Cyberattacks have spiked dramatically since the COVID-19 crisis began, leading to what some are calling a “cybercrime pandemic” as hackers capitalize on vulnerabilities inherent in a newly remote workforce. The U.S. Federal Bureau of Investigation is receiving between 3,000 to 4,000 new internet crime complaints each day, compared to an average 1,000 daily before the pandemic. Phishing scams alone have risen by 667 percent since March 1.
Cyber criminals target employees working from home, taking advantage of a lack of cybersecurity controls and expertise to gain access to employers’ data, through social engineering or any of a number of new tactics hackers have developed to exploit the current crisis.
“When you have a pandemic bubbling away in the background, a company’s focus is not necessarily going to be cyber risk management,” said Nathan Rose, Senior Underwriter and Business Development Specialist, Burns & Wilcox, Vancouver, British Columbia. “Companies transitioned from working in a controlled, contained environment to working remotely very quickly. That created problems from a risk management standpoint.”
Google stopped 18 million malicious emails each day during the week before April 16, each containing a link embedded in a message that preys on individuals’ fears about exposure to coronavirus. Ransomware attacks, which involve hackers holding data and networks hostage for ransom, have risen 148 percent worldwide. Recent ransomware attacks have targeted New Jersey-based IT services firm Cognizant and Canadian coronavirus response workers, among others.
“It’s not surprising that the number of cyber-attacks are up, specifically ransomware and social engineering, given how many business owners were forced to engage in a remote environment,” said Derek Kilmer, Manager, Professional Liability, Burns & Wilcox, Detroit/Farmington Hills, Michigan. “Unfortunately, many companies have not invested enough resources in their IT infrastructure to ensure privacy and data securities when accessing their network remotely.”
In 2019, the global average cost of a data breach was $3.92 million, and 43 percent of breaches involved small businesses. A recent cyberattack forced certain locations of an Ontario, Canada retail chain to temporarily accept cash only.
“In some cases, a cyberattack could take a small business down,” said Matthew Lefchik, Director, Cyber Risk Management, Node International, Detroit/Farmington Hills, Michigan. “A holistic approach to cybersecurity involves prevention, detection and Cyber and Privacy Insurance because one or two of those is insufficient—you need all three.”
1. Harden cybersecurity on all fronts
Although it may not have been feasible when stay-at-home orders first began, businesses should aim to have remote employees use company-owned hardware whenever possible, advised Lefchik. Workers using personal smartphones or laptops for business purposes are more likely to inadvertently leak company data than those using company owned and secured equipment.
At a minimum, instruct employees on how to keep company and personal information segmented to limit the extent of damage if a device is compromised. “A laptop or cell phone houses so much data,” Lefchik said.
Personal devices are often where corporate network breaches start, Rose added. In addition to providing secured hardware, he recommends remote workers use a virtual private network (VPN), which encrypts internet traffic so it is unreadable to anyone who intercepts it.
“While there is currently commentary around the vulnerabilities within VPNs, they remain a company’s best means of creating a more secure environment in which employees can work efficiently but still have their cybersecurity risks managed,” Rose asserted.
A secure network should also include firewalls, antivirus software to detect and block known malware, regular security updates and remote employees’ home networks protected with routers and encryption.
Employers should require employees to only use company email addresses for work purposes and transition their environment to incorporate two factor authentication when working remote.
While security concerns over Zoom and other video conferencing apps persist, they remain an essential means of maintaining operations and connectivity. Utilizing precautions like passwords and features such as Zoom’s “waiting room” on video calls affords some measure of security; however, work messaging should be limited to services and apps that provide end-to-end encryption, according to Lefchik.
Strong passwords are another best practice. An ideal password should be 12 to 20 characters long, Lefchik said, and it should be changed frequently.
Lastly, companies should ensure that any business associates or third parties within their supply chains are also implementing proper security measures to prevent cyberattacks, Kilmer pointed out.
“Companies need to make sure they understand what their business associates are doing in regards to safeguarding their data securely,” he said. “Your data and network are only as secure as that of your least protected business associate. It is important to understand that everyone is susceptible, and even companies that institute proper safeguards are not immune to breaches.” Consistency and data security is key to the company’s overall protection.
2. Fortify employees’ defenses with training and awareness
The longer a breach continues undetected, the more damaging and costly it can become. According to FBI data, business email-based network breach losses totaled $1.7 billion in 2019, a 37 percent increase from 2018.
To reduce the risk of a data breach and the time it takes to identify one if it occurs, train employees to identify and report suspicious emails or messages, such as the texts sent in the recent COVID-19 exposure scam. Send regular alerts to workers about current scams and reminders about safe handling procedures.
“While horrible, it is when individuals are the most fearful and anxious that cyber criminals exploit their vulnerabilities for malicious purposes,” Rose said. “Always apply the highest possible element of caution and route all concerns to your IT manager.”
Your average worker is wearing many different hats right now and remote employees may be balancing a number of competing interests at home. Distracted workers are inclined to make more mistakes.
Consider conducting in-house or third-party phishing test campaigns against employees, in which “suspicious” links or attachments are presented to assess employees’ susceptibility to an actual attack.
“I highly recommend these particular exercises,” said Lefchik. “They provide valuable insight into what practices are going on within your organization.”
At a time when workers may be unusually stressed due to the pandemic’s mental health impact, reminders about cybersecurity vigilance are especially needed. “Your average worker is wearing many different hats right now and remote employees may be balancing a number of competing interests at home,” Kilmer said. “Distracted workers are inclined to make more mistakes.”
Workers are also finding themselves with more free time and many are spending it online. Hackers can gain access to personal information about an employee — and potentially his or her employer — through unexpected means, such as social media surveys or viral campaigns like the #ClassOf2020 senior portrait challenge to show support for this year’s high school graduates.
Educate employees about social engineering, in which hackers use personal details provided by participants in surveys and online campaigns to answer security questions for account logins and access other proprietary data and private networks. “Cybercrime does not need to be sophisticated to catch individuals off guard,” Rose emphasized.
Hackers use personal data to compile an individual’s “digital footprint” on employees, Kilmer explained, and this puts their employers’ network security at risk.
Educating workers about privacy and cybersecurity risks and best practices is essential, and becoming more common, but regular reminders and vigilance are needed.
“Arguably the best line of defense against network breaches is an educated employee,” Rose explained. “It is important to educate each employee on what to avoid, what to account for and what vulnerabilities they can mitigate by applying basic risk management principles.”
3. Maintain robust insurance coverage, proactive security
With cyberattacks surging, now is an ideal time to check in with your insurance broker or agent to inquire about Cyber and Privacy Insurance coverage, including policy language, limits and potential benefits related to remote workers.
“Not every policy is created equal, so consulting an experienced, trusted advisor is critical,” Kilmer said. “With so many of us now working remotely, we have never been more vulnerable. While we are always getting better at protecting ourselves, hackers are also getting better at finding ways around our protective measures.”
Kilmer also recommends taking advantage of risk management services or training that may be available as part of your policy. As the COVID-19 crisis continues to change how companies do business, being educated about cybersecurity and aware of your company’s vulnerabilities are key to adapting successfully, Lefchik said.
“The more you know, the better,” he emphasized. “Make sure you are checking all of the boxes. Until you have actually done that, are you truly battle-tested? How confident are you about your company’s cyber hygiene?”
It is likely that new best practices for cybersecurity will emerge from the crisis in the long term, Rose added. “This crisis has been a kind of crash course in operating remotely. It is a steep learning curve, but in general I think companies will emerge from it better equipped and with greater awareness of security challenges and solutions.”