The novel coronavirus (or COVID-19) pandemic has forced the emergence of a new digital workspace to keep businesses functioning during the crisis. With more than 75 percent of Americans and many Canadians engaging in some form of social distancing, many companies now have almost every employee working from home, adding a new level of digital security vulnerability.
Unsecured wireless networks, home hardware, third-party conferencing services and inadequate antivirus software are just some of the cybersecurity hazards that could open the door to data breaches and hacks, potentially leading to expensive losses during an already challenging time. The average cost of a data breach is on the rise, reaching $3.92 million for a single incident in 2019.
“The transition from having full office access and security infrastructures that are tried, tested and well-managed to working completely remotely has all happened incredibly quickly,” said Nathan Rose, Senior Underwriter and Business Development Specialist, Burns & Wilcox, Vancouver, British Columbia. “Still, it is important to carry over the levels of control applied in an office environment to remote working.”
Now more than ever, businesses should have guidelines in place for anyone working remotely to ensure that client privacy and sensitive company data are protected. These standards are often formed in conjunction with a Cyber and Privacy Insurance policy.
“You are only as good as your weakest link,” said Matthew Lefchik, Director, Cyber Risk Management, Node International, Detroit/Farmington Hills, Michigan. “By challenging the status quo and merging cybersecurity resources with insurance under one digital risk offering, you can harden your infrastructure and improve your cyber risk footprint. We employ a holistic approach: prevention, detection and insurance.”
Online connection is critical, but comes with security challenges
The rapid shift from social distancing recommendations to strict shelter-in-place orders in many areas of the U.S. left businesses scrambling to get employees up to speed and equipped for remote work. Similar restrictions are also in place in Canada, limiting non-essential travel and curtailing in-person gatherings. Many companies have not yet been able to implement extensive cybersecurity precautions, Rose said.
The sudden change also led to a boom in the use of videoconferencing services like Zoom for business meetings, virtual classroom lessons and social gatherings. Such services must be used with caution, however, as “Zoom bombing” hijack attempts and phishing incidents have increased in frequency since the onset of coronavirus. The U.S. Federal Bureau of Investigation recently issued a warning about these issues. Any videoconferencing platform—GoToMeeting, Cisco Webex, Google Hangouts, Microsoft Teams, and others—carries the same level of risk, Lefchik said.
“You cannot adapt overnight,” Lefchik acknowledged, noting that awareness of potential vulnerabilities is key to mitigating and preventing them.
While the challenges and potential risks of remote work are heavily felt by office-based operations suddenly managing massive at-home workforces, educational institutions have also been affected. Teachers and students are newly engaged in e-learning, and other businesses, such as yoga studios, are now inviting clients to participate virtually.
More health care providers than ever are offering telehealth appointments to lessen exposure to and limit the spread of COVID-19. Engaging in this practice without proper security measures in place could lead to a network breach.
“If an unsecured connection is used for a telehealth appointment, it can allow a criminal to hold data hostage as it is being transmitted,” said Nicole Greene, Associate Vice President, National Brokerage Operations, Professional Liability, Burns & Wilcox, Detroit/Farmington Hills, Michigan. “Hackers could extract personal health care information and utilize it for nefarious purposes.”
Best practices to secure systems and mitigate risks
Creating a safe remote work environment may look different for each company, but some advice is universal. Personal email addresses should not be used for work purposes, passwords should be updated often, two-factor authentication should be set up whenever possible, and employees should have the appropriate anti-virus software installed on the hardware they use for work purposes, Rose said. In addition, he recommends using a virtual private network (VPN).
“A VPN is always the preferred platform,” Rose said, adding that “this is a prime time to re-educate employees and drive home this and other best IT practices for working remotely.”
Whether hosting an office meeting using a videoconferencing app or providing a telehealth appointment, a secure line is crucial, Greene added. Practitioners offering services digitally for the first time should also be prepared to provide cybersecurity precautions to their clients directly, she said.
“Health care providers should be proactive and cognizant of reminding their patients about privacy and cybersecurity,” said Greene. Telehealth providers would also be better served by choosing trusted third-party services rather than rushing to adopt a new platform during the crisis, according to Greene. “Experience should be king right now.”
Videoconferencing risks can be reduced by adopting several practices, Lefchik explained. Users should obtain permission from every individual on a video conference call before recording it; personal mobile devices should not be used to record video conferences; sensitive information should be discussed in designated video conference rooms and not in public or open spaces; confidential data or paperwork should be out of camera view; cameras and microphones should be turned off when not in use; and remote control of cameras should be reserved for authenticated users.
Remote employees should also be given information to help them prevent smart devices or cameras in their homes from recording and collecting data from work-related conversations.
“There will be gaps with individuals working from home,” said Lefchik, pointing out that even large corporations with robust cybersecurity systems in place face breaches. “There is no silver bullet.”
Companies should verify that their Cyber and Privacy Insurance covers employees who are working remotely. Rose noted that this coverage is standard in Burns & Wilcox Cyber and Privacy Insurance policies. “With our policy, employees could be working remotely from any location and a cybersecurity breach would be covered.”
Business interruption stemming from a cybersecurity breach is another important consideration, especially during uncertain economic times, Rose said. While a Cybersecurity extension to an existing policy may be an option, a standalone Cyber and Privacy Insurance policy can offer broader coverage for business interruption losses. In Canada, 21 percent of businesses reported their operations were impacted by cybersecurity incidents in 2017.
“This is prime time for opportunistic cyberattacks,” said Greene. She pointed out that a Cyber and Privacy Insurance policy that offers protection as well as direction on security best practices can cost less than $2,000. “The cost of mandatory notification following a potential breach alone is hundreds of thousands of dollars—substantial protection is pennies on the dollar and an especially wise investment given what lies ahead.”
Implications for the future of work
Even as workforces adjust to what may seem like temporary changes, some experts predict the coronavirus crisis will permanently alter the way business is done. In this new business landscape, cybersecurity protection is essential.
“Now that companies’ cybersecurity systems and contingency plans have been truly tested, I think they will make remote cybersecurity more of a priority,” Rose said. “Giving those best practice measures full attention now is prudent for the future.”
Lefchik concurred. “This is an eye-opening experience and a chance for more organizations to adapt,” he said. “This could be the pivot point to more organizations having remote access and an ability to monitor and detect their vulnerabilities.”
If the current situation does change the way business is done, it may pave the way for a more connected and secure digital future, Greene said.
“We have all been moving toward technology being more integrated in all aspects of life, and I think that COVID-19 is going to have a big impact on that,” she said. “I do not think we go back from here. I think we evolve and move forward from this evolution in how we conduct business.”