The COVID-19 pandemic has forced a major migration of office workers to working at home, suddenly changing the landscape of attack for cybersecurity. It’s a good time to review your cyber insurance coverage, in fact, all your business insurance coverage. So, we asked one of the FAIR Institute’s leading insurance experts, Chip Block, Vice President and Chief Solutions Architect at Evolver, and Co-Chair of the Washington, DC, area chapter, for some advice.
“I’d be talking to your insurance provider to find out what’s covered and not covered in the world as it is today,” Chip says. “For instance, I don’t think many companies were considering a pandemic in their top five business risks.’
“Similarly, we have to think about how we now are even more dependent on our computing resources than we have ever been.”
“In a lot of businesses, a ransomware attack might bring things down, but you were still able to communicate because you could just walk office to office. We can’t do that anymore.’
“So, I think it changes the business impact equation, and I think people have to look at that in terms of what’s covered and not covered.”
“I have no idea what’s going to happen when every company who has been impacted by the coronavirus puts in a business interruption claim. And if you had a cyber attack that’s also related, is that a cyber issue or a coronavirus issue? There’s a lot of uncertainty on how exactly that’s going to play out.”
The major change to risk factors comes from employees working at home, Chip says. Some implications, he sees:
- Large numbers of employees have never worked from home and have never had to give much consideration to security practices—like being on guard for phishing emails.
- More employees sharing data who have never shared it before, raising the possibility of privacy violations. As Chip points out, employees may transfer sensitive files to home computers just because working on an overloaded VPN is slow or they need to print out documents on their home printers.
- Employees protected at home just by routers (and security attacks on routers are increasing) while data loss prevention (DLP) or other controls aren’t working outside a corporate architecture.
- A major uptick is happening of “in the wild” ransomware – not the usual targeted approach, but criminals trolling for employees who are not protected very well, then leveraging that for an attack on a company.
How can FAIR analysis help?
Chip says “the most important thing in the FAIR approach, and the most important thing a company can do right now is to figure out exactly what are most critical vulnerabilities to the business--not to the technology, but to the business--and how do you address those vulnerabilities.
“In particular, one of the greatest values of FAIR is that a lot of times the best cybersecurity action is not an action for the cybersecurity staff but for other parts of the organization. For example, changing privileges of who can see what or moving data from one server to another or even changing contract language with a supplier. FAIR reveals those things that won’t be revealed just doing a technical evaluation.
“FAIR will also tell you that you may have a major risk that’s of low likelihood, but the impact could put you out of business. That’s what insurance is there for.
“So, review the risks and see if there are things you want to add to your policy or at least check with your insurance company, to see if those critical areas are covered.”