Maintaining Cyber Resilience in the COVID-19 World
In our February Risk Alert we outlined the major cyber challenges facing businesses in Asia as the “work-from-home” mobilisation began. Now that COVID-19 is truly global, working remotely is the new normal and the integrity and availability of data and systems has never been more important. In this Risk Alert, we update our advice on managing cyber threats and maintaining cyber resilience.
COVID-19 has transformed the way we work in order to deliver results for clients and stakeholders. For organisations to survive and thrive in this brave new world, maintaining cyber resilience is paramount. In our last risk alert, as COVID-19 swept across Asia, we highlighted these three key areas of focus:
- Defend Against the Phishing Wave: We were already seeing evidence of COVID-19 related phishing attacks in February, and more recently our international colleagues discussed the threat in this blog post. As we discuss below, this has only increased as the virus has spread.
- Test System Preparedness: As “work from home” protocols were beginning to be introduced, we discussed measures an organisation could take to ensure a smooth transition.
- Brace for Disruption: Acknowledging that preventative measures could only go so far, we looked at how companies could prepare for effective cyber incident response.
As the situation evolves, we take a closer look at three major cyber threats currently facing organisations:
- Phishing, Vishing and Smishing – according to multiple reports from companies involved with threat intelligence, there has been a significant increase in malicious email traffic over the last month when compared to the corresponding period in 2019. As many of those emails are masquerading as official correspondence regarding COVID-19, the Monetary Authority of Singapore, the United Nations and the World Health Organisation have all distributed notices about the threat.
Vishing (via telephone) and Smishing (via text message or WhatsApp) attacks have also increased in frequency, and in a work from home environment where colleagues and clients are increasingly connecting via mobile phones, vulnerability increases. Short message attacks will generally seek to redirect a victim to a compromised website in order to harvest user credentials.
- Social Engineering – phishing, vishing and smishing attacks all seek to manipulate individual behaviour but the attack most commonly referred to as social engineering involves a fraudulent request for funds made from either a compromised business email account or an email address masquerading as a genuine account. This has been a popular and effective method for malicious actors and is likely to prove more effective in an environment where it is more difficult for employees to verify instructions (e.g. by checking with a colleague in-person).
This intersection of cyber and crime exposure, which has caused more than USD 12 billion in international losses in less than five years, is discussed in more detail among other major cyber risks in Aon's 2020 Cyber Security Risk Report.
- Non-malicious disruption – while ransomware and denial of service attacks are a threat to system availability, the increased internal and external traffic company networks are facing puts them at risk of non-malicious disruption events, which can be equally costly.
In Australia, a “significant distributed-denial-of-service attack” was initially blamed for a disruption to the MyGov website before the Government conceded that the website had simply been overloaded with requests. Reports have also emerged out of the US that a system failure at an online trading house disabled all trading for two days, causing immediate financial losses and erosion of client confidence.
Recognising these threats is an important first step, but companies will be differentiated by how they respond to the increased risk. Technological measures are critical and include, among other things, firewalls, anti-virus and Endpoint Detection and Response Software, the use of multi-factor authentication and virtual private networks, data encryption and load-testing of systems.
From a less technical perspective (taking an enterprise risk view of the threat), these are the three steps we recommend companies consider immediately (and all can be done from the comfort of your own home):
- Training and education – companies should, in the ordinary course of business, be simulating spear phishing attacks against employees on a regular basis, given the prevalence of this threat. Best-in-class phishing training will evolve with the threat landscape and be relevant to the COVID-19 situation. Simulating attacks which promise more information about the situation or which masquerade as IT Helpdesk performing a work-from-home check will allow you to improve the defensive skills of your employees and measure your organisation’s true resilience in the face of a heightened risk.
- Planning – organisations will have discovered that emergency response and business continuity plans may not have anticipated the COVID-19 situation. There remains an opportunity to plan for further risks that the situation presents, including the cyber threats highlighted above. Senior executives working from home will likely be playing out multiple contingencies and should build cyber threats into those scenarios.
Tabletop cyber crisis simulations have been a popular means for companies to rehearse incident response – conducting these exercises remotely adds an element of challenge but may also prove more realistic.
- Tailored insurance solutions – companies bracing for the inevitable economic fallout of COVID-19 can look to risk transfer to minimise the impact of cyber incidents. To meet the threats identified above, a considered approach to the insurance market is recommended.
Most cyber insurance policies will respond broadly to malicious phishing threats, but cover is variable and nuanced around non-malicious business interruption. Similarly, cyber insurance policies can be extended to add a degree of crime cover but this is generally resisted, as insurers look to address this risk via commercial crime policies (and even in those policies, particular language is required to cover social engineering losses).
Aon is here to help through these trying times, be that through sharing information about risk and market trends, making the right introduction to an appropriate service provider, or offering our unmatched range of security, consulting and insurance services to address your cyber needs.