We’ve all watched the wildlife documentaries and know what happens when animals get separated from the herd. “Don’t do it,” we can hear you scream, “there’s a lion hidden in the grass!” Separation from the herd is extremely dangerous in the wild.
There’s a human experiment going on right now of a very similar nature. Hundreds of thousands, if not millions, of businesses have closed their offices as a result of the COVID-19/coronavirus pandemic, and sent their employees to work from home for the foreseeable future.
One of the unintended consequences of this is that it creates vulnerabilities in your cyber security framework, and there are predators out there taking advantage.
Working from home creates vulnerabilities in two main areas:
Your company has probably established a process for you to access its network and data from outside the local (office) network. You may be using a Virtual Private Network (VPN) and using one of many Remote Desktop Protocols (RDP) to connect with your computer at the office. Theoretically, there are a number of viable and secure ways to do this.
However, if you are at home, doing this from your personal computer or laptop, it has likely not been secured to the same degree as your company equipment. You may be using fairly low-grade, free anti-virus software on your personal computer which may not have the latest upgrades and patches, and is unlikely to offer the same level of protection.
In addition, your company may not have set up Multi-Factor Authentication, which adds a much-needed layer of protection through a separate device.
In the course of using your personal laptop or computer you may have picked up various pieces of malware such as a key-logger, or other spyware which lets hackers know exactly what you are doing on your machine. From this, they can determine your company username, password and how you access your company network. They can then recreate the same access to your company’s network, and once inside, are free to cause damage.
So although in theory your company may have deployed a very secure remote entry to its network, the point of entry itself becomes the biggest vulnerability.
As in the animal kingdom, we’re stronger and better defended in herds. When you’re at the office, if you receive an e-mail with a suspicious-looking link, or an e-mail from the president of your company asking for an urgent favour, it’s easy to turn to the person next to you and ask for their opinion before clicking or replying.
Many people will be working from home for the first time. Perhaps they’re even new to the organization so still relatively unfamiliar with normal practices, and may be keen to impress. Even in a typical office setting, the human factor is reportedly accountable for over 80% of cyber crime as people fall prey to standard phishing or social engineering scams.
What happens, then, when they are at home with no one to physically turn to and ask for a second opinion? What happens when cyber criminals make use of the coronavirus pandemic to create hoax e-mails targeting unsuspecting people?
CFC Underwriting, a global and Canadian pioneer and leader in cyber insurance, have already discovered new scams of this precise nature. One such scam relates to e-mails impersonating the World Health Organization, asking recipients to “click the button below to download Safety Measure”, leading to the capture of the user’s personal credentials. CFC also reports an increase in fraudulent websites claiming to sell protective equipment (e.g. face masks), which simply take money and do not deliver the promised goods.
It seems likely that the current situation will continue for at least the next month if not longer. Once the dust has settled, and people get used to the benefits of working from home, perhaps the toothpaste won’t go back into the tube, and increased working from home will be with us to stay.
There are a number of steps you can take to limit your exposure and keep your network and data safe, and avoid costly cyber crime:
The general answer to this question is “Yes”. If your business has moved to 100% work-from-home as a result of this pandemic, your cyber insurer should continue to protect you, and you should not need to call them to change your policy.
In fact, we asked Lindsey Nelson, Cyber Development Leader at CFC Underwriting for her thoughts on this point. According to Lindsey:
“Clearly terms and conditions of all policies vary and the specifics of any individual case must be considered under the exact wording it has been placed upon. However, as a general view, nearly all our clients already engage in remote working and this is a normal part of their business operations. Data is routinely passed over the corporate network and beyond, including to employees’ personal devices. An increase in remote working is not typically something we would seek insureds to declare mid-term, and as such our policies will continue to be interpreted in the same way as they have always been for this situation.
It is a good time however to look at other cyber policy wordings if not a CFC policy – there are still a lot of conditions or exclusions around this in the market when referring to what’s defined as a computer system, and warranties around system conditions, back-up procedures, etc.”
To be sure that your coverage is sufficient in the current environment, please refer to your cyber insurance policy or speak with your broker. Of course, if and when you next renew your policy, it’s important to update your broker and insurer about any changes to your business, including a shift towards working from home.
Mitchell & Whale is a fast-growing insurance brokerage in Ontario, striving to make insurance _not suck_ one customer at a time. Give us a call today to discuss any of your insurance needs at 1.800.731.2228.