Emerging trends and cyber risk from COVID-19

Risk continues to increase as companies become more reliant on technology. Isolation and remote working brought on by COVID-19 further exacerbate these risks. Consequently, businesses are more vulnerable to cyber losses. This article adds to our April 2020 release regarding cyber (located here) and commercial crime (located here) by looking at the emerging trends in cyber losses during COVID-19 and suggests some further steps companies and directors may take to mitigate them.

System vulnerabilities

Many businesses admit to being underprepared for the majority (if not all) of their employees working remotely. Companies have been forced to rapidly adapt their systems and network capabilities, with Business Continuity Plans being fully tested.

Given the haste with which businesses have had to adapt, network security policies may not have been properly implemented. Technical and administrative network issues (such as slow processing, poor internet connectivity, improper VPN configurations, varying versions of software and a failure to install regular updates and patches) are common. The effect on productivity is real, but more concerning is the risk to network security.

Employees are now accessing company data from a range of devices, including personal devices, which in turn increases the risk of exposure for organisations in the event that those personal devices and accounts are compromised.

There has also been an unprecedented surge in the use of third-party virtual conferencing applications, which are likely to attract opportunistic cyber criminals. For example, Zoom has been publicly and widely criticised for its security vulnerabilities at a time when its usage is at an all-time high and continuing to surge.

The presence of smart technologies in people’s homes also presents an increased risk of, and vulnerability to, attack by cyber criminals. This increases the risk of a data breach through the inadvertent disclosure of sensitive information.

Phishing scams

It has been well publicised that there has been a surge of COVID-19 themed phishing campaigns detected since January 2020. These scams include malicious messages purportedly sent on behalf of the Australian Medical Association and also global bodies such as the World Health Organisation (WHO).

The Australian Competition and Consumer Commission’s (ACCC) Scamwatch has reported that it has received more than 2000 reports of COVID-19 related scams since the outbreak of COVID-19, with the figures continuing to increase [1].

One of the most common scams involves “phishing” for personal information. In most instances, phishing scams are sent via email or text message and claim to be providing official information on COVID-19. In reality, these are attempts by fraudsters “phishing” for personal information and, ultimately, financial gain.

Claim trending

Insurance industry data indicates that during 2019 there was a 131% rise in the number of ransomware attacks compared with the previous year. Of the ransomware incidents in 2019, 35% of attacks were attributed to the healthcare sector, more than any other sector. Financial institutions were targeted in 16% of the attacks, while 12% targeted the education sector and 9% occurred in professional services. The potential for further ransomware and other cyber-attacks on the healthcare sector in 2020 is also of growing concern.

It is predicted that over the coming weeks and months cyber-crime claims will increase. Increased attacks have already been reported since the commencement of the COVID-19 pandemic. Remote working exposes the network and the company to heightened risk.

Public authorities may also be targeted. Although the reported Denial of Service (DoS) attack on the MyGov website on 23 March was later determined to be false, increased dependency on online services is likely to lead to a rise in DoS attacks. Indeed, any business operating a website that provides information or assistance, and is therefore seeing an increase in visitors, is likely to become a key target.

The Australian Cyber Security Centre (ACSC) has issued guidance on working remotely in connection with COVID-19. It recommends a number of security measures to prevent cyber threats. Its recommendations include the implementation of multi-factor authentication for remote access systems and ensuring systems are up to date with the most recent security patches.

Risk management

Based on our experience of cyber incidents, and in the course of managing related claims, we observe that many businesses do not have the security measures recommended by the ACSC in place.

The Office of the Australian Information Commissioner (OAIC) has provided some useful guidance to help businesses understand their privacy obligations in the context of COVID-19 and ensure ongoing compliance despite the unprecedented challenges that are currently faced [2].

Businesses should continue to be mindful of their notification obligations in Australia under the Privacy Act 1988 (Cth) and in other jurisdictions. Businesses are still required to comply with such legal obligations during this pandemic.

Steps you can take:
  • Keep up to date with the latest advice from the Australian Cyber Security Centre.

  • Stress test your network. Vulnerability and penetration testing is recommended by an external independent provider.

  • Review terms and conditions with your outsourced third-party technology service providers. What are their obligations in the event of a breach? Do they have adequate insurance? Only access trusted networks or cloud services.

  • Ensure all devices, Virtual Private Networks (VPNs) and firewalls have the necessary updates and the most recent security patches (including to operating systems and antivirus software).

  • Ensure a strong password policy is in place and is enforced. Implement multi-factor authentication for remote access systems and resources (including cloud services).

  • Secure mobile phones, laptops, data storage devices and remote desktop clients. Make sure devices are stored in a safe location when not in use.

  • Use work email accounts, not personal accounts, for all work-related emails that contain personal information.

  • Ensure you circulate guidance to your staff about network security, including direction about “social engineering” (if someone asks for a funds transfer, speak directly to the person requesting it. When contacting the instructing party, use contact details that already exist in the company’s system, not contact details obtained in the course of the communications instructing the transfer).

  • Consult with your Bellrock representative. We engage experts to assist our clients to comply with network security and privacy best practice. We can also assist with the placement of adequate cyber and crime insurance to cover the losses your company may be susceptible to in the event of a cyber incident.