Staying cyber safe in lockdown

Published on Thu, 14/05/2020 - 12:19
Ben Hobby, Partner, Baker Tilly

The cyber threats arising from a growing work-from-home global workforce were addressed in an Airmic LIVE webinar on 27 April by Ben Hobby, Partner, and Bernard Regan, Head of Forensic Technology, at Baker Tilly, a leading forensic advisory firm and Airmic partner.

The webinar, which you can watch back here, was hosted on 27 April. Below, Ben Hobby expands on how an organisation’s response to a cyber breach may materialise and/or be impacted by the restrictions in work practices and travel that we are all experiencing today.

Over my 15 and a bit years of working in London, I have been fortunate to have: a) never needed to compete with fellow commuters on the Tube each morning, and b) always had a short walk of less than five minutes from the station to the office.  

While we have recently moved offices to London Wall Place (very nice they are too), this has not resulted in any substantial change to my commute. The downside, though, is that with the coronavirus crisis, I have only spent a single day in them! When I will get to see the office and my colleagues again is anyone’s guess.  

As of now, like so many people, I am working from home, my commute being the lengthy stroll from the kitchen, up the stairs, to the study.  

For those clients who I will be speaking to by phone in the coming days and weeks, do not worry, I am properly dressed and not just sitting in my pyjamas… 

The impact of coronavirus on the world economy has already produced extensive comment. For those of us who work in business interruption (BI) insurance, there has been a great deal of analysis on whether property insurance policies will actually pay out and how specific policy extensions and wordings will apply. While not discussed to the same extent, the issues for cyber policies are just as significant. 

Secure home working 

For those employees who do not have a company laptop, it is likely that they are using their own computer and an open internet gateway to access their emails to allow them to work from home. These types of machines will potentially have access to sensitive corporate data, but are often without the protections that the corporate IT network provides.  

While many companies operate mobile device management (MDM) tools as a matter of course, it is unclear if every company will have had time to install these onto every personal machine that is now being used for work.  

As for those companies that don’t have MDM tools, there is a strong possibility that the window of opportunity for installing this has closed. 

Most companies nowadays use a virtual private network (VPN) to ensure that employees can securely log in to the company network from remote locations, with any traffic between the employee and the network being encrypted. However, if all employees are trying to log in through the VPN, there is a potential impact on traffic speed.

This issue has already been seen by Netflix, which has lowered streaming quality in Europe to reduce strain on internet service providers. The temptation for companies may be to alter the VPN and firewall rules to counter this issue, but the risk of doing so is that this makes it easier for hackers to gain access to the network. 

Not everybody has a Wi-Fi connection at home and there have consequently been instances of people utilising public internet connections. Putting to one side for the moment the question of how consistent this is with self-isolation, the security of these networks is not always guaranteed.  

In addition, it is then easy to forget a computer, phone, USB stick or physical documents when leaving the public space where you have been using the available internet connection. If the left-behind laptop is a personal device that has been used for work, then this machine may not be appropriately encrypted, meaning the company is left exposed to a data breach risk. 

One certain thing with hackers is that there is no limit to their ingenuity. Any news item can be turned into a phishing opportunity. Emails may be sent to unsuspecting individuals with a link to access, say, new information, never before published, or just a really good deal on hand sanitiser gel.  

The coronavirus crisis is no different – there have been numerous comments on LinkedIn warning of the various scams that are currently out there. 

Cyber response 

All these issues are clearly a million miles away from what counts as normal. However, the premium that cyber insurers will have quoted and then received will be based on what constitutes business as usual. Cyber insurers now face an increased risk of claims occurring, albeit with no associated increase in premiums.

As we know from claims experience, it only takes one person in a company – even if they are working from home – to click on an inappropriate link for hackers to get access to a company’s network, thereby enabling them to employ ransomware, bringing the company to its knees.  

However, in an environment where people are locked down, either by government recommendation or by police and military “encouragement”, what would a cyber incident response look like? 

For those businesses that operate on a single site over a small, uncomplicated network with a couple of servers, I suspect that the incident response will look pretty much like it did before coronavirus. The teams that respond to these incidents are generally small in number, making it easier for the team to keep the required distance from each other. These consultants will also usually be based near the company’s location, meaning that any travel is limited. 

Furthermore, the time taken to rebuild an active directory and restore applications is usually a couple of weeks. This period may be extended by a few days if certain key personnel are working from home or self-isolating, but this should not cause significant delay. 

The bigger picture 

However, life gets more complicated for companies at the other end of the scale. Many multinationals operate networks where there is minimal segregation between countries and business units. This is because of the need for plants in Germany, say, to talk to plants in France – either because they make the same products and are looking at the allocation of production capacity, or because Germany supplies France with product for further processing. 

In our experience, losses of this type require a significant number of external consultants to assist with the investigation itself and the subsequent network rebuild. Many of the company’s own staff will also be involved. 

These consultants and employees are often based in different countries, increasing the need for travel between multiple locations in multiple countries. However, in an environment where international and domestic travel has been severely curtailed, this is simply not going to be possible. 

The consequences may be that the time taken to restore the network, and therefore allow the company to return to business as usual, will increase, as will the extent of any BI loss. By how much though is really up in the air.  

Stronger cyber security 

While this article is not meant to offer any policy advice, providing that companies employ their best endeavours to restore the network as fast as possible, as far as circumstances allow, then it seems unlikely that the increased BI loss would not be covered.  

However, given that the sums insured under cyber policies often bear no resemblance to the actual underlying financial exposure, there is a question as to whether this increased loss would be insured in any event. 

Ultimately, no company wants to be the victim of a cyber attack, but this is doubly the case at present. What this highlights is the increased need for strong cyber security, heightened awareness of the current cyber threat and extra vigilance by all employees. 

During these uncertain times, may you all stay (cyber) safe.

This article was originally printed in the Insurance Insider.