How has cyber security had to adapt to the impact of COVID-19?
Across all areas of business, the coronavirus pandemic has disrupted and destroyed what we once knew – and this is indeed the case within the cyber security sector. Already an industry that moves at breakneck speeds of innovation and counter adaptability to new threats – COVID-19 has, once again, turned the industry upside down.
Business Leader spoke to some of the UK’s leading authorities on the matter, to find out how the nation has coped, and what the future holds for the safety of digital businesses.
When it comes down to analysing what is needed to run a successful company in the modern world – having the latest and most secure cyber protection in place has become crucial for today’s business leader.
Following the outbreak of COVID-19 and its devastating impact on businesses around the world, is now the time to take stock of whether your business’ security is up to date?
Morten Brøgger, CEO of international secure collaboration platform Wire, comments: “Cyber threats are a global problem that are set to cost the global economy $6tn by 2021. That’s immense, even before you consider the impact of a post-COVID recession, which will undoubtedly result in an increase in financial crimes (including cybercrime). In light of this, it’s important that companies are using the right tools to proactively protect their important company data against cyber threats.”
Companies of all sizes and sectors are affected by cyber threats each day. In the UK alone, SMEs suffer 10,000 cyber-attacks daily.
What threats are most prevalent right now?
With the onset of COVID-19 affecting all industries, and with technology advancing at a faster rate than any point in history – cyber threats have increased to worrying levels for business owners.
Founder and CEO of Cybsafe, Oz Alashe MBE, comments: “Our own analysis of data from the Information Commissioner’s Office shows that phishing dominates the UK cyber threat landscape, accounting for 45% of all reported data breaches.
“Phishing is so popular because it’s easy. If I can convince you to give me your credentials, then that’s it. There’s nothing more that I need.”
Further analysis from Wire shows that a staggering 97% of employees are unable to spot a phishing email.
At a time where the focus of leaders and management will be on other areas of a business, this highlights how easy it can be on the wrong side of a cyber breach. And it isn’t just phishing scams that a business needs to prepare for.
The extent of cyber security threats has increased – and the nature of cyber-attacks are constantly evolving. According to a recent survey conducted in March 2020 by the Department of Digital, Culture, Media & Sport, almost half of UK businesses (46%) and a quarter of charities (26%) report having experienced cyber security breaches or attacks in the last 12 months.
There has been a fall in recent years in businesses experiencing attacks caused by viruses or other malware – but among companies who experienced cyber incidents in the last year, 86% of those were phishing attacks, up from 72% in 2017.
Guy Lloyd, Director of Cysure, said: “Phishing attacks where employees are tricked into opening an email, attachment or link to a rogue website and then encouraged to provide sensitive information, remain the most prevalent cyber security risk. Google announced that during April 2020, it prevented 100 million phishing emails daily from reaching their targets. More recently, they have seen 18 million daily malware and phishing emails related to COVID-19.”
COVID-19 has increased the level of threat towards cloud services within companies in the UK by 630% – further putting credence to how opportune cybercriminals are, and how adaptable a business must be to counter this.
Andrew Clarke, Chief Strategy Officer of Assured Cyber Protection, comments: “As technologies advance at an extraordinary rate the cyber security landscape changes and cyber adversaries exploit the vulnerabilities caused by confusion or poor management. Hackers change their MO to adapt to the changing situation, if they do it faster than their targets then they may prevail. Because of the rate of advance the level of cyber risk has dramatically increased. The 400% increase in attacks during the first month of the COVID-19 pandemic typically demonstrates how hackers take advantage of a chaotic situation.”
Other than phishing emails, the other main weapon of choice for cybercriminals is ransomware scams.
Tom Draper, Associate Director, Technology and Cyber Practice at global insurance firm Arthur J. Gallagher explains: “Ransomware – a malicious software that locks and encrypts a victim’s computer data and demands ransom payment in order to regain access – is an ever-present threat to businesses of all sizes.
“Although it was originally developed as a means to extort money from individuals, it wasn’t long before cyber criminals realised it was just as effective – and far more lucrative – to use against organisations as well – with local governments, universities and healthcare providers among the list of institutions which are frequently targeted.
“Following a ransomware attack, the costs associated with system failures or downtime can be hugely detrimental to organisations – affecting their bottom line and often causing them significant reputational and operational damage.”
However, before any business looks to prevent an attack happening, it is worth considering how the cybercriminal has evolved in recent years.
Russell Henderson, Director at Trustack, comments: “Cyber espionage and attack is big business generating a serious amount of money either in terms of ransoms, reputational or direct costs to businesses. Highly skilled people operate on both sides of the battle. It is predicted globally that companies will spend in excess of $137bn in 2020 to protect against cyber threats. However, whilst there are varying estimates and predictions of the global cost of cyber-attacks on businesses in 2020, the highly regarded technology research company Gartner predict it will be around $3.9tn.
