QBE’s ‘Business Resilience’ series is dedicated to providing relevant and up-to-date information on a swathe of subjects to assist businesses with building their resilience by safeguarding trade, managing their people risk and leveraging technology.
One of the most essential supports that can be offered by insurers at this time is in the complex area of helping businesses understand the full extent of the cyber security threat that they are facing, and also how to mitigate this threat. As the cyber portfolio manager for the European operations of QBE, Erica Constance (pictured above) has seen first hand the intense and rapid change in working practices that the coronavirus lockdown has caused, and how cyber criminals are capitalising on the resulting uncertainty.
“The cyber risk for most businesses hasn’t really changed, even for those with reduced operations, as their networks are still vulnerable to hackers,” she said. “But for the majority of businesses where employees can work from home, they have had to change the way they work and the way that they use their network overnight.”
Most of these businesses would have had working technology in place to support their employees in working from home but it simply would not have been at the scale needed for all employees to do so. A lot of companies have been strengthening their remote connection capabilities or putting these capabilities in place since the coronavirus outbreak occurred. Having these remote connections means ensuring that these connections are secure and the increased reliance on these has led to heightened cyber risk exposure for many businesses.
Misinformation has been another powerful challenge during the pandemic. While major cyber events in the past, such as Notpetya, caused an aggregation exposure to the cyber insurance market, Constance said, the coronavirus has been the most substantial instigator of widespread misinformation that she has seen throughout her career to date. Cyber criminals are taking advantage of the widespread uncertainty within society to put out misinformation and to trick people who are already stressed and anxious into opening phishing emails.
With businesses forced to implement new strategies within a very limited timeframe, there is a question of balance between utility and security. For a lot of businesses, when the lockdown first occurred, the emphasis would have likely been on simply getting the network working so that employees could gain remote access, and security measures may have been overlooked as a result.
“There will probably be companies that have prioritised this utility first,” she said. “But it is important to look at this security element and, if this has not been put in place, then that is really what should be next on their priority list.”
Businesses must do all they can to protect their employees from these phishing attacks and to consistently remind them of how to access the business’s network securely and safely. Insurance companies also have a part to play and QBE has been providing several support measures to its brokers and customers. From in-depth blog pieces detailing how employees can stay safe to webinars aimed at discussing this risk in further detail, QBE is finding new means of supporting its customers and partners.
Among the top tips that Constance has for businesses looking to decrease their cyber exposure during this tumultuous time are:
- Identify: Staff must be educated to ensure that they can identify a fraudulent email.
- Ease of accessibility: Businesses must ensure that they have a way of easily connecting through a VPN with multi-factor authentication.
- Explain: It is easy for employees to forget about the extent of cyber risk that does exist, especially when they are so concerned about the change in their working arrangements. They should be consistently reminded of this and provided with all the information required to help them keep the network safe.
For QBE itself, the seamlessness of its switch to a remote access environment was aided by the cyber resiliency plans that it already had in place. The business has established multiple channels to provide its employees with support regarding any remote access issues, and a service desk to ensure that staff are provided with continual business updates.