COVID Is a Cyber Attack Enabler. How to Shut the Door on the Risk
Amid the COVID-19 outbreak, many companies have transitioned to an at-home workforce. While remote work itself is not new, the sheer volume of companies deploying technology to stay productive and connected is greater than ever before, potentially proliferating cyber security risk.
“Over the last several years, we’ve seen more businesses with the capacity for remote work, but the pandemic has obviously accelerated this,” said Robert Pizarro, vice president of commercial specialty at AmTrust Financial Services, Inc.
“With that, the need to share and exchange data between coworkers and vendors has never been greater. And that can create more opportunities for data compromise.”
Same Threats, New Risks
Most experts agree that the essential tenets of cyber security that existed before the pandemic hit remain unchanged. Threats such as ransomware, phishing, spoofing and social engineering schemes continue unabated. What has changed are the conditions of the workplace, which now technologically, psychologically and physically render companies more vulnerable to attack.
For many companies, this is simply a new mode of operation, and with that comes more challenges, said Jacob Ingerslev, head of cyber risk at The Hartford.
“Businesses that had employees working remotely and a high degree of cloud adoption are not likely to have experienced much impact from the changes brought about by COVID, while those with a more traditional, office-based workforce and technology infrastructure might have been affected in a more serious way,” Ingerslev said.
As the working world has reinvented itself to respond to the pandemic, threat actors have evolved, too, seizing on public concerns about health and financial stability and turning them into keywords. As of August 2020, the Federal Trade Commission reported 175,000 coronavirus-related incidents, with voice call phishing attacks on the rise.
“The pandemic hasn’t necessarily created new concerns, but it has exacerbated existing issues,” said Jason Glasgow, cyber lead, E&O division at Allied World.
“We’ve seen COVID-19-specific phishing attacks preying on people’s fears and these have been far more successful than other attacks. We’ve also seen an increase in ransomware frequency and severity.”
The work-from-home scenario is ripe for social engineering, not just because of a heightened common need for information, but also because employees tend to be more distracted with children, partners, other family members and pets around. The change of setting and added stressors can turn even seasoned end users into easy targets for manipulation.
“It’s likely that distractions such as having to manage the challenges of working and parenting at the same time as well as the impact on mental health from the lockdown and the gravity of the COVID situation as a whole may lead employees to make mistakes they wouldn’t otherwise make,” said Ingerslev.
It’s not just that workers are newly remote, but also that new classes of data are being shared over potentially less secure networks, said Michael Convertino, CSO of Arceo.
“When everyone moves to mobile work that exposes new data to the same vulnerabilities. Companies are in a mad scramble to upgrade their systems and better secure them as CISOs recognize the weaknesses on home networks. For example, you may be using a company device on a network with a PC and a gaming system that can easily be hacked, allowing an adversary to hitch a ride into the corporate network.”
Hacking may not even be necessary if employees inadvertently expose sensitive data by using consumer cloud storage like Dropbox or OneDrive to save it or share it with other employees.
“Often these accounts can be made public to anyone who has a link and that might include personally identifiable information or proprietary corporate information,” Pizarro said.
“And in a case like that it can be difficult to see who had access, which makes forensics more difficult should an incident occur.”
Asking the Right Questions
“By and large, the process of underwriting itself remains the same, even when conducted remotely,” said John Coletti, chief underwriting officer at AXA XL, but he has observed subtle differences in the past year.
“We miss meeting with our clients and brokers face-to-face. Human interaction provides intangibles such as body language that help us corroborate or question the underwriting information. Relationships are still extremely important,” Coletti said.
The specific questions insurers are asking focus on how insureds have addressed needed changes in cyber security infrastructure: how companies are safeguarding data assets remotely, how they are keeping the network up and running, and how they are ensuring business continuity.
“One of the questions insurers always ask in the underwriting process is whether there have been any changes to operations in the past year, and that goes without saying in the case of COVID-19,” said Elissa Doroff, managing director and cyber technical leader for NFP’s management and professional lines.
Exactly how workers log on to the company network is an important line of questioning. Many larger companies issue official laptops and devices, but smaller companies may not, and employees’ own devices must be properly secured. Depending on how computer systems are defined by a policy, BYOD (bring your own device) equipment may not be covered by cyber insurance. Are home Wi-Fi networks secured, or are employees using a VPN to log on?
“How are they logging on to the company servers? If they are doing it without VPN access, that adds another layer to the underwriting review,” Pizarro said.
Another concern might be the ability of networks to manage the increased load of a remote workforce, including the added reliance on video meetings.
“In widespread work from home situations, security around access points and potential ransomware attacks are critical but organizations should monitor and ensure there is sufficient network capacity,” said Thomas Kang, head of cyber in North America at Allianz Global Corporate & Specialty.
“If everyone is online and highly dependent on the internet for their work, it can have a significant impact on business income loss when there is an outage. There are also bandwidth challenges when a high number of employees are video conferencing and companies should ensure that they do not compromise availability.”
In addition to hardware, software and network readiness, insureds will have to address legal and regulatory obligations in this new environment.
“There are key issues to keep in mind including what data their employees have access to and what industry they’re in,” Glasgow said.
“If they work in a law firm or in health care, they can’t access that data on a personal device, and it can’t be shown to or seen by family members, even if working from home.”
Responding to an Incident Remotely
When faced with a data breach or data loss incident, timing is always of the essence, yet employees who used to be in the office are now scattered geographically and potentially working at uncoordinated hours.
It’s paramount to have an incident response plan (IRP) that accounts for these new circumstances, including changed contact information for offsite employees or employees out sick and/or taking care of family members.
Insureds should also perform remote tabletop exercises to confirm that their IRPs are up to date and function as needed, and that the IRPs are themselves accessible at all times.
“What happens if the network goes down—you won’t be able to get on the company Zoom in that situation, so you should be able to contact everyone by phone,” Glasgow said.
“It can be more difficult to train on an incident response plan remotely, but these plans have always been critical in minimizing costs and business disruption, especially given the more complicated ransomware attacks we’ve been seeing lately.”
The good news is that much of the response work by vendors, such as forensics services, often happens remotely under normal circumstances. Still, Kang said, a decentralized workforce can complicate incident response if the team is unprepared to manage an event from a distance or unable to ensure that appropriate personnel have on-site availability.
“We have seen some challenges when important IT or information security personnel are offsite and can’t get access to onsite capabilities, particularly given the tight timeframes required by many regulations and to ensure proper containment.”
Even as insurers and insureds play the indemnity version of whack-a-mole to address the cyber security risks that have already been identified, new issues are coming to the fore.
One concern is how budget cuts from the pandemic and its financial aftermath might impact cyber security resources or even the amount of cyber security coverage companies are willing to pay for. But insurance should only be part of a comprehensive approach.
“It was important to know whether there were changes in the information security budget before all of this happened, but now we really need to know how dedicated companies are to cyber security from a holistic perspective,” Doroff said.
“It’s not just a matter of tacking on cyber insurance. If they’re laying off employees who are critical to the security function, it will have an impact on protection, on recovering from an incident, on business continuity.”
Insurers should be communicating about the current landscape of risk and why cyber security insurance remains essential. Insureds, for their part, should be aware of their policies and what is and isn’t covered.
Another issue looks ahead to when offices eventually reopen—how companies will collect health data and track it to protect their workforce. What are the legal and regulatory ramifications of keeping staff safe from outbreaks?
“Taking temperatures, collecting that data and performing contact tracing will raise many other concerns about privacy,” Glasgow said. “That’s something we are keeping an eye on.”