The Insurance Edge themed feature this month is Cyber: New Trends, Working From Home and New Technology.
We had such a good response in terms of comments that it’s been split into two features. This first one rounds up some comment and feedback on working from home (WFH) and the potential problems arising from it. Home working is a great step forwards in many ways, saving a fortune on commuting for millions of people, and saving the planet by reducing UK carbon emissions overall. But there are downsides for insurers, brokers and the wider business community.
CYBER RISK AWARE
Here are some opening thoughts from Stephen Burke at Cyber Risk Aware, on the challenges facing working from home:
“Remote working has been one of the biggest challenges since the start of the pandemic last year and continues to impact businesses around the globe. The transition into remote working was very sudden, leaving businesses with very little time to prepare and also vulnerable to heightened cyber security risks and attacks. With cybercrime rising and 25% of all employees noticing an increase in fraudulent and phishing emails in their corporate email since the beginning of the pandemic, businesses must be vigilant and aware of increased cyber risks when employees are working from home.
Employees using personal devices or sharing their device. Using a personal device can leave employees much more susceptible to cybercrime compared to using an authenticated company device with patched applications, password protections and VPNs to access the company’s internal systems.
Communicating online. Employees should be aware to not use social media when discussing work or revealing sensitive data, as this can breach security and risks exposing sensitive data.
Working in new ways. Cyber criminals prey on vulnerabilities. Many employees working from home are operating in ways they are not accustomed to, away from IT support and line managers, embracing new online working best practices. With so many new learnings underway, unaware employees are far more likely to accidentally provide a cyber criminal the information they want, unwittingly clicking on a phishing email for example, exposing a corporate network to potentially devastating consequences.
Shadow IT, a term used for unauthorised downloaded technological systems. Examples of this type of software include free Macros for Excel or software to grab screenshots. These may not come from a reputable source and can lead to a significant cyber incident. Considering each employee averages access to 17 million files on a corporate network, one wrong move is a hacker’s haven.
It’s incredibly important businesses are educating and empowering their remote workforce, which is why Cyber Risk Aware created industry-leading phishing simulations and the world’s first real-time cyber security awareness training platform which is multilingual and can be delivered remotely. Without the right education and training, employees are left exposed to the increasingly sophisticated cyber attacks which successfully hack SMBs every 19 seconds in the UK.
Through ongoing cyber awareness education and training, a cyber culture can be created within the workplace, where all employees are aware of best remote working practices and empowered to identify and deal with cyber threats should a malicious email drop in their inbox.”
PROTECTION GROUP INTERNATIONAL
The ongoing risks of home working are on the mind of Steve Mair, Senior Cyber Security Consultant at Protection Group International:
Not every organisation has fully addressed the security concerns brought on by the rapid change in working practices due to COVID-19. Because home is, for many people, a more relaxed environment than the office, staff may be less wary, less prepared and, as a result, their guard may be down. The common attack vectors we have been seeing and expect to see more of in 2021 include:
Phishing and scams
As we know, phishing increased significantly in 2020 and that’s not going to change in 2021 because it’s an effective technique that relies on distracted victims and lack of awareness. Add into the mix, COVID-19 related scams—such as taking advantage of the public’s desire to get vaccinated—are also likely to continue. Although many of these target individuals—usually to capture credit card details or similar—there are certainly risks to the workplace (e.g. ransomware) if the person is clicking on malicious links from work devices. COVID-19 isn’t going away anytime soon, and criminals will make the most of a bad situation.
Sensitive data leaks
One of the areas often forgotten about in the digital age are risks with a physical aspect. With employees working from home, organisations have little or no control over how printed output is handled (if permitted at all) and they may never have even considered creating a policy about how to deal with confidential waste. When staff don’t have the office shredder handy for sensitive documents, are they included in the household waste? And lastly, it isn’t unlikely that a work device gets used for something other than what is intended e.g. for home schooling. This significantly increases the risk of data being changed, deleted or inadvertently emailed to an unintended recipient.
As working from home becomes the norm for a large number of people, it’s important to consider long term process implementation. Companies can protect against these risks by having clear policies and processes, and ensuring all employees have been made aware.
SHOULD EVERYONE AT HOME SIGN A NON-DISCLOSURE AGREEMENT?
Meanwhile Keith Buzzard, Chief Security Architect at PGI, also makes this point:
We wouldn’t usually have non-employees wandering around the office, but that’s exactly what we have at home. In an ideal situation, staff working from home have somewhere isolated where they can take sensitive calls, keep documents locked up until the paperless office arrives and no-one can view the content of their screen. Sadly, not everyone will have these options available to them.
As a security professional I’m used to the concept of ‘shoulder surfing’ because it’s part of the Red Team/penetration testing process. But what about at home? Many employees are working alongside their children or housemates, potentially exposing them to sensitive business information that they might discuss further afield. This might be as simple as a child saying to their friend, “Hey, my daddy works with <insert famous person here>”. Or perhaps a housemate mentions to another friend that they overheard you talking about a specific business deal, without realising they’re passing on information they shouldn’t.
Perhaps we should ask everyone in the employee’s home to sign an NDA.
In practical terms, this is unlikely to happen, but the risk should be considered and managed. There’s no easy solution, but mindfulness and allowances are important.
For conference calls, it might be asking if it’s appropriate to discuss sensitive content and letting the recipient know of the potential of it being overheard and providing the option to reschedule if need be. Likewise, with screens, solutions like polarised shields exist to ensure no one else can see sensitive information. I know we’ve been working from home for a while now, but so many of us are still in the ‘this won’t be for long’ phase that long-term solutions are yet to be implemented.
For those in the Cyber and Commercial insurance sector there is still lots to think about in terms of emerging risks. Part Two of our Cyber Special will be posted later this week.