The rapid transition to a remote workforce and online business operations has made it challenging for companies to secure their new IT environments at a time when hackers are seeking to exploit COVID-19.
IT departments, security and digital regulators, as well as business leaders, are stretched thin spending time and resources troubleshooting connectivity challenges, among other digital issues such as overwhelmed VPNs.
“It really is around that safety and awareness… It’s knowing what to look for as the scammers get more sophisticated,” said Kelly Butler, Marsh’s cyber practice leader.
“Look for those nuances that can point out that it is a scam. It really is a disciplined approach to training staff to be aware of what it is and what not to do and also to report it if they do see something so that the IT department can investigate it and make sure it hasn’t penetrated the systems.”
As part of raising awareness of cyber security and resilience, Marsh hosted a webinar fronted by Butler, titled “Responding to Increasing Cyber Risks from COVID-19”, which identified the greatest threats for businesses amid the pandemic.
SMS phishing, phishing emails, fake websites, malicious attachments and malware were among the greatest threats for businesses, a finding underscored by the 907,000 total spam messages relating to COVID-19 that Marsh’s research identified.
The pandemic has become such a ripe source of exploitation for hackers that February and March of this year saw a 220x increase in spam and a 260% increase in malicious URL hits.
“I speak with all insurers and they’ve certainly seen some notifications,” Butler said.
“They’re generally around that social engineering side of things when they’re trying to get them to click on a link and then either put a denial of service on the system or put an extort system to get all the money out of them.”
One sophisticated example of a malicious SMS phishing scam, highlighted by Marsh, is the ‘myGov’ text messages that circulated in March, which targeted the most vulnerable by using an alpha tag (the alphanumeric sender name shown in place of a phone number) belonging to the government agency.
“In this instance, the malicious actor had utilised an alpha tag of ‘myGov’, meaning the text messages appeared on recipients’ phones below previous official messages from myGov. This adaptation shows how quickly cyber criminals react to disruption and education campaigns by government and business,” said Ben Crowther, lead of strategic risk services for Marsh Risk Consulting.
It should come as no surprise that the main motivator for hackers is financial gain, but Crowther also mentioned in the webinar that politics and ethics played a role.
“Advanced Persistent Threat groups are steadily growing with more than 30 nations waging cyber warfare operations against each other’s political, economic, military and commercial infrastructure,” Crowther explained.
The costs associated with a cyberattack remain one of the most prominent threats for organisations due to how pervasive they are. Cyberattacks cost businesses more than just response costs (investigation, notification and clean-up) – they also account for loss of revenue, legal liabilities, reputational damage and ransom demands.
“First and foremost, it’s the response costs including forensic investigation cost and the financial burden to triage the situation – these costs can be significant. A cyber insurance policy is robust and responds to many of these elevated threats and provides pre-breach loss prevention and mitigation services,” Crowther continued.
While these cyber threats existed before the pandemic, Butler says the situation has been exploited for financial gain. However, she says the industry has been well-prepared.
“[Our research shows the industry] surprisingly stood up well and I think that goes to show that there’s been a lot of preparedness across Australia particularly in the last year,” Butler revealed.
“So, it’s happening but it seems that the state of the cyber security market is that our clients have done their prep and their homework, and they seem to be able to fight off most of these scams.”
Butler says cyber insurance policies are businesses’ best bet when it comes to protection from cyberattacks.
“That’s what a cyber insurance policy is for. It’s really around providing that risk transfer and that protection - if there is a breach to the system it automatically triggers and straight away you have access to the policy,” Butler said.
However, due diligence when selecting an insurance policy is required, as every business has a unique situation and will need specialised support.
“Cyber insurance varies greatly which is quite different to other areas of insurance. So, it’s really critical that you have a specialised broker that advises you… and I should say you shouldn’t just accept something that’s off the shelf,” Butler continued.
“There is no ‘one size fits all’ when it comes to cyber. You really need to have a policy tailored around your specific risk so it’s really about having a specialist broker that understands what that risk is so that they can tailor it for their specific needs.”