“Cyber-attacks are no longer just from individuals sitting in bedrooms, today businesses operate as ‘hackers for hire’, state and political sponsored cyber-attacks shape global economies and political landscapes. The skills behind the attacks are increasing, the rewards for those committing the tasks are increasing, either in monetary terms or notoriety and the uses for the data that is stolen are increasing.
“Therefore, it is reasonable and sensible to forecast more volume and more complexity of future attacks. Attacks are becoming harder to trace and defend against due to the skills behind creating subtle attacks, breaches that sit quietly for days, weeks or months simply monitoring systems, creating backdoor accounts with elevated privileges using legitimate processes and the sheer speed of attacks morphing from previous versions make it a challenge for security companies to keep pace.”
Issues with remote working
COVID-19 has forced many businesses to have their workforce continue with their jobs from home – but does that create further troubles for firms? And more opportunities for hackers?
Draper comments: “With much of the UK workforce currently working from home, organisations of all sizes have seen a marked increase in phishing attacks in particular, with cyber criminals exploiting the pandemic to try and trick victims into opening infected attachments and links, or to enter their credentials via email. The emails can be very deceptive and may appear to be sent from a trusted source or familiar brand – often asking recipients to open a link to a new company policy related to the COVID-19 pandemic.
“Additionally, the increase in videoconferencing, remote access, and virtual private network (VPN) services in the home are also expanding the attack surface that cyber criminals can exploit to gain entry into a corporate network.”
So, why has the threat increased?
Alashe continues: “Remote working does make it more likely that you will fall victim to an attack. To understand why, we need to understand a bit about human psychology. Our environments influence our behaviours – what scientists might call ‘schema theory’. Schemas influence our behaviours in all areas of life. For example, we shout at football games, but we whisper in libraries. We dress to impress in offices, but we dress casually when we’re at home. For the most part, schemas are extremely useful.
“In the context of cyber security, our usual schemas at home often aren’t appropriate for keeping our employers and the data that we’re handling safe. For instance, we might instinctively use personal devices when working from home. Similarly, we might take phone calls without disabling our Google Assistants, or we might forego software updates that would otherwise be automatic. The cyber security conscientiousness that comes more naturally to people in the office, often feels unnatural when we’re at home. And that can be dangerous.”
And this is why the phishing scams have risen to such prominence over the last few months – along with malware attacks (this is where cybercriminals install malicious software on someone else’s device without their knowledge to gain access to personal information or to damage the device).
Patrick Burgess, the Technical Director at Nutbourne comments: “In the wake of the coronavirus, around 20% of the global workforce has been working from home. That in turn has seen a spike in the number of phishing attacks and malware attacks, placing organisations over the world at greater risk of a data breach.
“Most commonly, these attacks are coming in the form of COVID-19 themed text messages or emails. These contain a fake link that, if accessed, installs malware on your system or steals your credentials. The types found and detected have been designed to specifically access banking details or financial information.
“Malware is an opportunistic form of attack and works best when people don’t have good systems to repel it. People are working from home, many at fairly short notice, and the new systems aren’t well set up. Additionally, people are reading as much as they can about their current situation and so users are now more likely to click on links and access content, making it a good time for malware to hit the mark. Consequently, the people who make money out of that are using it more. The whole situation has thrown many company’s IT security off kilter.
“The malware is more extensive now for two main reasons. One is that people are worried, and it’s easy to target things at them. The other is that people are working from home, with hastily set up systems in some cases, which are resulting in issues.”
With the increased number of devices and endpoints using company-sensitive data, the threat of a cyber-attack is increased because of remote working.
Sandy Gilchrist at Director of priviness ltd explains: “It is now more likely that you will receive an attack because of a spike in end-point security flaws due to the increase of employees working from home. This is leading to a significant increase in hacking opportunities due to out-of-date web-browsers being used at home on employees’ own devices to access Cloud services – household resources not stretching to the same level of security spend as in the office – and insecure Wi-Fi networks that allow bad actors to jump from one infected, connected device belonging, say, to a flatmate or family member to the employee’s connected device.”
Protecting your business
Even without the additional challenge of COVID-19, and its impact on the way company’s IT systems and securities operate – it is clear to see that firms must adapt to this new world, and have certain plans in place to protect the business and its staff.
Brøgger comments: “The commitment to security has to start from the top level of leadership. The CTO and CISO must be aware of both their company’s specific needs, as well as of the latest tools in the market to meet those needs. In addition, the CEO must also be on board with the decision to lead with security. If security is an afterthought, it will never be implemented properly, and the business will inevitably suffer as a result. Trouble is, 40% of employees believe that their CEO undervalues cybersecurity and our own recent survey found that 83% of UK business decision-makers fail to prioritise security when it comes to remote working. These findings serve as a stark reminder that leaders must take cybersecurity more seriously.”
