Many businesses have been encouraging and / or supporting home working with their employees during this latest crisis, but many may not have considered cyber security, and whether it is as strong at home as it is at work.
The background to the risks
With the advent of the Covid-19 lock down and with the elderly and infirm at particular risk, the cyber-criminal “community” is trying to take advantage. The internet is awash with stories of phishing attacks designed to extort personal credentials and money from individuals and from our businesses.
Criminals copy bona fide organisations logos and styles to show convincing credentials, these could be those of banks, governmental bodies, the NHS or even, we understand, the World Health Organisation.
Criminals know that, in these times of crisis, people are desperate for information. With this in mind, hackers and criminal gangs construct phishing emails and bogus websites to lure people in with the promise of information and even financial incentives, known as “baiting techniques”, all associated with the pandemic.
None of this is particularly surprising, even if it is distasteful. Britain did this in the second world war, convincing the Nazis that an invasion would come from Dover rather than Normandy!
Cyber criminals have been at this for a long-time taking advantage of the vulnerable through basic social engineering techniques. The use of Malware, Computer Virus and blackmail is very well documented. After Covid-19, I am sure that criminals will look to exploit the next disaster, whether that be climate change, other future diseases or financial crashes.
As an example, we recently had a claim for just short of £100,000 for a spear phishing attack, fortunately cyber crime was insured and the insurer agreed to pay within 24 hours, but it is so much better not to get caught out in the first place.
We want all of our clients, staff and friends to be safe!
Communication networks
In some cases, employees are left to use their own equipment to connect to the Internet. Even where the use of a Virtual Private Network (VPN) is compulsory for access to remote company or organisational resources, unsecured and poorly configured Wifi networks are often evident at home. This could potentially lead to theft of sensitive data, poor network quality (affecting productivity) and huge exposure to cyber-crime involving the infection of home equipment.
Personal Devices
Increases in home working can lead a relaxation of standards when it comes to “which” devices are used to conduct business. Many of our homes are now littered with internet accessible devices any of which could potentially be used for work. The failure of a mobile phone or a laptop can force workers to look for alternatives and the alternatives, perhaps a child’s device, will usually not have been configured with security in mind. A malware infection is not such a big issue whilst all that was available to the criminals was last week’s homework, but now that device could have confidential information on it, matters could go very wrong very quickly.
Risk Management
When it comes to network and device use, you should consider making the following compulsory:
Strong passwords on home routers and devices
Compulsory use of VPNs when conducting business from any device
Multi-factor authentication for use of corporate applications
Compulsory use of a reputable Anti-Virus software with firewall protection
Compulsory and provable updates to Operating Systems including latest security patching
Mandated and managed system backups for all home devices that may be used for work purposes.
There are no easy answers, the risks are very much about people as they are about technology.
Staff education
Employees are exposed to different and more cyber threats at home than they tend to be in the office. This is because whilst at work, they are within the relatively secure confines of a “firewall” environment, physical security is tight, and they have the support of the IT department or provider.
It is different at home. Device and network issues create opportunities for a cyber-criminal to exploit and these, together with a lack of knowledge concerning the origin of such threats and what to do to avoid them, can wreak havoc on the home network and therefore business resources.
People are often referred to as the “weakest link” in cyber security but in reality, when they are well-educated and engaged, they can form a strong part of your cyber defence. To get them to engage we suggest:
Creating custom-built cyber security training that is engaging, competitive, fun and specifically tuned to the home-working environment.
If necessary, and some of our insurer partners help in this area, engage third-party specialists.
Train families. Our children are just as exposed as we are.
Tell your staff to be sceptical, they should not just clink on links without thought.
If in any doubt, either do some research prior to opening a link or speak to your IT provider / department.
We need to ensure that our employees, our families and our friends are alert and ready to spot these types of attacks.
Insurance Options
You can insure your cyber risks. These can be for damage to your computer systems, for damage that you do to others, for instance the onward transmission of a virus, or indeed against the costs of cyber-crime. We have a wealth of experience and expertise in this sector and would be happy to discuss your requirements with you.
Finally, stay safe, be aware and stay indoors. Together we can all stop this pandemic and life can return to normal.