Pandemic Pumps Up Companies’ Vulnerability to Cyber Attacks
December 11, 2020 | Shari Claire Lewis
A business’ risk of suffering a cyber event is often discussed, but not always easy to quantify. Recently, Allianz Global Corporate & Security analyzed its experience with cyber insurance claims over the past several years as a basis for its report, “Managing The Impact of Increasing Interconnectivity: Trends in Cyber Risk.” Its conclusions may help businesses with that calculus.
According to the report, there has been geometric growth of cyber risk over the years. The threat is expected to continue to expand in the next 12 months, especially as a result of business response to the coronavirus emergency.
Not surprisingly, whereas external malicious attacks on computer systems (such as ransomware, denial of service attacks, etc.) result in the costliest cyber claims, most cyber claims were caused by “mundane technical failures, IT glitches or human error incidents.” Indeed, the report estimates that 50%-90% of data breaches are caused or abetted by employees through error or falling for a phishing or social engineering scam. INTERPOL reported that thus far in 2020, phishing, scams and frauds have increased by more than 50%, and malware and ransomware incidents have increased by more than a third. By extrapolation, a business may be able to reduce its cyber risk by proactively managing its employee practices.
The report identifies a variety of factors that have increased companies’ cyber risk. First and foremost is the impact of the Covid-19 pandemic, which has caused companies to shift to a remote work force, accommodating employee access and use of company IT systems from their homes, often on short notice and without adequate cybersecurity protocols in place. Previously protected company systems may now be easier to penetrate, resulting in data breaches, cyber intrusion and IT system failures.
Ransomware is increasing both in frequency and cost. And, whereas the price of ransom may be high, the costs of business interruption, the possibility that the ransomware was a “smokescreen” for data theft and ransomware’s possible impact on business partners may be catastrophic. Once again, the problem is expected to grow due to the “Covid-19 landscape” as remote workers are often operating outside the company’s cyber safeguards. For the same reasons, the report predicts a continued surge in “business email compromise,” which occurs when social engineering or phishing emails dupe an employee into revealing login credentials or making a fraudulent transfer of money or other assets.
The report identifies a variety of other external factors that it concludes are having a significant impact on cyber risk at this time — such as increased regulation, class action litigation and supply chain vulnerabilities. These factors are outside businesses’ immediate control. Instead, it may be more feasible for a company to focus on risks that arise internally in connection with remote employees’ conduct.
There are several measures companies should consider for bolstering IT security while employees are working remotely:
- Mandating that employees use updated software, web browsers, virus protection and firewalls when accessing company resources;
- Limiting employee access to personal health information (PHI), personal identifying information (PII) and other sensitive, confidential, privileged or proprietary data on a need-to-know, need-to-access basis and requiring encryption of that data when shared or stored, when appropriate;
- Requiring employee system and other passwords to be unique, complex, private and changed regularly;
- Providing system protections and educating employees to identify and avoid suspicious emails and download requests;
- Instructing employees regarding safe document retention and destruction practices, both when printing and with computer data, especially for materials containing PHI, PII and other sensitive, confidential, privileged or proprietary data;
- Encouraging employees to use available security and log-in protocols provided by online meeting platforms, identify participants in online conferences and log out at the web interface at the conference’s conclusion;
- Instructing employees to turn off voice-activated smart devices and cover webcams when not in use;
- Updating cyber detection software and regularly backing up company resources and data.
During these troubling times, it is particularly important for companies to revisit and update their cyber-security practices. An integrated approach to assess where the company is now and what the company should do to navigate the risks into the future should be undertaken by company management and information technology staff with input from in-house or outside legal, cybersecurity and insurance professionals.
- Shari Claire Lewis