by Jim Taylor | Apr 27, 2023 | Business Insurance, Cyber Security
As workers increasingly use personal devices in the course of their workday, an inviting pathway has emerged for cybercriminals seeking access to your company’s sensitive data. Research shows that a significant number of data security personnel, as well as many senior executives, are aware of the possible security risks that come with the increasingly popular remote and hybrid work options.
According to the FTI Consulting report, “The Most Valuable, Vulnerable Commodity: Data Establishes a New Era of Digital Insights & Risk Management,” 91% of data security personnel have personally experienced the negative implications posed by remote and hybrid work.
The report further states that:
- 45% believe that working remotely or using the hybrid model has increased the risk of data breaches.
- 41% have reported data shared on devices, networks, and systems that do not comply with their security standards.
- 38% of respondents felt their business is more vulnerable to malicious acts due to remote working and the potential avenues for unauthorized access to company data.
In fact, digital risk is quickly becoming a greater concern than other, more traditional sources of company risk.
Research Shows…
During the COVID-19 pandemic, many companies drastically switched to remote work schedules in a very short timeframe with the primary goal of safeguarding their employees’ well-being. Employers reluctant to lose valued workers by forcing them to return to the office have allowed remote work to become a standard option in many occupations.
Unfortunately, this has had the predictable effect of causing a corresponding 238% increase in cybersecurity incidents, according to a 2022 Alliance Virtual Offices report.
Available online data is increasing not only in terms of quantity but also in terms of variety. With more sophisticated tools and platforms supporting remote collaboration, a diversity of new data types and formats has surfaced. This can be a great resource for businesses if it is handled responsibly. However, it also has the potential for disastrous consequences without proper precautions.
Companies with remote employees frequently allow their staff to use their own devices instead of those provided by the company. These “Bring Your Own Device” (B.Y.O.D.) policies present huge security risks: personal devices usually come with vulnerabilities like outdated software and insufficient network controls, making it difficult for security specialists to protect company data from potential threats.
Cybercriminals can find methods of getting personal data from devices faster than companies can protect it, which is indicative of their advanced tactics and strategies. Criminals are shifting their efforts to exploit those vulnerabilities by altering how they target employees.
Where businesses have spent decades safeguarding their digital assets from cyber threats like ransomware attacks and data breaches with firewalls and intrusion detection systems, employees are now working outside the perimeter of those protections. Therefore, it may be necessary to have BYOD policies allowing employees to access company networks on their personal laptops, smartphones, or tablets, provided they have sufficient protection.
Remote Working Cybersecurity Risks
Telecommuting increases the chances of data breaches, as there are multiple threats associated with working from home. Businesses should be aware of the most common potential cyber risks and have sufficient protection measures in place.
The areas of growing concern include the following:
- Increased attack surfaces
- Shortage of security talent
- Insufficient security staff oversight
- Risky data practices
- Susceptibility to phishing
- Vulnerable unsecured hardware
- Vulnerable unsecured networks
- Access and enabling technology vulnerabilities
The effects of poor security practices can be extreme. Studies show that companies with more than 80% of their employees working remotely incurred a loss of $5.1 million due to data breaches in 2022. Companies with a smaller portion of their staff (20%) working remotely paid an average of $4 million, which is still significant.
Although it may not be possible for companies to do away with remote work schedules, there are things that companies can do to protect themselves. Cybersecurity should be a priority.
What Is the Answer?
Businesses that prioritize cyber-safety should analyze their cyber-liability insurance policies. These policies usually contain detailed security procedures that companies must follow to be eligible for full coverage, making them a great source of info on the most up-to-date practices.
Staying protected in the era of BYOD is an ongoing challenge. To address this, businesses should create incident response playbooks that describe how to handle and contain data security incidents when they occur. By doing so, it’s possible to minimize the damage and get back on track more quickly. Following that with practice runs can take the strategy to the next level.
The pandemic brought remote working to a greater number of businesses and that isn’t going anywhere. Therefore, it is wise to embrace it and take steps to protect the company.
by Carolyn Kick | Apr 28, 2020 | Business Insurance, COVID-19 Resources, Cyber Security
The COVID-19 outbreak is changing how companies operate. While it is having a profound impact on supply chains and the nature of demand, the most direct impact is the fact that most people are confined to their homes. Many companies are now working fully remote, including some that had never had remote work policies in the past.
There are many considerations around the transition to remote work. The first ones that come to most employers’ minds are generally how to maintain productivity, communication, and morale while team members are working in isolation.
But working remotely also comes with significant cybersecurity risk ramifications. Company networks are inherently spread thin and ultimately rely on employees’ home network security to keep company data safe. Many companies’ cybersecurity practices just aren’t built around remote work and they will have to adapt to keep themselves safe.
