Interview: Cyber exposures for a coronavirus age

We’ve seen a shift towards companies encouraging home working in recent years, but the COVID-19 pandemic has massively escalated this. What cyber exposures does this introduce?

Many organisations are not prepared because they haven’t really embraced remote working up until now. Either they do not have the resources or tools in place to enable widespread remote working or their staff have never used the resources that have been given to them and are now being forced to do so, maybe without preparation.

We’re at an inflection point. What you’re seeing now is a whole legion of staff who would never have considered home working previously now embracing the change. We’re not going to go back to where we were pre COVID-19. We’re going to see a much quicker move to home working and you’ll see much more use of personal devices.

A good analogy when you’re starting to think about what cyber exposures that introduces is the big shift in risk we saw a few years ago when organisations went to the cloud. In the 1990s and noughties most organisations would have their own IT infrastructure. They had a wall around their IT and their data and it was all protected.

But all that infrastructure was expensive, clunky and difficult to scale up. The cloud made scaling up, updating and upgrading somebody else’s problem. But it entailed a massive shift in risk. Because now there is no wall, there is no barrier.

That had a big impact and most organisations are still catching up, which is why business email compromise (BEC) is such a prevalent attack for us to be dealing with. And this home working shift is doing the same thing.

We are routinely seeing BEC attacks costing in the millions of dollars, either because attackers have diverted funds or they’ve compromised a large number of email accounts and none of them are then safe so organisations then face a significant cost to investigate and mitigate the attack and usually a significant business interruption cost too.

Why are remote workers more at risk to these types of attack?

With BEC, what you’re relying on is fooling somebody into thinking an email is from a trusted contact. These scams can be even more effective if there is the level of disconnection that you get with remote working. For instance, if you have an invoice coming in from accounts, it’s more difficult to check with your colleague whether it is legitimate or not if the level of effort required to make that out-reach is higher.

These attacks also rely on distraction. Speaking personally, I now have four more daily meetings in my calendar that I didn’t have when I was based in the office, because various teams feel that they need to replace informal interactions in the office with scheduled meetings. These changes in working practices creates additional stress that the scammers behind BEC can exploit.

There are also the issues surrounding ‘shadow IT’. Staff just want to get their job done and if slow home WiFi speeds or the lack of certain resources such as printers get in the way, staff will likely find ways that help them get the job done but may constitute a risk to the organisation.

Perhaps they are a junior member of staff with a limited amount of bandwidth and they start using the unencrypted Wi-Fi of the cafe across the road. Another issue is the use by staff of consumer-grade hardware such as routers, home IoT devices like smart speakers which are vulnerable to attacks especially if not frequently patched against vulnerabilities.

Less than half of the incidents that Beazley’s incident responders handle are malicious attacks by outsiders. Many times it is the well-meaning but unfortunately risky practices of staff who just want to do their job but aren’t aware of the heightened risks of those practices.

Say you want to do some work on a PowerPoint at home and maybe your remote connection facility is really slow, so you email it to your home email address. It’s a common thing that people do, but often home email accounts are secured with very poor passwords. They might even be shared with multiple family members. Or you might type the wrong address into an email.

What we have found is that if you make somebody’s job difficult to do, they will find an easier way to do it. And you are not going to fix that by aggressively implementing unrealistic policies. Where we really see a difference is when organisations actually help their staff comply.

Staff need to feel they have a safe forum in which to ask for help and report issues. That is where you’re going to get much better visibility into what is happening. I used to work at an investment bank where if we successfully reported a phishing scam you received a voucher to use in the cafe downstairs. It was a carrot rather than a stick approach.

It’s such a good return on investment if you can involve staff in cyber security discussions and make them feel they are part of the solution.

Much has been said about the need for different departments - risk, IT, HR etc - to work together on cyber. How relevant is this collaboration right now and what should risk managers be doing?

Cyber risk is all about information and the malicious or accidental disclosure of information in some way. Calling it ‘cyber risk’ leads to some essential stakeholders switching off. It’s not just an IT issue. As soon as you have a BEC you have a marketing, legal, operational and/or finance issue as well.

Managing the technical elements of a cyber incident are actually pretty straight forward. The difficult part is acting swiftly so you do not lose the trust of your clients, staff and other stakeholders important to your organisation. If organisations are buying cyber insurance, they really need to be asking their partners for help in how to best communicate these risks to their colleagues and other stakeholders in the business.

Risk managers in particular need to lean more on their vendors and service providers to help them to effectively communicate these concepts in a way that a non-executive director with no background in technology, for instance, is going to understand easily.

Insurance companies, technology vendors and risk consultants all have a role to play in helping their clients communicate these risks effectively .