The COVID-19 pandemic has created an economic, financial and industrial wrecking ball, causing plummeting stock markets, mass job losses, company budget cuts and temporary closures of entire industries. The pandemic has also brought about a drastic increase in predatory cyberattacks, including ransomware and business email compromise attacks that target both businesses and their clients – and SMEs are most at risk.
“Statistics show that over 95% of companies that suffer cyberattacks are SMEs and from the number-one threat: ransomware,” says Chris Anderson, CEO at Australian Trade and Construction Insurance Solutions (ATC), which offers catered cyber cover and resilience strategies specifically for SMEs. “Plenty of small companies are hit by cyber-attacks that are simply not reported; there-fore, we are helping by sharing advice about how to stay cyber secure.”
One of the biggest sources of attacks is business email compromise (BEC); last year, the US FBI reported that BEC attacks accounted for US$26bn in global losses over a three-year period, making the crime the most profitable and prominent cyber threat facing consumers and businesses alike. Anderson says ATC has witnessed a spike in reported BEC attacks during the COVID-19 crisis, whereby cybercriminals are targeting victims by exploiting pandemic fears.
“We have seen a large increase in business email compromise attacks across all industries, particularly healthcare and professional services,” he says. “Fraudsters are particularly targeting BEC messages that use COVID-19 as an excuse, sometimes including fraudulent payment detail as well as other malicious cybersecurity activity.”
Anderson outlines several measures businesses can take to ensure they’re employing the best cybersecurity strategies.
“For best industry practices in terms of cybersecurity, we would encourage all of our clients and brokers to maintain a high vigilance due to the increase in BEC and phishing attacks,” he says. “User training is really important – whilst you can have the best technology and security in place, user error can still allow that threat vector into your network, hence why also buying an insurance policy is key, due to the incident response provided and to ensure remediation in the unfortunate case of a successful attack.
“Further best industry practice is to ensure that implemented throughout any business’s network is the use of commercial-grade anti-virus and firewall – we partner with Avast to offer this for free, should any clients not currently have this – password-protecting all portable media, backup of critical data and attaining PCI compliance where required.”
Finally, Anderson says companies must ensure the use of strong passwords, multi-factor authentication and up-to-date software.
Cybersecurity and remote work
Not only has the COVID-19 pandemic provided fraudsters with a new messaging tactic for BEC attacks, but prominent changes to business operations, such as the increase in remote work, have also provided a new oppor-tunity for criminals to exploit.
“We all need to be more vigilant when working from home, and there are a number of home working practices that we would recommend,” Anderson says. “These include being vigilant of your surroundings, keeping your devices secure and locked when you are away from them, and utilising best practice for password use, such as regularly changing it, the use of strong passwords and never using the same password twice.”
“There has never been a more important time for both insurers and brokers to make clients aware of their risk to cyber perils” Chris Anderson, ATC
Other best practices that should be put into place as employers shift to remote work include ensuring that sensitive data is only released to employees who have a genuine need for it. Anderson also cautions businesses to avoid sending company information to personal emails and to instruct employees to only use remote access solutions provided by the company or a company-provided device.
“As we work from home more, there’s also been a rise in the use of video conferencing,” he says. “We encourage all businesses to stay up to date with the latest cybersecurity Brought to you byadvice and password-protect any conference calls. Zoom has become extremely popular, but there have been a number of security concerns raised about this popular video conferencing service.”
Anderson adds that tips on staying safe while using Zoom can be found on the blog of ATC’s business partner, Avast, which is regularly updating its social media channels with cybersecurity advice.
Even in the midst of the pandemic, education remains the biggest challenge in the cyber arena, Anderson says.“At ATC, we see the biggest challenge currently being education and the understanding of the cyber policy, in particular what to do in the event of an incident – who to call,” he says. “That’s why we’ve been working with brokers and clients to under-stand what the effect of a cyber event would be on their business.”
As part of this effort, ATC has organised broker training, which it will continue to host via video conferencing throughout the pandemic so that “our policy is understood by the Australian market and brokers are armed with the information that they need to advise their clients about their cyber risk,” Anderson says. “We will continue to work with our broker partners and clients in order to provide insurance solutions for the risks they face.”
Anderson says it’s paramount for ATC to give clients the best risk mitigation strategies and incident response.
“It’s an uncertain time, and we will be watching with interest over the next three months how the market adjusts itself on levels of appetite, claim volumes and rate fl uctuation” Chris Anderson, ATC
“We believe that cyber risk has four pillars: the standard of the technology, the standard of the security, the coverage of the insurance and the effectiveness of the incident response team available under the policy,” he explains. “We want clients that have the best risk mitigation in place, but losses still happen, so we are there to provide incident response and pay those losses when they do happen.”
And because cyber risks, especially BEC attacks, are a prominent threat for businesses, Anderson is adamant that both brokers and insurers need to communicate these risks to their clients.
“There has never been a more important time for both insurers and brokers to make clients aware of their risk to cyber perils,” he says. “Every single company can be affected by a cyber loss, and it’s key that each company understands what might happen to their business if they had a cyberattack, from the loss of data to the business interruption. Anyone can be hit by a cyberattack, and it’s a risk that all SMEs face, whether you’re a restaurant, law firm, photographer, manufacturer or a medical professional.”
What lies ahead
Although no one knows exactly what the future holds for the insurance industry as the COVID-19 situation continues to unfold, Anderson says both awareness of cyber risks and uptake of cyber insurance will undoubtedly increase.
“As a reaction to COVID-19, we expect that there will be a heightened awareness into cybersecurity due to the increase in successful attacks during the period,” he says. “Furthermore, market capacity will reduce in some areas as insurers are hit by signifi cant non-cyber losses – e.g. denial of access BI claims under general liability policies.
“From a cyber perspective, we could see a further uptake in the purchase of cyber policies, subject to how well the SMEs weather the lockdown period and manage the reduction of income with costs, in some circumstances remaining at the same level pre-COVID-19, especially with the increase in BEC we have seen during the current COVID-19 crisis. It’s an uncertain time, and we will be watching with interest over the next three months how the market adjusts itself on levels of appetite, claim volumes and rate fl uctuation.”