Network security & privacy considerations when organization shift from WFH to office environment

A lot of corporations may overlook cyber security as they’re inviting employees back into the office as shelter-from-home restrictions are lifted.

But according to cloud computing company VMWare, ransomware attacks jumped 148 percent this March from the previous month, and security training firm KnowBe4 reports that Q1 2020 coronavirus-related phishing email attacks are up 600 percent.

Your organization may not be prepared to respond to a security failure or privacy loss. You’re probably also depending more on technology, so malware-induced disruptions can create serious economic damage. Reliance on your supply chain means a disruption or failure could further aggravate financial loss. Even if you have an Incident Response Plan, you face the strong possibility of increased challenges especially with all or even some of your workforce working remotely.

Here are key security and privacy best practices to consider:

• Back up data and critical servers and test resiliency. In addition, run vulnerability scans before employees and their hardware connect to the corporate physical environment.
• Physical connectivity of employee hardware can introduce malware into the corporate hardware environment so it is important to upgrade your cyber hygiene with the latest anti-virus, firewall and endpoint protection, along with timely patching of systems.
• Advise employees to not connect non-corporate managed devices into the corporate environment (i.e. flash drives, USB)
• Implement use of email filters and sandboxing (quarantining) of opened links to prevent malicious links from downloading malware. 
• Remind employees of the proper safeguard protocols of mobile computing devices and paper files in transit.
• Require employees to participate in privacy and security awareness training prior to returning to work.
• Safeguard sensitive individual health information especially if/when employees become diagnosed with Covid-19.  In addition, organizations should be aware of privacy concerns raised with ‘contact tracing’ of their employees.
• Schedule a third-party assessment of your IT environment for a comprehensive audit of your security and privacy controls.
• As ransomware is usually deployed after several weeks of an undetected initial infiltration (upwards of 200+ days according to a recent Ponemon/IBM Study), it is important to ready your incident response plan (IRP) and cyber insurance policy to ensure you know who and how to respond when a cyber incident occurs.
• Review MSA’s of incident response firms such as legal and forensic firms that are approved by your cyber insurance carrier.
• If your organization does not purchase cyber insurance, now is the perfect time to consider coverage.  Working through the application process can act as a ‘mini-assessment’ and the overall budgetary spend is less than many cyber security initiatives.

Why Cyber Insurance Is More Important Than Ever

Threats + Vulnerabilities = Risk

Threats

• Ransomware attacks jumped 148 percent in March from the previous month[1]
• Q1 2020 Coronavirus-Related Phishing Email Attacks Are Up 600 percent[2]
• Ransomware demands have continually increased over the past year due to increased sophistication of attacks (such as infiltrating critical systems and backups) with multimillion dollar demands becoming more common.
• The majority of SMBs (83%) said they do feel prepared for a ransomware attack. Forty-six percent of SMBs have been targeted by ransomware, 73 percent have paid the ransom[3]     
• FBI and U.S. Secret Services have recently issued alerts for the growing threats on Business Email Compromise and Malicious Email Attacks (attached).

Vulnerabilities

• WFH Risks: As organizations use VPNs for telework, more vulnerabilities are being found and targeted by malicious cyber actors[4]
• IT and InfoSec budgets are stressed. Furloughs and/or illness of IT staff has occurred and may intensify at corporations and their vendors, adding to their cyber vulnerabilities.
• Wide sweeping InfoSec initiatives are delayed due to implementation issues under COVID-19 and stressed budgets.
• Contact tracing at the “employer/employee” level is at its infancy and has privacy implications (i.e. Think wrongful collection, retention, use, sharing, defamation, emotional distress, etc. in regards to the tracking of employee, customer, vendor COVID-19 diagnoses)

Risks

• Organizations may be unprepared to respond when a security failure or privacy loss occurs.
• Organizations are depending on their technology resiliency more than ever that malware induced network disruptions can exacerbate economic challenges.
• If an organization has an Incident Response Plan, they will face increased challenges especially with a remote workforce.
• Organizations’ reliance on their supply chain is more critical than ever and a supply chain disruption caused by a security failure or computer system failure of their vendors can further aggravate financial losses.

MMA Solutions

• Cyber insurance can help expedite and ensure a compliant response when an incident occurs ensuring balance sheet and reputational protection.
• Cyber Insurance can be a more cost-effective solution, especially now, compared to cyber security and can be put in place quickly.
• Marsh’s proprietary policy forms, cyber risk assessments and analytics can help assess an organizations security and privacy risk profile and build customized coverage for an organization. (See attached for an overview)
• Marsh’s local resources, claims administration and specialized cyber claim advocates provide additional accountability before, during and post incident.

MMA can help

Our proprietary policy forms, cyber risk assessments and analytics can help assess your security and privacy risk profile and build customized coverage. And our local resources, claims administration and specialized cyber claim advocates provide additional accountability before, during and post incident. To learn more, go to the cyber solution page or call your local Marsh & McLennan Agency consultant.

1 Source: VMWare

2 Source: KnowBe4

3 Source: Infrascale)

4 Source: DHS' Cybersecurity and Infrastructure Security Agency