of two major fire service organizations, worked to develop a comprehensive wellness-fitness program. Based on this initiative, NFPA developed standards regulating these programs. This resulted in the suggestion of adding cancer screening, fitness assessments, and behavioral health screening to the periodic health assessments of firefighters.

“Some fire departments are now asking us to perform cancer screening,” Brubaker said. “Cancer screening recommendations are made by the US Preventive Services Task Force, for example, and are based on a systematic review of scientific evidence published in peer-reviewed journals. When determining the appropriate screening tests, it is important to review the USPSTF recommendations with the understanding of the potential additional risks amongst firefighters for certain cancers.

Sleep health is another area of issue in the fire service due to the 24 or 48-hour shift schedule and the mental strain and stress of the job.

Beyond screenings, firehouses can opt to partner with providers of on-site health services, including physical therapists who can work collaboratively with employers to develop and implement injury-prevention programs. Known as “tactical athlete programs” because their rigor is like that of the training a pro athlete would undergo, these solutions can help catch injuries before they become severe and help keep firefighters’ bodies functioning optimally to enable them to perform their job.

Wearable technologies, too, are likely to play a role in keeping firefighters safe in the future: “We’re seeing the use of wearable tech sensors that look at environmental exposures and heat. And now the technologies can even track their sleep health” Studebaker said. “I think the future of wearable tech is going to shift away from discrete individual devices and more towards garment-based sensors.”

A Trusted Partner for Firefighter Physicals

The physical rigor required to fight fires combined with the emotional stressors present in the job mean that employers need to put extra care into guarding firefighters’ health and safety. Firefighters should undergo regular physical exams, and Concentra is just the partner they need to conduct these physicals.

Concentra clinicians perform examinations, imaging, and lab tests that meet the National Fire Protection Association standards.

Firefighters who undergo these examinations will complete a physical fitness test that assesses their lifting, pushing, pulling, carrying, climbing and other abilities. These kinds of assessments can guard against musculoskeletal injuries common in the industry.

Should an injury occur, the clinician utilizes a conservative treatment approach, with an emphasis on active rehabilitation. Since firefighters are in safety sensitive positions, opioids are usually avoided.

“Musculoskeletal injuries can be managed without the use of opioids,” Brubaker said. “Our approach is a conservative one with the use of physical therapy, when appropriate, and anti-inflammatory medication, if needed. We try to avoid prescribing opioids. Opioids are typically unnecessary.”

A Concentra clinician will perform lab tests including a complete blood count, comprehensive metabolic panel, lipid panel, and urinalysis as well as TB tests. They will do alcohol and drug tests. They will perform audiograms, pulmonary function tests, chest X-rays and EKGs. They will complete a cardiovascular risk assessment and depending on age and the level of risks, a stress test will be performed either at the onsite clinic or a cardiology office.

“It’s important for us to make sure in the first place that they’re healthy from a cardiovascular perspective, that they’re healthy from a respiratory perspective,” Studebaker said.

Behavioral health screening and cancer screening can be performed at Concentra Onsite Health clinics. Clinicians can conduct screenings for six cancers firefighters are at elevated risk for: colorectal, prostate, skin, blood, thyroid and bladder.

Concentra Onsite Health clinicians assess firefighters’ health holistically — something that is essential for a job that is both physically and emotionally taxing. By providing whole-person care, Concentra Onsite Health aims to guard firefighters’ health so that they can come home to their families after a day of protecting others.

“Most firefighters are very passionate about the work they do. They are vital members of their community and take risks every day to keep these communities safe. The work of a firefighter can have an adverse impact on their long-term health and well-being. It is equally vital that we take care of our firefighters and do what we can to improve their overall health.”

To learn more, visit: https://www.concentra.com/

This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with Concentra. The editorial staff of Risk & Insurance had no role in its preparation.

Concentra® is America’s leading provider of occupational medicine, delivering work-related injury care, physical therapy, and workforce health services from nearly 520 Concentra medical centers and more than 150 onsite clinics at employer locations nationwide.