Since businesses have been facing significant interruption and heightened cyber-risk by working from home, many companies have asked security questions during the current COVID-19 crisis. The key security question is whether companies have taken proper technical and organizational measures to protect personal data. While data regulators will be easy on companies suffering data breaches or cyber-attacks during the COVID-19 pandemic, they will also be considering the technical and organizational measures that were taken to improve cybersecurity and incident response procedures in efforts to deal with new ways of working.
How have attackers taken advantage of the situation? It’s too early to say for sure whether COVID-19 has caused an increase in cyber-attacks, but attackers are certainly taking advantage of interest in COVID-19, exploiting fears and the desire to remain current. Themed phishing and malware campaigns, as well as impersonation of COVID-19 authorities, have been a major concern.
Are remote devices secure enough? With the rapid increase of remote work, more and more people are using their personal devices for business purposes. These devices and WiFi networks are often poorly secured. Your clients must be certain that sensitive data stays separate from personal IT equipment and encourage the use of secure systems for remote work.
Are companies properly prepared to deploy remote access systems? IT teams must move quickly, ensuring the continuity of operations and paying close attention to shipping/ordering logistics. A strong security checklist for new systems and system changes can help, including testing all remote access systems.
How will incident response be managed? Incident response playbooks should be reviewed and updated so that they can be applied remotely. It may be necessary to draft a new short-form policy to handle the current situation. Also, your clients should carefully consider how all technologies are being deployed.
What does proper staff oversight look like now? The method and style of communication to staff are crucial, as lengthy emails about cybersecurity may not be thoroughly read. It’s important to stick to the main points, such as phishing awareness and device security, while considering the most engaging way to get the message across.
What actions should your clients take to minimize cyber risks? Companies should be proactive with their suppliers and contractors about bolstering their cyber defenses to better respond remotely to incidents. Companies should engage with their suppliers and contractors to obtain further assurances and guarantees in this respect, including how incidents will be managed remotely and how the information will be shared.
Do crisis policies need to be amended? Most companies have not already drafted a crisis plan and security documents with prolonged policies regarding working from home. It is advised to revisit relevant crisis and cyber incident response plans to check that they are adequate for current times and whether any short-term additional policies should be enforced.
How will documents be shared without compromising confidentiality or legal privilege? Face-to-face meetings are vital in crises to avoid misunderstandings that occur via email. While multi-person video calls can be a helpful alternative, they can also be complicated and take up valuable time. This is why it is so important to have clear written communications that place an emphasis on legal privilege issues. It is crucial to use a project name to separate communications, have a summary of key issues, communicate daily with the crisis team, and have an updated fact sheet securely available from any device.