With millions working from home after an almost instantaneous move to remote working in March, the cyber landscape changed overnight while many were focused on other priorities, says Mark Brannon, Commercial Director, Towergate.
This sudden, unforeseen and drastic change, combined with multiple distractions, presented a huge challenge for many organisations, and a prime opportunity for cyber criminals.
In addition to the weakened ‘offnet’ infrastructure, home wi-fi and personal device vulnerability, employees working remotely are more prone to human error. Many people will already be feeling vulnerable without colleagues around them to sense-check an email, or may be multi-tasking with care commitments and general distractions not faced in an office.
This shift in behaviours is pivotal, given around three quarters of cyber claims are caused by human error.
Like most common criminals, cyber criminals are opportunists and quickly exploited the situation, launching phishing attacks that preyed on employees’ fears and vulnerabilities, including emails offering Covid-19 related tax relief, hand sanitisers and face masks, together with warnings about breaking new lockdown rules.
As Graeme Newman from CFC Underwriting has said for some time, “businesses in the cyber world are not targeted because they’re valuable, they’re targeted because they’re vulnerable. And that is what a lot of smaller businesses miss.” He has been proven right again.
Ransomware, which has become much more common and far more sophisticated, is a primary concern. What used to be a scattergun approach focused on encrypting systems and preventing access is now more targeted, and criminals are likely to also steal personal data held by the company, threatening to publish it if the ransom isn’t paid. This presents reputational risk, as well as a potential data protection fine and notification costs.
Another notable change is the ransom demands. Not only has the amount substantially increased, but because the hackers have often accessed company accounts, the demands are also ‘realistic’ in the sense that the hackers know the company has the funds to pay, and often make this known. As recently as three years ago a typical extortion demand would average in the low thousands; demands are now routinely high six-figure or million-pound sums.
Another emerging trend this year has been cyber-attacks on managed service providers (MSPs). This creates huge vulnerabilities for businesses that outsource hosting or services to third parties: when the provider is attacked, they become the victims caught in the crosshairs. Blackbaud was a perfect example of that in action in May: it is a socially good hosting platform for charities, hospices and educational institutions globally, but the UK was disproportionately hit.
As always, prevention (or at least strong mitigation) is better than cure and is now crucial. Big data and the capability to scan customers and scale within the market are becoming essential from an underwriting and performance perspective. It will not be sustainable for insurers to fund the losses being seen with a limited pool. Some markets that had dipped their toe are pulling out of cyber as the losses build against low prices.
Risk management, claims infrastructure and response are key parts of the proposition; risk assessments, bulletins, best practice guidance and training are invaluable to ensure cyber-security really forms part of an organisation’s culture. Education is key.
Many believe the pandemic is both a blessing and a curse for the cyber risks faced, with organisations going through short-term pain as they adapt to future working. It will lead to greater adoption of cyber-security and is also changing perspectives on insurance spend.
We will likely look back at this as a sea-change moment.