Our Cyber CEO, Gareth Wharton, explains how businesses can use findings from The Hiscox Cyber Readiness Report 2020 to become ‘cyber ready’ in the post-COVID-19 world.
What have we learnt from COVID-19? If anything, it’s taught us to prepare for the unexpected. However, this should be the stance all prudent businesses adopt towards the current cyber threat. While our 2020 Hiscox Cyber Readiness Report findings were gathered before the pandemic, many of the learnings are entirely relevant to the challenges businesses have faced due to COVID-19.
A good example of this would be COVID-19 related phishing attempts. Many commentators have suggested that there has been a massive rise in phishing attacks, but when we dig into this in more detail, what is actually happening is that the overall levels of phishing attacks haven’t significantly increased, but the percentage using COVID-19 related lures has.
Recently, Google says it blocked 18 million COVID-19-themed phishing emails targeting Gmail users1. This would represent about 2.5% of the 100 million phishing emails Google said it blocked daily in 2019. In addition, Microsoft said recently “of the millions of targeted messages we see each day, roughly 60,000 include COVID-19-related malicious attachments or malicious URLs”2.
While that number sounds very large, it’s important to note that it‘s less than 2% of the total volume of threats we actively track and protect against daily, which reinforces that the overall volume of threats is not increasing. Attackers are, however, shifting their techniques to capitalise on fear.
The Hiscox Cyber Readiness Report, now in its fourth year, surveyed a representative sample of over 5,500 private and public sector organisations in the US, UK, Belgium, France, Germany, Spain, the Netherlands and Ireland. Each firm was assessed on its cyber security strategy and execution, and ranked according to a cyber readiness model.
So, what can we learn from the experts?
- Do the basics well: Identify every device in the organization. Back data up off-site and learn from each incident or breach. Experts are more likely to up their game following a breach through regular security evaluation, ensuring additional security and audit requirements are in place and increasing crisis management.
- Follow a framework: Make sure that all the virtual doors and windows are shut. A framework, such as the one created by the US National Institute of Standards and Technology, is built around five imperatives – identify, protect, detect, respond and recover – and provides a useful checklist. On average, experts pursue twice as many initiatives in all five areas as novices.
- Don’t penny pinch: Cyber experts direct a larger portion of their IT budgets to cyber security and more of them plan to lift spending in every cyber-related area in the year ahead. In simple terms, the more people a company devotes to cyber security, the more likely it is to rank as an expert.
- Invest in training: Novices suffered more breaches resulting from successful phishing and malware attacks. Regular training to drive awareness throughout the workforce is vital. This is only partly an issue of resources. Nearly three quarters of the micro businesses ranked as experts intend to prioritise the roll-out of effective employee training in the coming year.
- Get management involved: Nine out of ten experts agree that cyber security is a top priority for executive management. Only half of novices feel able to say the same. When it comes to priorities for the coming year, only a quarter of micro firms ranked as novices recognised the need to enhance executive management engagement in cyber security policies.
- Build resilience: No business will ever be completely secure. But all can build resilience by preparing for a breach, testing for it and having the capability to respond quickly and effectively. A standalone cyber insurance policy helps build that resilience through certainty of cover and specialist expertise such as risk assessment, crisis management and training.
While it’s important that we keep the threat in perspective, there are examples where COVID-19 has created new threats. These include:
- Remote working increases attack surface: As companies roll-out remote working solutions, not only are potentially less secure devices being connected to corporate networks, but rapidly rolled out remote access solutions may lack the thorough security testing that would have taken place in more stable times.
- Lack of co-worker conversations: Typically when we receive suspicious emails, we might turn to a colleague and ask ‘I just got this email, did you get it? Do you think it’s suspicious?’ This isn’t an option currently, so there’s a chance that more phishing emails will succeed.
- We are all looking for information: In these uncertain times, we are all looking for answers, and there’s an increased thirst for information, which means we’re more likely to click on links or articles that we find online or are shared through our social networks.
The forced digital revolution that is taking place – driven by remote working, and retail stores needing to create a robust online presence – also brings new risks:
- Constrained budgets may reduce headcount and new projects. Fewer people supporting cyber-security and/or a pause on updating or purchasing new security systems may have harmful outcomes. Hopefully, however, cyber security budgets remain fixed in the short-term to ensure there‘s no degradation in security practices.
- Many companies are scrambling to create an online presence for trading with customers. Security risks may arise as traditionally bricks and mortar shops move online quickly. They may not have time to do full product review, nor the experience to run a web shop, which creates security vulnerabilities. This is true for businesses of all sizes.
Finally, I wanted to share examples of two claims we have seen that are specific to COVID-19:
Example one - In March, a UK-based small-medium-sized enterprise (SME) had data stolen from a database estimated to contain approximately 2,000 personal records. The data belongs to a third party who the insured was developing a website for. The attackers requested a ransom in Bitcoin in return for the data. The attack appears to have made use of an open database connection on a desktop machine that was taken home by an employee to work remotely during the COVID-19 lockdown.
Ordinarily, the corporate on-premise network firewall would have prevented this connection from being made, but once the machine was physically moved to the home of an employee this firewall protection was no longer applicable. Instead, network security became dependent on the security features of the employee’s home router.
The ‘so what’…
This case highlights the need to consider the security impact of moving devices which under normal conditions would not leave a corporate office, and to give consideration for the use of host and network-based firewalls at all times.
Example two - In March, a US company experienced a ransomware attack where all of the servers on its network were encrypted. Although this was discovered in mid-March, investigations show that the attack may have spread from a single infected PC that had been dormant since January 2020. The infected PC was given to an employee (so they could work at home in response to the COVID-19 lockdown) who connected it to the network, which unknowingly caused the ransomware to spread.
The ‘so what’…
This is a good example of why it is important to inspect decommissioned or dormant devices before re-commissioning them for use, even if they’ve been previously wiped clean by internal IT teams or a third party. It’s especially important during this time when many additional and potentially less secure devices are being issued to employees for remote working.