In order to protect the business, there are several simple steps that should be adhered to by all employees, at all levels.
Draper continues: “Best cyber security practices – such as ensuring employees have strong passwords in place, conducting regular systems and antivirus and antispyware software updates, providing firewall security for internet connections, and turning on multiple-factor authentication – can significantly reduce the risk of a cyber-attack, although can’t remove it completely.
“Because the risk cannot be completely eradicated, companies will leave themselves exposed to financial and reputational damage if they don’t have cyber insurance in place, in the event they fall victim to a cyber-attack. That’s where the role of a specialist cyber insurance broker comes in – helping organisations to identify, mitigate and respond to any risk of financial loss, disruption or regulatory exposure, in the event that their digital systems or data become compromised, paralysed or attacked.”
But even without a specialist, the need to have the correct people and plans in place could save the business from collapsing.
Lloyd comments: “As the majority of corporate assets, such as customer information, enterprise systems and financial data are now held digitally, in the event of a cyber-attack have a backup and recovery process for your key digital assets. It’s not possible to guarantee an attack will never happen but taking the right measures shows you take cyber security seriously and will help your organisation to recover and survive any penalties, whether they be fines or damage to corporate reputation and customer loyalty.”
Preparing your staff
So, with a constant digital threat to businesses, it is vital that companies of all sizes – and from all sectors – need to prepare their employees. This is especially the case, as they themselves are often the first line of defence against a cyber-attack.
Lloyd said: “You must ensure that all staff are aware of how they can be deceived and what activities they must avoid, minimizing the risk of an attack. A NCSC government report quotes that 90% of attacks are enabled by employees making mistakes or acting irresponsibly.”
So, how can this be achieved in the face of an ever-evolving threat?
Draper explains: “Most cyber-attacks originate from human errors within an organisation, such as an employee opening a phishing email. Companies need to think about all of their employees as members of their cyber security team and provide them with proper training and empowerment to transform their staff from the ‘weakest link’ to the ‘first line of defence,’ when faced with cyber threats.
“To minimise the risks of employees falling victim to cyber-attacks, staff awareness training, such as a compulsory e-learning, is an effective way of educating colleagues on cyber security best practice – covering themes such as acceptable use of company technology, and the importance of locking unattended devices. Regular communications should also be issued to staff about how to identify and respond to cyber threats, ensuring they understand how a cyber-attack could affect the company as a whole, and the role that they can play in preventing any potential incidents.”
Simple steps should be taken to ensure the safety – and survival – of your firm, and constant training is at the heart of it.
Data Protection and Privacy Director, Helga Turku at HewardMills, said: “The first step is making cybersecurity training mandatory for existing and new staff. There needs to be an expectation to keep the training updated and repeated on a regular basis. As part of the training, the aim will be to educate staff on the different forms of cybersecurity threats and making them aware of relevant company policies. Encourage a company culture where people query things that don’t seem right and feel free to flag potential threats to the appropriate teams.”
After your employees are up-to-date on the latest cybersecurity measures, the next step is to investigate the minefield of cyber-related insurance. The worrying statistics show that many businesses are not prepared for an attack.
Clarke comments: “It is concerning that at a time when cyber-attacks are increasing, only 11% of businesses in the UK have specific cyber cover. This may be because businesses can’t afford it – or don’t recognise the value in it.
“Cyber insurance covers loss – it will not fix reputational damage and it will not recover lost business. Insurance alone is not enough; it needs to be complemented by a comprehensive cyber security programme that delivers cyber immunity. Businesses must change their mindset and focus on inoculating themselves against cyber risk. Insurance does not reduce risk, but active management does.”
However, just ‘having’ a cyber insurance policy is no guarantee that all facets of your digital business are protected. Ensuring that the policy you have taken out fits the needs of the business is essential.
Draper concludes: “Cyber insurance can normally be bought as a stand-alone policy or as part of a wider blended policy such as professional indemnity insurance with cyber extensions. In many cases, however, a standalone cyber policy may be the best solution to ensure comprehensive cover. A specialist solution will contain a range of support measures, including help with developing cyber risk management procedures, and access to breach response teams, legal advice and forensic IT consultants in the event of an attack – helping organisations respond to an incident quickly and effectively.
“Specialist cyber brokers can support their clients by arranging a policy that is tailored to the risks faced by their industry, by assessing the specific risks faced by them as an organisation, and then determining what type of cover is appropriate. By engaging with a specialist broker, buyers can run through potential loss scenarios, to gain a better understanding of how insurance might respond in each of those scenarios and then make any adjustments necessary.
“While wordings can vary, there is common cover found in the majority of comprehensive cyber insurance policies, including cyber extortion, business interruption and crisis management, which may be especially helpful in managing financial and reputational losses as a result of a cyber-attack.”