Luckily, just a few additional measures can greatly mitigate your cybersecurity risks during the COVID-19 outbreak. Let’s take a look at the risks and how to tackle them, including:
- Why the outbreak creates openings for cyberattacks
- How to mitigate your company’s risks
- Protecting employees and their devices
- Business insurance coverage for cyberattacks against remote networks
Why COVID-19 Creates Opportunities for Cyberattacks
The main reason why the COVID-19 outbreak is changing the nature of cybersecurity is that just about everyone that can is now working remotely. Instead of operating as a closed system, companies’ networks now include each employee’s home networks and devices. And a distributed network is inherently harder to protect: you can’t just throw a firewall around it. Not to mention, most existing strategies and policies are focused around protecting the company networks and do not work for distributed or bridged networks.
Employees’ home networks are the most significant gap in your cyber protections. Unfortunately, VPNs and other standard protective measures only cover communications between home devices and company networks. They do not protect the home devices themselves or home networks. That means any company data stored on the devices is much more easily compromised by cyberattacks.
But on top of the technological challenges posed by the COVID-19 outbreak, the coronavirus is also creating opportunities for successful cyberattacks that rely upon the fear, isolation, and ignorance of people amid the outbreak. Phishing attacks related to the virus have increased more than six-fold in the past month and tens of thousands of people have clicked on malicious links that used the topic of the virus as bait. As a result, the total number of hits on malicious links nearly tripled from February to March.
What this means is that your employees are simply more likely to fall victim to malware, eCommerce fraud, or other cyberattacks thanks to the COVID-19 outbreak. And when they do, they may inadvertently compromise their devices and your company data.
Minimize Your Risk
Cybersecurity risk management is a multi-tiered process that starts with avoiding and defending against attacks. If that fails, then you need to mitigate the damage from successful attacks and transfer the risk away from the company. While it is always better to stop an attack from being successful in the first place, you should still have plans and processes in place to handle the situation in case it occurs.
So, how do you stop cyberattacks from compromising your remote work operations? The first step is to implement strong endpoint protection on all employee devices that will be used for work. Endpoint protection software is a bit like an evolved form of antivirus software: it takes a more comprehensive and proactive approach to threat prevention, detection, and defense.
Next, you need to educate employees and set standards for their home networks. Employees should use networks secured by a strong and unique password. Then, you should make sure that only authorized IP addresses can access your data and networks. IP blacklists, multi-factor authentication, and identity management solutions can go a long way towards protecting your data during the outbreak. Finally, make sure that all of your standard protection measures are also in place and up-to-date. This includes VPNs and firewalls that protect your company networks from any attacks.
But if these measures fail, it’s time to mitigate the damage. That means implementing effective intrusion detection to discover a breach and start addressing it as quickly as possible. Ideally, these systems will tell you not just that there has been a breach but what systems were accessed. That can help you diagnose the damage and formulate your response. Another option is a managed detection and response system that combines software with hands-on attention from security experts for added protection.
It is just as important to minimize disruption to your systems and workflow. Many attacks try to damage or destroy data, not just steal it. So, regularly back up all data in multiple locations to ensure that you don’t lose anything.
Finally, transfer the risks through business insurance coverage. As we’ll explore in detail later in this post, your business insurance will likely cover the damage from a successful cyberattack even if the attack was against an employee’s device or happened while the employee was working remotely.
Protect Your Employees
As we discussed earlier, remote work is not the only driver of cybercrime during the COVID-19 outbreak. Most attacks have to do with the virus itself, using outbreak-related lures to get people to click malicious links or even taking advantage of CARES Act stimulus payments to steal information and money from susceptible businesses.
While many of these attacks will target the individuals themselves – trying to gain access to their bank accounts or vital identity information – employers should still do everything they can to protect employees from falling victim to such attacks. Not only is it the right thing to do to take care of your team members, but the attacks can also compromise employees’ work devices and present cybersecurity risks. Just because an attacker planned to go after an employee’s bank account doesn’t mean that they won’t pick up some valuable company data along the way, especially if it is low-hanging fruit.
So what can you do to protect your employees? In addition to providing powerful antivirus software, you need to educate and reassure. COVID-19 cyber-attacks feed on fear, isolation, and misinformation. Providing support and correct information about both the COVID-19 outbreak and common scams is the best countermeasure once your technology solutions are all sound and in place.
Work with your IT team, business insurance broker, HR consultants, and any other stakeholders to put together resources to inform employees about how to identify possible scams or malware attacks, and what to do if they think they may have clicked a malicious link or compromised their device. And work with your HR advisor to create outbreak-related resources that will fill the COVID-19 information gap so that employees are less likely to click the links in the first place. Finally, do everything that you can to minimize fear and isolation by keeping employees connected, engaged, and healthy in mind and body during the quarantine. Not only will this help minimize cybersecurity risks, but it will help your remote team work more effectively as well.
Know Your Business Insurance Coverage
If things do go wrong, will your business insurance protect you from the damages?
