COVID-19 has created unprecedented working situations for businesses. Many are rapidly trying to grapple with their employees working from home.
Cybercriminals are using these unprecedented times as an opportunity for online scams and attacks. Businesses need to be hypervigilant.
There are many ways a cyberattack can cause business loss: data loss; hacker theft; business interruption; breach response costs and consultants' costs; privacy complaint costs; and potentially third-party liability, amongst others.
If you don't have a Cyber Insurance or Cyber Liability Insurance policy, different insurance policies in your suite of business policies may respond to different types of loss. Even if your business does have a specialist cyber policy, the best option is to avoid cyberattacks altogether, if at all possible.
This article identifies common risks arising from your workforce working remotely, some things your business can do to minimise the risk of a cyberattack and, in the unfortunate event you suffer a cyberattack, how to respond.
Where do the risks lie?
There are significant risks from so many employees working from home for the first time:
- Network vulnerability – employees may use unsecured home networks, single factor authentication or weak passwords when working remotely.
- Reduced ability to monitor employees – it is harder to check that employees are following the business' best security practices (for example, calling a client to verify invoices or bank account details).
- Removing data from secure location – employees may transfer electronic files from business devices to less secure personal devices.
- Increased number of scams – CERT NZ has sent out an alert detailing the opportunistic attempts of cybercriminals to use the COVID-19 pandemic to scam people. These include getting people to download malware from COVID-19 maps and to enter usernames and passwords into phishing websites.
How can you minimise these risks?
Your aim should be to prevent a cyberattack. Proactive steps to minimise risk include:
- Improving your IT security, particularly for remote network access. Ensuring all anti-virus software is up to date is crucial.
- Reviewing and strengthening IT security policies and procedures. This may require input from external IT security professionals. Some Cyber Insurance policies include the cost of pre-loss security consultation, so check this.
- Creating a response plan in the event of a cyberattack.
- Keeping cybersecurity at the forefront of employees' minds. Remind staff of your security policies and what to do in the event of a breach or suspected breach. Encourage vigilance, and regularly test employees' awareness and understanding of your IT security policies.
- Putting extra security measures in place to protect vital data, and backing it up in case it is lost or stolen.
- Ensuring your employees only access business information on their business devices.
- Setting up logs to alert your business to any suspicious activity or incidents, e.g. for multiple failed login attempts or a login from an unknown IP address in an unexpected country.
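
The last step above can be sketched as a small log check. This is an added example, not part of the original article: the log format, the IP_COUNTRY table (a stand-in for a real GeoIP lookup), the expected country and the thresholds are all assumptions for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: timestamp, user, source IP, result.
SAMPLE_LOG = """\
2020-04-06T08:01:10 alice 192.0.2.10 OK
2020-04-06T08:05:00 bob 198.51.100.7 FAIL
2020-04-06T08:05:20 bob 198.51.100.7 FAIL
2020-04-06T08:05:45 bob 198.51.100.7 FAIL
2020-04-06T08:06:05 bob 198.51.100.7 FAIL
2020-04-06T08:06:30 bob 198.51.100.7 FAIL
2020-04-06T09:30:00 carol 203.0.113.50 OK
2020-04-06T09:45:00 dave 192.0.2.44 FAIL
2020-04-06T10:15:00 dave 192.0.2.44 FAIL
"""

# Assumptions: a static prefix table instead of GeoIP, and per-business thresholds.
IP_COUNTRY = {"192.0.2.": "NZ", "198.51.100.": "NZ", "203.0.113.": "XX"}
EXPECTED_COUNTRIES = {"NZ"}
MAX_FAILS, WINDOW = 5, timedelta(minutes=10)

def country_of(ip):
    for prefix, country in IP_COUNTRY.items():
        if ip.startswith(prefix):
            return country
    return None  # unknown address: treated as unexpected

def detect(log_text):
    alerts, fails = [], defaultdict(deque)  # fails: user -> recent failure times
    for line in log_text.splitlines():
        try:
            ts_raw, user, ip, result = line.split()
            ts = datetime.fromisoformat(ts_raw)
        except ValueError:
            continue  # skip malformed lines
        if result == "FAIL":
            q = fails[user]
            q.append(ts)
            while ts - q[0] > WINDOW:  # drop failures outside the window
                q.popleft()
            if len(q) >= MAX_FAILS:
                alerts.append(("failed_logins", user, ip, len(q)))
                q.clear()  # one alert per burst
        elif result == "OK":
            fails[user].clear()
            if country_of(ip) not in EXPECTED_COUNTRIES:
                alerts.append(("unexpected_location", user, ip, country_of(ip)))
    return alerts
```

On the sample data this raises one alert for the burst of failed logins and one for the successful login from an unexpected country; isolated failures spread over time raise nothing.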
What should my response plan include?
If your business does suffer a cyberattack it is important to take the following steps:
- Take immediate steps to respond to the attack and mitigate any potential loss, by seeking help from your IT security provider. Loss mitigation costs are usually covered under Cyber Liability Insurance Policies.
- Notify your insurance broker or insurer immediately, even if you don't know what, if any, loss you've suffered. Failure to notify your insurer promptly could compromise a future claim. Your insurer can approve consultant and other costs you incur in responding to the attack and it is better to ask first than retrospectively seek approval of costs incurred.
- Keep a record of the circumstances surrounding the cyberattack and the steps taken in response.
- After checking with your insurer, notify all relevant bodies such as the New Zealand Privacy Commissioner and any affected individual if the cyberattack has resulted, or is likely to result, in a breach of that individual's privacy rights. If you are unsure whether an individual's rights have been affected, notify anyway.
If my business is attacked, will it be covered by my insurance?
Whether you are covered for a particular attack under any of your insurance policies is, of course, dependent upon the particular policy wording or wordings.
Most specialist Cyber Insurance policies cover costs and losses associated with a broad range of situations including network security and privacy breaches, data recovery, some security, liability and defence related costs, business interruption, and consequential loss.
However, there will be policy exclusions that limit the cover available. These usually relate to infrastructure failures (power, telecommunications infrastructure or services), or shutdowns for network access / functionality improvements.
If you are unsure about how your insurances will respond to a cyberattack, or what steps you need to take in the event of an attack, you should speak to your insurer or insurance broker. This will help your business implement the correct procedures to ensure compliance with policy obligations and safeguard your business should anything go wrong.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.