Skip to main content
Article

Keeping vigilant against increasing cyber risk during Covid-19 crisis

Cyber Risk Management
COVID 19 Coronavirus

By Jessica Wright | April 16, 2020

The outbreak of COVID-19 leaves many organisations vulnerable to cyber-attacks, with many cyber exposures coming to the forefront.

Most organisations and their employees will find working from home to be an untested and uncertain environment. Why not log in via an accessible open network while your children are using all your home bandwidth on their devices? Or simply use one of the alternative conferencing tools or collaboration platforms out there which are free for download. Will the organisation’s VPN be able to manage potentially thousands of remote log-ins, and will employees be able to identify social engineering campaigns which prey on their curiosity to know more about the virus?

This pandemic has brought to the forefront numerous risk considerations for both individuals and organisations across all industries, and questions on whether existing cyber insurance policies are adequate.

Opportunity for hackers

Opportunistic malicious actors are exploiting people’s concerns and desire for information about the COVID-19 pandemic by directing them to open attachments or weblinks designed to install malicious software or steal personal information. This new environment has created a perfect opportunity for hackers adept when it comes to identifying vulnerabilities in infrastructure and defenses, to spread ransomware infections, malware and launch other cyber threat campaigns.

According to the United States Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC), Advanced Persistent Threat (APT) groups and cybercriminals are likely to continue to exploit the COVID-19 pandemic over the coming weeks and months. Key threats observed include:

  • Phishing, using the subject of coronavirus or COVID-19 as a lure;
  • Malware distribution, using coronavirus or COVID-19-themed lures;
  • Registration of new domain names containing wording related to coronavirus or COVID-19; and
  • Attacks against newly and often rapidly deployed remote access and teleworking infrastructure.

Most notably, these threats are commonly administered via basic social engineering techniques targeting employees by enticing them with COVID-19-related information to click on links and attachments containing malicious payloads.

Humans are naturally curious and understandably concerned about the pandemic. We have already observed malicious emails which appear to be sent from Dr. Tedros Adhanom Ghebreyesus, Director-General of WHO, which if opened will deploy the “Agent Tesla” keylogger malware. Similarly, emails targeting Japanese individuals purporting to contain information from disability welfare service providers and public health centres in fact contained a malicious attachment which deployed “Emotet” malware, a banking trojan which uses worm-like capabilities to spread to other connected computers. The DHS concluded that Emotet is one of the most costly and destructive malware, affecting government and private sectors, individuals and organisations, costing upwards of $1 million per incident to clean up.

Mitigating cyber risk when working from home

In addition to an organisation being more susceptible to a cyberattack due to employees’ coronavirus fears, it is also possible that their defenses will be more vulnerable than usual. As the coronavirus is causing more employees to work remotely, it is possible that those individuals are logging in remotely from a less secure network and perhaps using less secure hardware via Bring-Your-Own-Devices.

High volumes of employees logging in remotely may make it easier for cyber criminals, infiltrating a network through remote desktop services, to stay hidden in an attempt to identify and access systems with sensitive data. One has to wonder whether an organisation’s crisis response, in the event of an actual cyberattack, will be compromised with less employees on site.

With many employees now working from home now, some might have transported hard copies of company or client documentation from a secure office environment without the company’s knowledge. Sensitive information may not receive the same protective measures at an employees’ home and disposing of these documents may not be secure without proper access to secure destruction bins.

A work-from-home environment also limits the ability for employees to communicate with ease. Unable to merely check with your colleague across the office divider as to whether an email sent by them instructing a transfer of funds is legitimate, the risk of successful spear-phishing emails has increased. With face-to-face communication not possible in the current environment, we now rely on employees to pick up the phone to check if these directives are from a verified and authorised source.

With all these increased risks, company IT resources are being stretched to their limits. Patch management has also presented itself as a challenging issue for many organisations. With IT running short on manpower and time, this is resulting in system patching not being prioritised. Additionally, patch management tools typically have administrative access to target systems and unrestricted access to network segments on corporate systems. However, with some employees now using their own devices, deploying patches to these remote systems can be problematic.

The advice to offer employees working remotely due to coronavirus concerns is no different than what has been offered previously when it comes to general cybersecurity hygiene. Anyone working remotely should ensure corporate laptops and other devices are locked when in public places and are using patched and updated software and operating systems, encrypted hard drives and automatic screen locks. Organisations should urge their employees to use a virtual private network (VPN) whenever working remotely, as well as multi-factor authentication to log into work-related services.

How would cyber insurance apply?

Despite our best efforts, the pandemic will stress existing defenses and protections in turn leading to a greater likelihood of loss. It is important to recognise that an organisation would likely be protected for the above-referenced exposures by a stand-alone cyber insurance policy.

We expect coverage would be in place for claims and losses arising due to security failures and privacy events caused by the increased risk environment created by the pandemic situation. For example, a ransomware event or other cyberattack could undoubtedly lead to a plethora of costs, including as business interruption losses, forensic investigations, legal advice on how to respond to an event, notification costs, public relations and costs to restore or recreate data. For such events, we do not foresee any coverage issues caused primarily by the new pandemic environment.

On the other hand, limited coverage would be provided by a cyber insurance policy for a slowdown of company network due to difficulties supporting the increased demand arising from telecommuting arrangements. “Overuse” of the network would not likely constitute an unintentional or unplanned outage, administrative error, or programming error, and therefore the insurance policy would not be triggered.

Similarly, any elective coverage purchased for the voluntary shutdown of systems must be for the purpose of limiting the potential loss following the discovery of a security or systems failure. Therefore, any general shutdown of business operations due to the pandemic would not be covered by the organisation’s cyber insurance policy.

Sources:

Threat Update COVID-19 Malicious Cyber Activity 27 March 2020 -
https://www.cyber.gov.au/sites/default/files/2020-03/ACSC-Threat-Update-COVID-19-Malicious-Cyber-Activity-20200327.pdf

Alert (AA20-099A) COVID-19 Exploited by Malicious Cyber Actors -
https://www.us-cert.gov/ncas/alerts/aa20-099a

Alert (TA18-201A), Emotet Malware, CISA –
https://www.us-cert.gov/ncas/alerts/TA18-201A

Malicious Cyber Activities Leveraging COVID-19 Situation -
https://www.csa.gov.sg/singcert/alerts/malicious-cyber-activities-leveraging-wuhan-coronavirus-situation--

Author

Cyber Leader Asia, Corporate Risk & Broking at Willis Towers Watson

Contact Us
Related content tags, list of links Article Cyber Risk Management COVID-19 (Coronavirus)