We’ve all watched the wildlife documentaries and know what happens when animals get separated from the herd.
“Don’t do it,” we can hear you scream, “there’s a lion hidden in the grass!” Separation from the herd is extremely dangerous in the wild.
There’s a human experiment going on right now of a very similar nature. Hundreds of thousands, if not millions, of businesses have closed their offices as a result of the COVID-19/coronavirus pandemic, and sent their employees to work from home for the foreseeable future.
One of the unintended consequences of this is that it creates vulnerabilities in your cyber security framework, and there are predators out there taking advantage.
How does working from home make my business vulnerable?
Working from home creates vulnerabilities in two main areas:
1. Poorly secured personal devices being used to access the company network
Your company has probably established a process for you to access its network and data from outside the local (office) network. You may be using a Virtual Private Network (VPN) and using one of many Remote Desktop Protocols (RDP) to connect with your computer at the office. Theoretically, there are a number of viable and secure ways to do this.
However, if you are at home, doing this from your personal computer or laptop, it has likely not been secured to the same degree as your company equipment. You may be using fairly low-grade, free anti-virus software on your personal computer which may not have the latest upgrades and patches, and is unlikely to offer the same level of protection.
In addition, your company may not have set up Multi-Factor Authentication, which adds a much-needed layer of protection through a separate device.
In the course of using your personal laptop or computer you may have picked up various pieces of malware such as a key-logger, or other spyware which lets hackers know exactly what you are doing on your machine. From this, they can determine your company username, password and how you access your company network. They can then recreate the same access to your company’s network, and once inside, are free to cause damage.
So although in theory your company may have deployed a very secure remote entry to its network, the point of entry itself becomes the biggest vulnerability.
2. Individuals working apart from their teams for the first time may be more vulnerable to scams
As in the animal kingdom, we’re stronger and better defended in herds. When you’re at the office, if you receive an e-mail with a suspicious-looking link, or an e-mail from the president of your company asking for an urgent favour, it’s easy to turn to the person next to you and ask for their opinion before clicking or replying.
Many people will be working from home for the first time. Perhaps they’re even new to the organization so still relatively unfamiliar with normal practices, and may be keen to impress. Even in a typical office setting, the human factor is reportedly accountable for over 80% of cyber crime as people fall prey to standard phishing or social engineering scams.
What happens, then, when they are at home with no one to physically turn to and ask for a second opinion? What happens when cyber criminals make use of the coronavirus pandemic to create hoax e-mails targeting unsuspecting people?
CFC Underwriting, a global and Canadian pioneer and leader in cyber insurance, have already discovered new scams of this precise nature. One such scam relates to e-mails impersonating the World Health Organization, asking recipients to “click the button below to download Safety Measure”, leading to the capture of the user’s personal credentials. CFC also reports an increase in fraudulent websites claiming to sell protective equipment (e.g. face masks), which simply take money and do not deliver the promised goods.
What can I do to protect my business?
It seems likely that the current situation will continue for at least the next month if not longer. Once the dust has settled, and people get used to the benefits of working from home, perhaps the toothpaste won’t go back into the tube, and increased working from home will be with us to stay.
There are a number of steps you can take to limit your exposure and keep your network and data safe, and avoid costly cyber crime:
- Where possible, avoid the situation where your employees are using their personal devices (laptops, computers) to connect remotely into your networks. As you’ve probably gone to great lengths to appropriately protect and secure company equipment, your staff should use it wherever possible.
- If people are using their personal computers and laptops to access your network, we recommend that your IT service team or providers work with each individual as closely as possible to secure or protect their equipment, e.g. install the same grade of virus protection and firewall that are installed on company machines.
- Implement Multi-Factor Authentication as a critical step in allowing access to your network. This will mean that users will need to confirm on a separate device, e.g. their cell phone, that it is indeed them who is requesting access.
- Provide training to your staff on how to spot a phishing email and the general risks of cyber crime. Many online training tools have been created and are available in the market for this purpose. Some will even enable you to test staff with non-harmful phishing emails, to see how they react, and provide feedback. Some cyber insurers will offer these tools for free.
- Remind your staff to stay vigilant during these times. Even if they are well trained, opportunistic cyber criminals will be more determined than ever to exploit this current weakness. If an employee is in doubt, they should think twice and verify the sender before clicking.
- Make sure you have decent cyber insurance as part of your business package. No one ever wants to spend more money on their insurance, but it is becoming increasingly typical for businesses to recognize this new and emerging risk to their business and buy coverage. There is a wide array of products out there – some better than others – so we recommend you speak to your broker for their advice on the best fit for your business.
Finally, if I already have cyber insurance, will it still protect my business if everyone is working at home?
The general answer to this question is “Yes”. If your business has moved to 100% work-from-home as a result of this pandemic, your cyber insurer should continue to protect you, and you should not need to call them to change your policy.
In fact, we asked Lindsey Nelson, Cyber Development Leader at CFC Underwriting for her thoughts on this point. According to Lindsey:
“Clearly terms and conditions of all policies vary and the specifics of any individual case must be considered under the exact wording it has been placed upon. However, as a general view, nearly all our clients already engage in remote working and this is a normal part of their business operations. Data is routinely passed over the corporate network and beyond, including to employees’ personal devices. An increase in remote working is not typically something we would seek insureds to declare mid-term, and as such our policies will continue to be interpreted in the same way as they have always been for this situation.
“It is a good time however to look at other cyber policy wordings if not a CFC policy – there are still a lot of conditions or exclusions around this in the market when referring to what’s defined as a computer system, and warranties around system conditions, back-up procedures, etc.”
To be sure that your coverage is sufficient in the current environment, please refer to your cyber insurance policy or speak with your broker. Of course, if and when you next renew your policy, it’s important to update your broker and insurer about any changes to your business, including a shift towards working from home.