Rising Cyber Threats: How to remain resilient
There is no doubt that cyber attacks are likely to continue to plague the headlines for the remainder of 2020. Marsh has seen an uplift in malicious activity claims, including ransomware, which is crippling organisations and their operations. It is evident that cybercriminals are exploiting companies that are already under tremendous stress: proliferating malware inside coronavirus news and desperately needed information packs, and extorting organisations through ransomware payments, which they must pay to ensure business continuity through the pandemic crisis.
Cyber threats have grown so large that their consequences can significantly influence companies’ valuations. Boards need not only to devote more attention to this ever-increasing risk but also to evaluate their corporate readiness for such attacks.
Due to the pandemic environment, there may have been less time for companies to create the defences they need. Whilst many organisations are now reconfiguring networks and systems to serve the needs of fully remote workforces, the success of these transformations is often being limited by less-than-optimal technology capabilities, which can potentially leave organisations exposed to vulnerabilities.
The Australian Cyber Security Centre is in the midst of responding to a large-scale cyber incident affecting both public and private sector organisations and has published detailed detection and mitigation recommendations here.
Although the COVID-19 pandemic has created enormous and swift changes, companies cannot ignore the cyber challenges associated with a largely, or entirely, remote workforce.
The recommendations below provide non-exhaustive examples in the areas of risk and governance, IT infrastructure, operations, and employee education that can help companies work more securely and efficiently through these challenging times. In the long run, changes made in response to the pandemic should be viewed through a resiliency lens, with an eye on building towards more flexible and secure future states.
Risk and Governance
- Update and communicate acceptable use policies for employees
- Identify functions requiring secure IT environments
- Anticipate how entities on which your business depends — cloud, network infrastructure providers, and others — may be affected by COVID-19 disruptions, and develop resiliency options
- Refresh and update cyber incident response and disaster recovery plans to address current operational needs
- Regularly communicate cybersecurity awareness messages to employees to reinforce security procedures
- Offer security protection on endpoints
- Reassess rules such as geo-blocking that could prevent remote access
- Increase IT help desk capacity and hours of operation to handle the increase in services
- Ensure that cybersecurity alerts and audit logs of critical systems — for example, VPNs, firewalls, endpoint security tools, and critical business applications — are centrally collected and analysed to detect and respond to suspicious/malicious activity
- Review/update VPN profiles and firewall rules to ensure employees are assigned appropriate privileges based on their roles
- Implement procedures requiring approval from data/system owners for provisioning and de-provisioning of remote VPN and other accounts related to critical business applications
- Enable multi-factor authentication for VPN and critical information systems
- Disable split tunnelling for VPN profiles to ensure that remote employees cannot access the internet directly from their laptops while using VPNs to access corporate information systems
- Ensure patching is undertaken regularly and all software is updated to its latest version
- Create a shared channel — for example, #phishing-attacks — or email address where employees can report suspicious emails
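The recommendation that VPN and firewall logs be centrally collected and analysed, together with the MFA requirement for VPN access, can be illustrated with a small detection script. The following is an added example and is not code from Marsh or from any VPN product: it assumes a hypothetical syslog-style VPN authentication log format (the `SAMPLE_LOG` lines are constructed for this example) and applies two rules that a central log platform would typically run, a failed-authentication burst per user inside a sliding window, and any successful login where MFA was not used.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log lines in a hypothetical syslog-style VPN auth format
# (not the output of any real product); timestamps are ISO 8601 UTC.
SAMPLE_LOG = """\
2020-06-22T08:01:10Z vpn01 auth user=alice src=203.0.113.5 result=success mfa=yes
2020-06-22T08:02:31Z vpn01 auth user=bob src=198.51.100.7 result=failure mfa=n/a
2020-06-22T08:02:33Z vpn01 auth user=bob src=198.51.100.7 result=failure mfa=n/a
2020-06-22T08:02:36Z vpn01 auth user=bob src=198.51.100.7 result=failure mfa=n/a
2020-06-22T08:02:40Z vpn01 auth user=carol src=203.0.113.9 result=failure mfa=n/a
2020-06-22T08:02:44Z vpn01 auth user=bob src=198.51.100.7 result=failure mfa=n/a
2020-06-22T08:02:49Z vpn01 auth user=bob src=198.51.100.7 result=failure mfa=n/a
2020-06-22T08:03:05Z vpn01 auth user=carol src=203.0.113.9 result=success mfa=yes
2020-06-22T08:10:15Z vpn01 auth user=bob src=198.51.100.7 result=success mfa=no
this line is not in the expected format and is skipped
"""

# Field layout of the hypothetical log format assumed by this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>success|failure) mfa=(?P<mfa>\S+)$"
)


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def analyse(lines, fail_threshold=5, window=timedelta(minutes=5)):
    """Scan log lines in order and return a list of alert dicts.

    Rules applied:
      * failed_auth_burst: fail_threshold or more failures for one user inside
        a sliding time window (the pattern left by password guessing);
      * login_without_mfa: a successful login where MFA was not used, which
        breaches the policy that MFA is enabled for VPN access.
    Lines that do not match the expected format are skipped.
    """
    alerts = []
    recent_failures = defaultdict(deque)  # user -> timestamps of recent failures
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        user, ts = rec["user"], rec["ts"]
        if rec["result"] == "failure":
            q = recent_failures[user]
            q.append(ts)
            # Drop failures that fell out of the sliding window.
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) >= fail_threshold:
                alerts.append({"type": "failed_auth_burst", "user": user,
                               "src": rec["src"], "count": len(q), "at": ts})
                q.clear()  # raise one alert per burst, then start counting afresh
        elif rec["mfa"] == "no":
            alerts.append({"type": "login_without_mfa", "user": user,
                           "src": rec["src"], "at": ts})
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the constructed sample the script raises two alerts for user bob: a burst of five failures within 18 seconds, followed a few minutes later by a successful login without MFA, which is exactly the sequence a help desk or SOC analyst would want surfaced rather than buried in per-device logs. The threshold and window are parameters so they can be tuned to an organisation's own baseline of failed logins.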
Advice for Your Employees
Develop tailored cybersecurity awareness messaging for remote workers and deliver it online to all employees. Include topics such as:
- Detecting and avoiding elevated phishing threats, including COVID-19 scams and fraudulent websites
- Ensuring secure use of Wi-Fi, both at home and in public
- Not using company computers for personal email, file sharing sites, or social media without approval
- Saving and securing necessary printouts of work files or emails and shredding others
- Confirming screen locks are enabled to ensure workstations are secured when not in use
- Never leaving laptops and mobile devices unattended in public spaces
- Using company-approved cloud services or data center storage instead of local storage, particularly for sensitive information such as personally identifiable information, protected health information, financial data, and trade secrets
- Avoiding the use of USB sticks and other removable storage
To assist clients with understanding their vulnerabilities and strengths, Marsh has created a Cyber Self-Assessment tool, which provides a maturity analysis of an organisation’s cybersecurity program based on user responses. The Marsh Cyber Self-Assessment is built using key elements from multiple cybersecurity frameworks, including the NIST CSF, CIS CSC-20, and ISO 27001. Results are presented using the five traditional NIST CSF functions (Identify, Protect, Detect, Respond, and Recover) and can be used as a diagnostic for all stakeholders in the firm. Take the Cyber Risk Self-Assessment test now.
Marsh Pty Ltd (ABN 86 004 651 512, AFSL 238983). This article and any recommendations, analysis, or advice provided by Marsh (collectively, the ‘Marsh Analysis’) is not intended to be taken as advice regarding any individual situation and should not be relied upon as such. The information contained herein is based on sources we believe reliable, but we make no representation or warranty as to its accuracy. Except as may be set forth in an agreement between you and Marsh, Marsh shall have no obligation to update the Marsh Analysis and shall have no liability to you or any other party with regard to the Marsh Analysis or to any services provided by a third party to you or Marsh. Any statements concerning information security matters are based solely on our experience as insurance brokers and risk consultants and are not to be relied upon as information security advice, for which you should consult your own professional advisors.