This material is provided for informational purposes only. Before taking any action that could have legal or other important consequences, confer with a qualified professional who can provide guidance that considers your unique circumstances, including applicable employment laws.
It is often in the darkest hours that we discover the best in people. The ongoing Coronavirus (COVID-19) pandemic is a prime example. The courage, compassion, and persistence shown by medical staff, caregivers, first responders, and others who put themselves in the line of fire is nothing short of heroic. Individuals are willing to sacrifice their and their loved ones’ personal safety to help others are real angels in our midst.
Unfortunately, such dark times also bring out the worst in a small minority of individuals seeking to prey (not pray) on others. They took advantage of the fears, uncertainties, and compromised states of mind to try to gain monetary wealth through trickery, threats, deceptions, falsehoods, and outright crimes. Among these “bad actors” are cybercriminals who lurk in the dark recesses of the Internet and take advantage of companies large and small – companies who are trying to navigate the treacherous and unfamiliar Coronavirus/COVID-19 world.
The human and financial turmoil caused by the Coronavirus pandemic is unprecedented. Businesses grapple with finding a new normal to cling to, as the global community seeks signs of a slowing of the deadly virus and a return to some degree of stability.
Companies, including professional services firms, have had the economic rug pulled out from under their feet. They desperately try to find their footing. Governments worldwide, at all levels, are understandably putting human health and safety first by issuing shelter-in-place and social-distancing orders that can effectively shut down all companies but those deemed to be providing “essential” services. That has led to countless halted projects. Tragically, this idleness has resulted in mass layoffs, furloughs, and unemployment numbers not seen since the great depression.
Due to the economic and employment turmoil, companies are increasingly vulnerable to cybercrimes. When income dries up due to work stoppages, businesses have to reduce expenses. Support staff, including IT professionals, are often the primary target for cost-cutting. Those IT professionals who remain on staff are often overworked or thrown into new roles in a sink-or-swim manner with very little guidance or formal training.
Compound this problem with an unprecedented increase in work-at-home employees. Shelter-in-place and social-distancing dictates may force employees to work from home on a full-time basis. As a result, servers and other hardware, software, and additional critical components of the company’s computer network (once fairly secure behind tightly maintained company firewalls) are all of a sudden being pieced together with company and employee equipment by a short-handed and inadequately trained IT staff.
In such an environment, company practices and procedures regarding Internet use and security protocols become shortchanged and incompletely thought through. Loss of vital knowledge and information regarding the security of internal and external networks lost with the layoffs and furloughs. And, third-party consultants you try to hire to bolster your network security efforts may not be available for weeks if not months.
Meanwhile, your clients, vendors, and other third parties are experiencing similar problems, which can leave vulnerable backdoors into your network for cybercriminals masquerading as your long-trusted business partners to enter and cause havoc.
Cybercrime had been on the rise well before the COVID-19 pandemic began. Phishing excursions, malware-ridden emails, and ransomware attacks have all been on the increase despite heightened security efforts. Far too many firms have fallen for elaborate schemes where criminals impersonate vendors, customers, or members of company management in an attempt to convince someone to wire company funds to a new external account.
With the COVID-19 crisis, cybercriminals are now adding new weapons to their arsenals. For instance, malicious Websites and emails offering advice on how to survive the pandemic attempt, and sometimes successfully snare and infect networks of those companies visiting the rouge sites. Similarly, phishing emails made to look like they come from the World Health Organization and other government and charitable bodies ask for donations and try to get access to your electronic funds.
What to Do
The COVID-19 world presents significant challenges for all size businesses. Here are some general guidelines to keep in mind when planning your cybersecurity.
Keep cybersecurity at the forefront. The current economic turmoil is putting a lot of pressure on businesses to reduce expenses. When making those cost-cutting decisions, consider cybersecurity a primary business objective. Key IT staff (or, alternately, specialist outside consultants) are essential to maintaining a secure operation, mainly if you are dealing with an increase in work-at-home employees. Think long and hard before significantly reducing your IT staff.
Secure at-home offices. Moving staff into remote home offices can create numerous inroads for cybercriminals to invade your network. Invasion is especially true when the decentralization of company staff isn’t part of a long-term strategic plan. Emergencies are calling for shelter-in-place, and social-distancing dictates. Each employee’s home office will require a security review designed to identify and eliminate cyber exposures.
You’ll need to inventory all employee home office hardware and software as well as mobile devices in use. Preferably, you’ll want employees to use only company-owned equipment. If you do allow employees to use their personally owned equipment and software, you’ll need to make sure they are up to date and protected with state-of-the-art antivirus software and the appropriate level of encryption.
You will want to examine how each employee’s home office connects to the company network – including a review of the Internet service provider. Identify which parts of the company network (servers, clouds, and other databases) remote employees have access, and what access can be blocked or restricted through firewalls and other defenses. You’ll also want to be able to track all traffic and receive alerts when there is suspicious activity that may signal a cyber breach.
Importantly, you must simultaneously review the technology restrictions employees face that could prevent success in conducting their work by an excess of security measures. Otherwise, they will look for workarounds that will defeat your network protection. Finding the “right” level of security is the challenge.