By and large, the answer is yes. There are several “triggers” that will cause your business insurance to kick in and which apply in the case of a cybersecurity breach from a remote employee.
A privacy insuring agreement may cover any damages if the attack results in the following privacy triggers. First, illegal access to company information is likely covered because your company will have been the victim of a crime. Secondly, if company information is compromised due to a cyberattack on an employee’s device, that may count as violating an NDA, a common privacy trigger in business insurance policies.
But a security insuring agreement will often also apply. When someone is working from home, their computer and network will generally count as the company’s computer and network and thus be covered if attacked. This is especially true if they use a company device while working from home.
Keep in mind, though, that some insurers require a formal “Bring Your Own Device” policy with employees for them to cover the damages. This policy needs to outline safety measures and proper conduct that employees have to follow when using their device. So it is a good idea to have your employees sign such an agreement now that they are working remotely.
When in doubt, ask your insurer and business insurance broker about your cyber insurance to find out the details of your coverage. But if you have the correct policies in place, there is a good chance that you will be covered if your security measures fail.
Key Takeaways
There are many considerations when it comes to protecting company data, networks, and devices during the COVID-19 outbreak. Hopefully this article has given you a solid roadmap to start formulating your defense strategy and helped you figure out the right questions to ask your IT and business insurance providers. Just remember:
- Remote work means a distributed network, with added security risks and possible entry points for attacks
- The outbreak has many people scared and looking for help, creating opportunities for attacks
- Educating employees about proper security measures, real information about the outbreak, and how to avoid falling victim to cybercrime goes a long way to protecting their data and the company’s data
- IT considerations to protect against cyberattacks during the outbreak include endpoint protection, intrusion detection, regular backups, home network security, and up-to-date antivirus, firewalls, and VPNs
- Working with your business insurance broker to ensure you have the correct cyber liability policies in place is crucial during this time
by Tim Taylor | Apr 11, 2018 | Business Insurance, Cyber Security
It’s not uncommon to hear about large cyber attacks on high-profile companies like Target or Sears. For many organizations, hearing about these attacks has raised awareness about the potential threat of a cyber attack.
However, recent surveys by the Small Business Authority and the National Cybersecurity Alliance suggest that many small business owners operate under the false assumption they are safe from the threat of a cyber attack.
A common misconception is that hackers only target large organizations. The truth is, businesses of any size can be targeted. And when it comes down to it, small businesses are less likely to have the correct processes in place to protect themselves from a cyber threat.
Studies by the Small Business Authority indicate that many small businesses are grossly underprepared to prevent and/or defuse a cyber threat. For example:
- Less than 50% of small businesses have cyber security measures in place
- Of the 50% of businesses with cyber security measures, a majority of the protections are rudimentary at best
- Only 25% of small business owners have had an outside source test their computer systems to ensure they’re hacker-proof
- 40% of small businesses do not have their data backed up in more than one location
Small Doesn’t Equal Safe
More often than not, small business owners believe they are not at risk for cyber threats. In fact, despite widespread cyber attacks in recent years, 85% of small business owners believe their business is safe from hackers, viruses, malware, or a data breach.
Although many business owners mistakenly believe hackers would prefer to target large organizations, this is entirely untrue. A cyber attack can affect any organization of any size at any time if the appropriate protective measures are not taken. In fact, a study by Symantec found that 40% of cyber attacks are against organizations with fewer than 500 employees.
The Effect of a Cyber Attack on Your Bottom Line
The fact of the matter is that a cyber attack can have devastating consequences for your organization. According to Kaspersky Lab, the average cost of a cyber attack to a small-to-medium-sized business is +$200,000. This same study found that 60% of businesses that experienced a cyber attack closed permanently within six months of the attack.
The unfortunate truth is that a majority of these attacks could have been prevented with the appropriate precautions in place.
10 Steps You Can Take Today to Prevent Cyber Attacks
Even if you don’t have the resources to overhaul your cybersecurity measures, there are many steps you can take to increase your security. Here are ten steps you can take today to lower your risk of a cyber attack:
- Train employees in basic cybersecurity principles.
- Install and regularly update antivirus and antispyware software on every computer used at your business.
- Use a firewall for your internet connection.
- Download and install software updates for your operating systems as soon as they become available.
- Make backup copies of important business data and information.
- Control physical access to your computers and network components.
- Secure your Wi-Fi networks. If your workplace has a Wi-Fi network, make sure it is secure and hidden.
- Require individual user accounts for each employee.
- Limit employee access to data and information and limit authority to install software.
- Regularly change your passwords, and make it mandatory for all employees to change their password every three months.
Cyber Security Key Takeaways
- Any size business can be affected by a cyber attack
- Most small business owners do not have the appropriate procedures and precautions in place to protect their business from cyber threats
- A cybersecurity attack can have a detrimental financial impact on your business
- There are small steps you can take today to reduce your risk of falling victim to a costly cyber attack