This post first appeared on Risk Management Magazine. Read the original article.
As the pandemic
continues to wreak havoc and disrupt life and commerce globally, an epidemic of
cybercrime is following close behind. As Risk Management recently reported, Coalition’s H1 2020 Cyber Insurance
Claims Report found that cyberattacks have increased in frequency and severity
since the pandemic first struck.
The theft of money, the
exfiltration of sensitive data and the extortion of organizations worldwide
continues to proliferate and morph. The Emotet trojan can both deliver
ransomware and steal data once inside the gates. A German tech company, a major
U.S. law firm, a municipality in Colorado, and a university in Utah have all
been recent cyber extortion victims. A ransomware attack against a tech
firm in Miami stole and held hostage employee records, payroll information,
payment card data and passport scans.
Conditions created by
the pandemic exacerbate exposure to ransomware and other cybercrime—and also
point to concrete measures organizations must undertake to manage those risks.
Expansion of the
Company Network
The pandemic has forced
many organizations to expand their computer networks into dozens, hundreds or
thousands of home offices.
A larger network means
a larger perimeter to guard. Working from home has come with
understandable growing pains—some having to do with functionality, some with
productivity, and a number with cybersecurity. Zoom and other video online
conferencing platforms have allowed many to telecommute efficiently, but
security and privacy enhancements were necessary to ensure the integrity of the
communications.
The vastly expanded
array of personal computer devices mobilized for the work-from-home effort add
a new layer of security risk to corporate networks. In a target-rich
environment, cyber criminals have executed a bevy of serious attacks on
organization systems—especially in the form of ransomware.
Ransomware Plus Data
Theft
Ransomware attacks have
increased exponentially. It is hard to know whether they have grown more severe
as a result of the pandemic or if the increase is a function of ever-more
sophisticated hacking gangs. The demands to unlock data have grown too. Once
upon a time, a ransomware attack may have cost several hundred dollars to
address. Now the ransoms can range from the many thousands of dollars to
the many millions of dollars—all with no guarantee that the data will be
unlocked if a ransom is paid.
Increasingly, ransomware
attacks constitute a multi-tiered threat. Early attacks demanded a ransom in
exchange for returned access to the target’s systems and files. Now, stolen
data is itself held hostage. The attacks can encrypt data, demand exorbitant
payment for a return of information, permanently destroy data, disclose private
or embarrassing data, and pull sensitive information on the way out of the
system.
Risk Management Basics
Maintaining effective
defenses against these attacks is not only possible—it is a core corporate
responsibility. Regulators, investors and other stakeholders will insist on a
dedicated effort to keep the cyber criminals at bay. Recently, a banking
regulator levied a fine of $60 million against a financial institution in the
wake of a prior security incident, and a U.K. airline was fined 20 million
pounds for GDPR infractions after it was the victim of a security
incident.
As the pandemic
persists, it is essential to remain vigilant, continuously updating programs
and organizational software applications. Continue with security audits
and penetration testing.
Most importantly,
concentrate on the dispersed work force. Cybercrime routinely targets and
exploits human error. Coalition’s 2020 report found funds transfer claims up
35% and business email compromise attacks up 67%. Both forms of attack rely on
duping employees. The report also found that “exploitation of remote
access was the root cause of reported ransomware incidents.”
It is important to educate,
train, educate and repeat. There cannot be enough reminders about core cyber
security hygiene. New employees and longstanding ones need to adhere to the
safety protocols and receive regular education about what to do and not do
within the organization’s network.
It is particularly
vital that employees treat their personal devices with the same care that would
be expected of company ones: use strong passwords, patch and update programs,
log off entirely when not working, and secure the device at home, in the car
and during travel. Also take great care with storage devices—encrypt any
sensitive data that is resting on a hardware device.
Give Your Insurance
Regular Check-Ups
At renewal, first
purchase, or even a mid-term check-up, consider whether your cyber insurance is
up to the task of protection in a fast-shifting world of technology risk.
First, make sure your data is accurately mapped. Some firms have embraced cloud
computing without recognizing it. New computing services often take your data
and your customers’ data and host it, partly or wholly, on their servers. If
that is taking place, make sure the arrangement is reasonably secure and
disclosed to stakeholders.
Mapping data accurately
can help inform whether your insurance matches your computing. Some forms
of insurance may not include coverage for certain cloud computing operations as
part of their basic coverage—and some forms of cyber insurance may try to
sub-limit it. If you know you have to insure cloud computing data and
operations, the cyber market is robust enough to deliver the needed protection. But
have a good broker by your side to know what questions to ask and what to look
for.
Second, with the
pandemic forcing a surge in telecommuting, make sure that employee home office
computing gets picked up as part of the cyber insurance protection. There
are lots of different cyber policy forms on the market and not all are created
equal. Carefully check the definition of “computer system,” “computer network” and
related phrases to make sure that mobile devices are covered—including PCs,
laptops, tablets, smart phones and thumb drives—whether they are online or
offline. Be mindful too of where servers are located and who owns them.
Third, remember that
insurance policies other than just specialty cyber insurance policies may be
both handy and needed for serious cyber incidents.