The Cyber Risks of Working Remotely
These are unprecedented times for business as we navigate the pandemic crisis with the continually evolving realities of Covid-19 and its global impact.
Global Pandemic: The Ideal Environment for Cyber Criminals
Millions of people suddenly forced to work from home have created a digitally hospitable environment in which cyber criminals can exploit strained IT systems, weak home Wi-Fi networks, and the lack of encryption on home resources. Further, employers are unable to fully monitor employees and their workstations.
Cyber Threats Explained
Phishing: cyber criminals pose as a trusted organization/source in order to acquire sensitive information. Phishing is one of the leading cyber threats. In today’s pandemic crisis, we have already witnessed criminals posing as legitimate health resources such as WHO (World Health Organization), the Red Cross, your local hospital, etc., advertising desperately needed medical supplies. Phishing emails may appear incredibly legitimate, with perfectly replicated logos and brand-specific wording, impersonating top managers/owners of organizations. These emails inevitably apply pressure on the receiver to immediately and urgently provide a payment of some kind. NOTE: many phishing incidents have occurred in the past when employees were working remotely!
Ransomware: malicious actors attempt to encrypt your data and extort a ransom in exchange for the “unlock code” you need to access your data again. Ransomware is typically delivered to you via email.
Hacking: criminals can gain access to IT systems to access financial data and intellectual property. This is often accomplished through social engineering in which employees are conned into providing their names and passwords.
Insider Threat: your employees (past or present) can inadvertently or maliciously leak data.
Data Leakage: data thieves are achieving unprecedented success in accessing the personal devices of employees who are, for example, working from home and using these devices professionally.
Protecting Your Business
The following advice is designed to help protect you and your business from cyber threats. Businesses must take responsibility for educating their employees, monitoring the safeguards employees apply to their home networks, and offering the necessary IT support to facilitate a cyber-safe home work environment.
- VPNs, network infrastructure, and all devices must be updated as soon as possible.
- Employees must be notified of the rapidly increasing incidence of phishing attacks and offered guidance and training in knowing how to identify potential attacks.
- It is imperative and the law that businesses report all phishing attacks; failure to do so can lead to significant penalties. Also, banks will not reimburse for a funds transfer loss resulting from your negligence. IT security teams must monitor logs/devices and be prepared for incident reporting and recovery.
- Multifactor Authentication (MFA) should be implemented on all VPN connections.
- The VPN network should be routinely monitored for limitations in its mass storage capabilities.
- Employees should never use public Wi-Fi, even when using a VPN.
- Password management is essential! Unique passwords should be used on all accounts; recycling passwords is never recommended.
- All employees must be vigilant about cyber threats and the various ways they appear. New fraudulent apps and websites are being created daily. Employees should be made aware that it’s a good rule of thumb to NEVER respond to emails or click on links received from suspicious senders.
- Pick up the Phone! Phoning a client or colleague whenever possible is a relatively simple and safe alternative to email or texting.
A Few Words About Cyber Security and Your Coverage:
Today’s pandemic realities make all businesses and their employees working from home potentially vulnerable to IT interruption and cyber security threats. Assess your current policy’s coverage and speak to your broker about the specifics of your policy and how they relate to your current needs. Data breaches, adequacy of first-party coverages and limits, implications of third-party hosting and rogue employees, encryption warranties, and social engineering/phishing call-back provisions are all important considerations to discuss with your broker.