
May 8, 2020

Cyber risk protection tips while working from home

Tamara M. Stephens

Working remotely from home has become more common in recent years, and the trend accelerated earlier this year when companies implemented social distancing practices to protect employees, clients, and others. During times of crisis, such as the current COVID-19 pandemic, cybercriminals may take advantage of the changes and distractions to employ new phishing or social engineering schemes to access your Personally Identifiable Information (PII), your Personal Health Information (PHI), or your company’s systems.

While working from home, consider these tips to help protect yourself and your firm from potential cyber risks.

Use VPN security

As its name suggests, a Virtual Private Network (VPN) creates a private network connection between your computer and the internet and helps protect data from being accessed and seen by others. When working from home or any remote location, such as a coffee shop or airport, if you have a company-issued device, always make sure to connect via the company’s dedicated VPN. If that is not available, consider creating your own VPN, which can be done through one of several service providers, but be sure to first research how the service provider handles your data.

Implement multi-factor authentication

Multi-factor authentication (MFA) is an extra step to verify your identity. Many organizations, such as financial institutions, may ask you an additional security question or require an additional code to be entered before granting account access. While this additional verification was used less frequently in the past (perhaps you noticed it when you logged in from a new device or location), companies have expanded use of MFA in recent weeks due to the large number of new remote users.

Be sure to follow any MFA steps required by your organization, and check to see if you can turn on similar settings on your personal accounts, such as banks or credit card services, utilities, online retailers, or mobile service providers.

Take a critical eye to your email

The most effective way to avoid fraud starts with you, the email reader. Phishing and social engineering scams conducted via email are becoming more sophisticated and are the main entry point not only to your personal information but also to information about the firms you work with. Educate yourself and thoughtfully scrutinize every email before opening it or clicking any link.

Steve Bova, Vice President of Private Client and Family Office Services with Hillard Heintze, offers this advice, “The attackers are weaponizing language – emotional triggers – that compel you to click on a link or take other action without your usual measure of caution. Don’t fall for this.”

Suspect schemes may be related to the stimulus packages or unemployment benefits, free N-95 masks or other personal protective equipment, or phony emails from HR or your tech team about work-from-home requirements. They may appear to come from your credit card company, bank, or even your employer, but when reviewed carefully, you may realize they are fakes.

To help identify malicious emails, read these five tips from Hillard Heintze. Many insurance carriers are sharing additional insights to help clients protect themselves from cyber risk. For more suggestions, read Ten Tips to Stay Cyber-Safe When Working Remotely from Chubb and Beware of COVID-19 Cyber Scams and Fraud from Cincinnati Insurance Company.

Be smart about virtual meetings

Online web meeting services are one of the best ways to stay connected with your team members, clients, and others. There are many platforms to choose from, so make sure you follow your company’s preference and policies when connecting. To help maintain your privacy and that of your clients and partners, be sure to turn off your microphone and camera when you first sign on, and close any documents, windows, or tabs with sensitive information before screen sharing. Before you turn on your camera, also make sure your background is clear of any personal info that you don’t want others to see. It’s advisable to add a password to all virtual meetings. If your meeting topic is especially sensitive, consider using MFA if it’s available.

Educate your employees

If you are a small business owner or family office leader, your employees and team members are your first line of defense. Develop best practices around account approvals, email safety, and tech-related policies, and be sure to provide structured education around the strategies you implement. It is also important to periodically test your systems to help identify areas that need to be addressed. Business owners concerned about cyber risk can read more in these 10 best practices from Marsh & McLennan Agency.

Consider insurance protection options

Even after following the mitigation steps recommended above, sometimes the unexpected breach happens in the form of malware, ransomware, cyber extortion, or social engineering, which uses deception to trick users into giving away personal information or making security mistakes. This is where insurance could come into play.

For example, a client recently lost more than $120,000 as a result of a fraudulent social engineering scheme. Four separate wire requests appeared to come from an extended family member who had proper authority to do so. The requests did not seem unusual, so the family approved them. However, the family did not know the family member’s email had been compromised and a bad actor had actually forged the requests. Fortunately, the client had a fraud endorsement in place and was able to recoup nearly all of the loss, up to the policy limits. While this was a cyber-related event, it was covered under a fraud solution. Depending on the scenario, coverage may also be available through a crime policy, a kidnap and ransom policy, or a cyber policy.

Cyber coverage may apply in the event of cyber extortion or a ransomware attack with reimbursement for money paid (including bitcoin or other cryptocurrency) to terminate or end a cyber extortion threat. Real-time support may be available to attempt to manage or terminate the threat while in progress.   

In addition to personal cyber protection, family office clients may want to explore commercial cyber policies, which sometimes require consistent cyber education for employees as well as regular testing of their cyber defenses and systems.

Talk to your risk advisor

During such unprecedented and challenging times, it can be helpful to consult with your risk advisor to discuss your current situation. They can help identify and provide guidance around potential new exposures and help you stay safe while working from home.