Secure unused or underused office space and equipment. In a rush to comply with shelter-in-place directives, many main offices have become scattered with office equipment no longer in use. It is crucial to secure these servers, desktops, and other hardware and, when possible, disconnect them from the company network. Strive to eliminate any risk that an intruder may enter your premises and gain physical access to your network.
Beef up employee protocols. Employees must conduct themselves properly while using the company’s equipment, software, and networks. You’d be surprised how lax employees can be when it comes to creating strong passwords and changing them regularly. Strong, frequently changed passwords combined with multi-factor authentication are widely considered your best first line of defense against hackers.
You’ll also need strict rules regarding what types of Internet activities, business or personal, employees are allowed to conduct in their home offices. Limits should be put on the use of public wifi in coffee shops, hotels, and other public places as well. Also, you’ll need secure back-up procedures to help prevent data from being maliciously stolen or kidnapped via ransomware.
Institute security training. To avoid security breaches, employees will need clear direction and consistent guidance in the form of best practice procedure manuals and training. Company guidelines must spell out employees’ role in maintaining cybersecurity, identify functions and activities they can and cannot perform on the company network. Teach employees to identify potential attacks to the system through phishing campaigns, malware, viruses, ransomware, and the ever-growing list of cybercrimes.
All security training must be actively backed and attended by top management to demonstrate the high priority given to this effort. Third parties such as key vendors and clients may also need training on how to correctly navigate and use parts of your company network while applying appropriate security procedures.
The Added Protection of Cyber Insurance
Cyber insurance has become more prevalent over the past decade. The backbone of any good cyber insurance policy is a robust list of perils covered. While cyber insurance policies are becoming rather standard between carriers, they can have significant differences. When reviewing policies, look for these coverages:
Network and Data Security Coverage. Cyber insurance can cover damages to third parties due to issues such as compromised data, privacy leaks, the transmission of computer viruses, “denial of service” interruptions, and failure to notify third parties of a security breach (where required by law).
Loss of Income, Business Interruption, and Extra Expense Coverage. Cyber insurance can cover your lost income and incurred expenses due to a disruption or shutdown of your computer operations caused by a hacker attack, viruses, and other covered perils.
Electronic Media Liability Coverage. Cyber insurance can cover damages from personal injury, copyright violation, and similar perils due to information published on a company Website or via email or social media.
Security Breach Remediation and Notification Expense Coverage. Coverages can include the costs of forensic investigations and legal fees incurred determining the extent of a breach, notifying damaged parties, establishing a call center for third party inquiries, and monitoring credit.
Computer Program and Electronic Data Restoration Expense Coverage. Cyber insurance can cover expenses incurred to restore or recreate your data as well as lost or damaged equipment due to perils such as computer viruses, rogue employee theft, or hacker attacks.
Funds Transfer Fraud Coverage. Most cyber policies cover your direct loss of funds, securities, or other property due to an intruder gaining unauthorized access to your computer system and withdrawing funds.
Cyber Extortion Coverage. Cyber insurance covers costs incurred due to a credible ransomware attack or similar threat from a third party to destroy your data or computer system, disclose third-party information, etc.
While coverage of cyber perils is the backbone of cyber insurance, it is in the area of added security services where carriers can differentiate themselves from the competition. Consider:
- Some insurers are now offering suites of robust risk management resources and services that strengthen your cybersecurity measures, both pre- and post-breach. These often take the form of Web-based risk management portals.
- Insurers also sponsor in-depth Webinars on topics such as developing effective password protocols and teaching employees to recognize and combat phishing emails and other cyber attacks.
- Insurers can also assist with assessments of your current vulnerability, including staging sophisticated hack attacks to test your defensive measures.
- Should you suffer losses, you can receive assistance from your insurance company in tracking the infiltration, identifying the perpetrator, and notifying anyone with compromised data.
Many general liability and commercial insurance packages will include a base level of cyber coverages. However, to obtain a full range of coverages and security services, you need to secure a stand-alone cyber insurance policy.
The New Normal
Shelter in place, social distancing, and other dictates may ease soon, but few expect things to return to the previous “normal” for an extended time — if ever. Even if conditions improve over the coming months, new waves of infections may rise in the fall and winter seasons.
Professional services firms need to, to the best of their abilities, determine how a new normal will impact the way they conduct business and how that new reality impacts cybersecurity. We suggest you apply the recommendations presented here, keep abreast of new developments in cybersecurity, and seek guidance from security and insurance advisors to provide the necessary levels of protection.
Can We Be of Assistance?
We may be able to help you by providing referrals to consultants, and by providing guidance relative to insurance issues, and even to certain preventives, including the development and application of sound human resources management policies and procedures.
Please call on us for assistance.
We’re a member of the Professional Liability Agents Network (PLAN).
WE’RE HERE TO HELP!
Contact us at 800-969-4041 or click here to request a confidential evaluation of your insurance policies and risk management needs.
We may be able to help you by providing referrals to consultants, and by providing guidance relative to insurance issues, and even to certain preventives, including the development and application of sound human resources management policies and procedures. Please call on us for assistance. We’re a member of the Professional Liability Agents Network (PLAN). We’re here to help.