COVID Is a Cyber Attack Enabler. How to Shut the Door on the Risk

The move of millions of workers to home offices provided flexibility during the pandemic, but it has also amplified cyber risk.

By Elisa Ludwig

(Photo by Getty Images)

Click here to request a Cyber Liability Insurance Quote!

Amid the COVID-19 outbreak, many companies have transitioned to an at-home workforce. While remote work itself is not new, the sheer volume of companies deploying technology to stay productive and connected is greater than ever before, potentially proliferating cyber security risk.

“Over the last several years, we’ve seen more businesses with the capacity for remote work, but the pandemic has obviously accelerated this,” said Robert Pizarro, vice president of commercial specialty at AmTrust Financial Services, Inc.

“With that, the need to share and exchange data between coworkers and vendors has never been greater. And that can create more opportunities for data compromise.”

Same Threats, New Risks

Most experts agree that the essential tenets of cyber security that existed before the pandemic hit remain unchanged. Threats such as ransomware and phishing, spoofing and social engineering schemes continue unabated. What has changed are the conditions of the workplace which now technologically, psychologically and physically render companies more vulnerable to attack. For many companies, this is simply a new mode of operation, and with that comes more challenges, said Jacob Ingerslev, head of cyber risk at The Hartford.

“Businesses that had employees working remotely and a high degree of cloud adoption are not likely to have experienced much impact from the changes brought about by COVID, while those with a more traditional, office-based workforce and technology infrastructure might have been affected in a more serious way,” Ingerslev said.

As the working world has reinvented itself to respond to the pandemic, threat actors have evolved, too, seizing on public concerns about health and financial stability and turning them into keywords. As of August 2020, the Federal Trade Commission reported 175,000 coronavirus related incidents, with voice call phishing attacks on the rise.

“The pandemic hasn’t necessarily created new concerns, but it has exacerbated existing issues,” said Jason Glasgow, cyber lead, E&O division at Allied World.

“We’ve seen COVID-19-specific phishing attacks preying on people’s fears and these have been far more successful than other attacks. We’ve also seen an increase in ransomware frequency and severity.”

The work-from-home scenario is ripe for social engineering targets, not just because of a heightened common need for information, but also because employees tend to be more distracted with children, partners and other family and pets around. The change of setting and added stressors can turn even seasoned end users into easy targets for manipulation.

“It’s likely that distractions such as having to manage the challenges of working and parenting at the same time as well as the impact on mental health from the lockdown and the gravity of the COVID situation as a whole may lead employees to make mistakes they wouldn’t otherwise make,” said Ingerslev.

It’s not just that workers are newly remote, but also that new classes of data are being shared over potentially less secure networks, said Michael Convertino, CSO of Arceo.

“When everyone moves to mobile work that exposes new data to the same vulnerabilities. Companies are in a mad scramble to upgrade their systems and better secure them as CISOs recognize the weaknesses on home networks. For example, you may be using a company device on a network with a PC and a gaming system that can easily be hacked, allowing an adversary to hitch a ride into the corporate network.”

Hacking may not even be necessary if employees inadvertently expose sensitive data, by using consumer cloud storage like Dropbox or One Drive to share or save it with other employees.

“Often these accounts can be made public to anyone who has a link and that might include personally identifiable information or proprietary corporate information,” Pizarro said.

“And in a case like that it can be difficult to see who had access, which makes forensics more difficult should an incident occur.”

Asking the Right Questions

“By and large, the process of underwriting itself remains the same, even when conducted remotely,” said John Coletti, chief underwriting officer at AXA XL, but he has observed subtle differences in the past year.

“We miss meeting with our clients and brokers face-to-face. Human interaction provides intangibles such as body language that help us corroborate or question the underwriting information. Relationships are still extremely important,” Coletti said.

The specific questions insurers are asking focus on how insureds have addressed needed changes in cyber security infrastructure: how companies are safeguarding data assets remotely, how they are keeping the network up and running, and how they are ensuring business continuity.

“One of the questions insurers always ask in the underwriting process is whether there have been any changes to operations in the past year, and that goes without saying in the case of COVID-19,” said Elissa Doroff, managing director and cyber technical leader for NFP’s management and professional lines.

Exactly how workers log on to the company network is an important line of questioning. Many larger companies issue official laptops and devices, but smaller companies may not, and employees’ own devices must be properly secured. Depending on how computer systems are defined by a policy, BYOD (bring your own devices) may not be covered by cyber insurance. Are home wi-fi networks secured or are they using a VPN to log on?

“How are they logging on to the company servers? If they are doing it without VPN access, that adds another layer to the underwriting review,” Pizarro said.

Another concern might be the ability for networks to manage the increased load of a remote workforce including the added reliance on video meetings.

“In widespread work from home situations, security around access points and potential ransomware attacks are critical but organizations should monitor and ensure there is sufficient network capacity,” said Thomas Kang, head of cyber in North America at Allianz Global Corporate & Specialty.

“If everyone is online and highly dependent on the internet for their work, it can have a significant impact on business income loss when there is an outage. There are also bandwidth challenges when a high number of employees are video conferencing and companies should ensure that they do not compromise availability.”

In addition to hardware, software and network readiness, insureds will have to address legal and regulatory obligations in this new environment.

“There are key issues to keep in mind including what data their employees have access to and what industry they’re in,” Glasgow said.

“If they work in a law firm or in health care, they can’t access that data on a personal device, and it can’t be shown to or seen by family members, even if working from home.”

Responding to an Incident Remotely

When faced with a data breach or data loss incident, timing is always of the essence, yet employees who used to be in the office are now scattered geographically and potentially working at uncoordinated hours.