Laxer security post COVID-19 heightens cyber risk

By: Santho Mohapeloa, Cyber Insurance Expert at Allianz Global Corporate & Specialty (AGCS).

The coronavirus outbreak has resulted in the largest work-from-home situation in history, presenting criminals with new opportunities to exploit any security vulnerabilities created by the pandemic.

With many companies having expanded their remote working capacity through the outbreak – often at very short notice – in order to provide as many employees as possible with easy access to software and systems, IT security standards may have had to be lowered or suspended, putting cyber security under new levels of stress.

According to research by cyber security firm Arceo, almost all of the CISOs at 250 companies, with $250mn to $2bn in annual revenues, believe that security practices when working remotely are unlikely to be as stringent as those at the office.

One consequence of potentially laxer security may be that cyber-criminals and hackers find it easier to penetrate previous effectively-protected corporate systems, causing data breaches, cyber blackmail intrusions and IT system failures. Those CISOs stated that cloud usage, personal device usage and unvetted apps or platforms pose the biggest threats during this work from home period. At the same time, it is estimated that anywhere between 50% and 90% of data breaches are caused or abetted by employees, be it by simple error or by falling victim of phishing or social engineering.

By the end of March 2020 – the very beginning of the lockdown period for many countries – the FBI had already investigated thousands of complaints of Covid-19-related cybercrimes and it predicts that the number of cybercrimes, primarily business email compromise (BEC) schemes are expected to significantly increase, along with damage costs due to phishing scams, ransomware attacks and insecure remote access to networks. There has already been a rise in BEC frauds targeting municipalities purchasing personal protective equipment or other supplies needed in the fight against coronavirus.

At the same time, the international police body Interpol warned of the “alarming” threat posed by scammers since the coronavirus outbreak began, with criminals shifting their focus from individuals and small businesses to governments and critical infrastructure. Other threats involve the use of deliberately misleading domain names and the use of malware and ransomware. In one four-month period (from January to April 2020), some 907,000 spam messages, 737 incidents related to malware and 48,000 malicious URLs – all of them in relation to coronavirus– were detected by one of Interpol’s private sector partners.

In some countries, data shows that the number of attempted cyber-attacks increased five-fold between mid-February and mid-March. In April alone, Google detected and blocked more than 18 million malware and phishing emails and 240 million daily spam messages related to the pandemic in a single week. In total, it blocks more than 100 million phishing emails each day.

Specific sectors have also reported a rise in incidents. In the US, with millions of Americans now working from home – including those charged with looking after critical infrastructure – it has been reported that cyber-attacks on the electric grid have surged by 35% during the pandemic. In a worst case scenario, such attacks could trigger blackouts or damage vital equipment. In May, the UK’s grid data system was hacked, although electricity supplies weren’t affected. And in March, an attack against Europe’s association of grid operators, ENTSO-E, affected its internal office systems.

There have also been reports of maritime and offshore energy companies having seen a 400% increase in attempted cyberattacks. Vessels are becoming more connected to shore-based systems, meaning the cyber threat is ever-evolving – from crippling ports and terminals to a growing number of spoofing attacks on ships.

Risk Mitigation: Prepare, Practice, Prevent

Preparation and training are the most effective forms of mitigation and can significantly reduce the likelihood or consequences of a cyber event. Many incidents are the result of human error, which can be mitigated by training, especially in areas like phishing and business email compromise.

Training could also help mitigate ransomware attacks, although maintaining secure backups can also limit the damage from such incidents. Business resilience and business continuity planning are also key to reducing the impact of a cyber incident, although response plans need to be tested, practiced and regularly reviewed.
Businesses should consider taking the opportunity to carry out a desktop exercise with their insurer and broker, and include key Internal and external stakeholders. This builds trust and can take the sting out of any crisis.

Success in mitigating the impact of a cyber event also requires good oversight and knowledge of IT systems and processes across an organization. If there is no overall control or oversight it will take much longer to get on top of a situation. Clear lines of responsibility and communication, and having all departments aligned with an established relationship and master plan, will lead to a more effective response.

Purchasing cyber insurance should be one of the final points in a company’s plan to enhance its cyber resilience. Insurance has a vital role to play in helping companies recover if all other measures are insufficient but it should not replace strategic risk management.

Investing in employee awareness, together with updating and continuous monitoring of systems should definitely be at the top of any company’s cyber to-do list.