Cyber risks have increased during the pandemic and the proof is in the numbers, with the FBI seeing a 400% increase in reports of cyberattacks since the onset of COVID-19 in the US. Moreover, ransomware attacks are increasingly targeting smaller businesses that don’t have the same defenses as their larger counterparts.
“Remote working has accelerated during this time, but a lot of businesses – especially larger ones – have been prepared because they have incident response plans and are able to respond to a breach quickly by going through their policies and procedures,” said Robert Pizarro (pictured), vice president of commercial specialty at AmTrust Financial Services. “Small businesses oftentimes don’t have incident response plans, so if their employees are working remotely and an employee has been breached, it’s very difficult for them to respond, in terms of what policies, procedures, and incident response plans that they should follow.”
Many smaller businesses may also have ‘bring your own device’ policies, which further expose them to cyber risks and make enforcing company-wide security policies that much more difficult. Likewise, small businesses could be missing a dedicated IT security department to police malicious activity, not to mention the fact that their cyber insurance take-up rates haven’t aligned with those of larger businesses.
In fact, Pizarro calls the cyber insurance take-up rate that AmTrust has seen “fairly low for small businesses,” and while this number has steadily increased since 2016, it continues to lag the cyber insurance take-up of mid- and large-sized firms – and even those companies have struggled to maintain strong cybersecurity defenses during the pandemic. Just look at the recent Twitter hack, which experts say was made possible in part by the social media giant’s work-from-home environment.
“When we send our employees home, they are still accessing corporate data and corporate systems,” said Darren Thomson, head of cyber security strategy for CyberCube.
At the same time, he noted, the IT infrastructure that remote employees are relying on is typically not as secure as if they were in the office, where there’s enterprise-grade network infrastructure in place. Thomson continued, “While I’m at home, I’m probably relying on a router that I set up myself, I’m surrounded by IoT devices, all of which provide potential attack vectors for a criminal, and I may well be sharing devices with my family – and that potentially could allow the criminal to get to corporate information.”
With remote working likely to continue long into the future, companies need to implement several best practices to arm themselves in this evolving and intensified cyber threat landscape. Thomson expects that we’ll see a dynamic where criminals that have never dealt with cyber before decide to go down the cyber path because doing so today is easier than it’s ever been.
“You don’t need to be an expert coder or programmer to be a hacker,” he explained. “There are plenty of off-the-shelf products available on the dark web that allow any individual to become a cybercriminal, and I think corporations are going to need to seriously review their security best practices and governances in order to accommodate more of their workers working remotely to mitigate some of that risk.”
Brokers and agents can play a role in preparing their insureds for worst-case cyber scenarios by educating them on the various risk mitigation and insurance solutions currently on the market. After all, with the many privacy laws in the US that are in place now, legal fees can add up quickly should a breach occur, says Pizarro, alongside the costs associated with getting back up and running after a hack.
“As we like to tell our agents and insureds, every business is at risk of a cyber incident,” said the AmTrust leader, adding that the carrier offers sample policies and procedures on its website that clients can download, as well as sample incident response plans and breach assessment tests to determine whether businesses are prepared for a breach. “In addition, for the small business side of things, all of our claims handling, as well as our forensics, is handled in-house, so the claims experience is more streamlined and expedited.”