The sudden shift in the economic landscape has left many organizations feeling unprepared to successfully manage remote operations while mitigating risks from new exposures. COVID-19 has undoubtedly changed the world, leading to a greater dependence on digital workflow and a substantial focus on security and privacy compliance. Cyber incidents are no longer confined to the IT department and they have the potential to cause disruption across an entire organization. It is not a question of “if” you will suffer a cyber incident, it is a question of “when” and how resilient you will be upon disruption.
Resiliency is composed of several factors, including security, processes, employee training, and risk transfer (insurance). It is important to align all the key stakeholders within your organization in order to create a cohesive cyber strategy and implement the most impactful initiatives to ensure your resiliency. The team that analyzes the various initiatives and their impacts might include the CEO, COO, CFO, CTO, General Counsel, HR Director, Chief Risk Officer, Privacy Officer, and Marketing Director.
Here are a few tips to consider as you refine your cyber posture. This list is not exhaustive; rather, it is meant to bring awareness to the various components of your security program.
- Identify Assets
  - Take inventory of your business assets and identify those that are mission critical. Review (or create) a business continuity plan to ensure those assets remain operational if the organization is disrupted.
  - TIP: Check out the NIST Cyber Security Framework (CSF).
- Limit Access
  - Restrict each user’s access to the minimum required to perform his or her job function.
  - TIP: By reducing the number of users who can access sensitive information, you reduce the overall exposure.
- VPN
  - If you use public Wi-Fi without a VPN, hackers can easily steal your transmitted data and log into your accounts or extort you for financial gain.
  - TIP: Always use a VPN when transmitting data over public Wi-Fi so that the traffic is encrypted.
- Multi-Factor Authentication
  - Also referred to as “two-factor authentication” (2FA), MFA requires a second form of confirmation that the user possesses, in addition to a password. This greatly increases your security and reduces the likelihood of a hacker gaining access to your accounts.
  - TIP: Enable 2FA on every account that offers it. If you have the option, use an authenticator app (e.g. Duo, Google Authenticator) rather than text-message codes, as it is more secure.
- Payment Confirmation
  - Social engineering fraud is on the rise, especially ‘man-in-the-middle’ attacks, where a hacker intercepts an invoice, changes the routing number, and then sends it along to the recipient.
  - TIP: Confirm all outbound payments with a second method of communication (e.g. a video call).
  - TIP: Your bank will never ask you to send confidential information via email.
- Password Manager
  - A single program that stores all of your passwords. It enables you to choose complicated, unique passwords for each login, and you only have to remember the main password.
  - TIP: Hackers launch ‘credential stuffing’ attacks using credentials exposed in prior data breaches to log in to as many websites as possible. If you reuse any of your passwords, you are at risk and should update them immediately.
- Employee Training
  - 9 out of 10 cyber incidents begin with an email. Make sure your employees understand how to report suspicious emails and activity.
  - TIP: Regularly run phishing email campaigns for your employees and analyze the results to improve awareness.
- Vendor Management
  - Talk to your vendors and get visibility into their security posture to ensure it is in line with your expectations. Don’t be shy about asking about backup strategies, patch management, encryption, user access, and so on.
  - TIP: Have ongoing discussions with your vendors regarding their security and infrastructure strategies.
- Cyber Insurance
  - A cyber insurance policy provides coverage for a wide range of exposures and is a critical component in ensuring your resiliency. Coverage typically includes costs associated with a data breach, ransomware, business interruption due to a cyber incident, network security liability for failure to protect a third-party network, media liability for lawsuits against you such as for libel or slander, and legal expenses.
  - TIP: Work with your insurance broker to perform a gap analysis on your current policies to determine whether you are properly covered for cyber exposures.
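The credential stuffing point under Password Manager above is also something a defender can look for in their own login logs: a stuffing run shows up as one source address trying many different usernames in a short window, almost all of them failing, rather than one user retyping one password. The following detector is an added example, not code from Gallagher or from this advisory; it runs over a handful of constructed log lines in an invented "timestamp ip user result" format (real systems log differently, so the parser would be adapted), and the thresholds are assumptions to tune for your environment.

```python
"""
Credential-stuffing detector over constructed authentication log lines.
Added example for this advisory; not the author's or any product's code.

Signature: one source IP attempting logins for many distinct usernames
inside a short window, with a high failure rate. A single user fumbling
their password produces repeated failures for ONE account; a stuffing run
produces one or two attempts each across MANY accounts. Any SUCCESS inside
a flagged window is a likely reused password that should be reset.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real data; format is an assumption):
#   <ISO timestamp> <source ip> <username> <FAIL|SUCCESS>
SAMPLE_LOG = """\
2020-04-01T09:00:01 203.0.113.7 alice FAIL
2020-04-01T09:00:02 203.0.113.7 bob FAIL
2020-04-01T09:00:02 203.0.113.7 carol FAIL
2020-04-01T09:00:03 203.0.113.7 dave FAIL
2020-04-01T09:00:04 203.0.113.7 erin SUCCESS
2020-04-01T09:00:05 203.0.113.7 frank FAIL
2020-04-01T09:00:06 203.0.113.7 grace FAIL
2020-04-01T09:00:07 203.0.113.7 heidi FAIL
2020-04-01T09:00:08 203.0.113.7 ivan FAIL
2020-04-01T09:00:09 203.0.113.7 judy FAIL
2020-04-01T09:01:00 198.51.100.23 mallory FAIL
2020-04-01T09:01:05 198.51.100.23 mallory FAIL
2020-04-01T09:01:10 198.51.100.23 mallory SUCCESS
2020-04-01T09:02:00 192.0.2.44 peggy SUCCESS
"""


def parse_log(text):
    """Parse the constructed format into (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def find_credential_stuffing(events, window=timedelta(minutes=5),
                             min_users=8, min_fail_ratio=0.7):
    """Return {ip: summary} for source IPs whose activity inside some
    `window` covers >= min_users distinct usernames with a failure ratio
    >= min_fail_ratio. A sliding window per IP keeps this O(n) per IP.
    Thresholds are assumptions; tune them to your own traffic."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {e[2] for e in chunk}
            fails = sum(1 for e in chunk if e[3] == "FAIL")
            ratio = fails / len(chunk)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                prev = flagged.get(ip)
                # Keep the widest qualifying window seen for this IP.
                if prev is None or len(users) > prev["distinct_users"]:
                    flagged[ip] = {
                        "distinct_users": len(users),
                        "attempts": len(chunk),
                        "fail_ratio": round(ratio, 2),
                        # Accounts that accepted a stuffed credential.
                        "compromised": sorted(
                            e[2] for e in chunk if e[3] == "SUCCESS"),
                    }
    return flagged


if __name__ == "__main__":
    for ip, info in find_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

On the sample data only 203.0.113.7 is flagged (ten usernames, 90% failures, one success against "erin"); the repeated failures from 198.51.100.23 against a single account are a normal forgotten-password pattern and are left alone. The "compromised" list is the actionable output: those accounts had a password that matched a breached one and should be reset, which is exactly the reuse the password-manager tip is meant to prevent.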
Here are slightly less obvious cyber exposures to be aware of, especially as many people are working from home, alongside other family members.
- COVID Links
  - COVID-related scams are widespread.
  - TIP: Be extra careful about which links you click on, which webinars you register for, and which products you purchase, especially those related to COVID-19. Stick with sites you know and that are credible.
- Video Conferencing
  - Zoom is popular, free, and easy to use; however, it is not secure, and many organizations are banning its use.
  - TIP: If you do use Zoom, make sure to set a password and a waiting room so you can manually admit each participant before they enter.
- IoT Connected Devices
  - If you own connected devices (e.g. a Ring doorbell, Nest thermostat, or smart home appliance), it is a good idea to put them on a separate Wi-Fi network from your main network and make sure the default password they came with has been changed.
  - TIP: If a hacker gains access to an IoT device on your main Wi-Fi network, they can install malware to capture every computer keystroke as well as the data you transmit.
- Sharing Work Computer
  - With the increased time spent working from home, it may seem convenient to lend your work computer to a family member to browse the Internet.
  - TIP: Avoid the temptation, as this substantially increases your threat surface and gives hackers additional entry points.
- Using Personal Devices for Work
  - Risks of using personal devices for work include software not being up to date, increased activity on less secure sites, accidentally transmitting confidential information to personal contacts, storing files on unauthorized cloud storage sites, and an employee leaving the company with data stored locally on their device.
  - TIP: Re-evaluate your “Bring Your Own Device” policy to consider the new work environment and address security practices that align with your organization’s risk tolerance.
For more information on exposures your organization may face or to explore how a cyber insurance policy can help with resiliency, contact Ari Dolgin, a Senior Account Executive at Gallagher: Ari_Dolgin@ajg.com
Gallagher’s Pandemic Portal contains deep insights pertaining to cyber security, insurance and risk management, compliance, and employee benefits:
https://www.ajg.com/us/coronavirus-covid-19-pandemic/