11 March 2020

Going Remote? Know the Cyber Risk

It’s become clear as the coronavirus outbreak accelerates that it will impact nearly every business in some way. Leaders are working to determine how operational hiccups, added costs, and lost sales will affect their organizations, and how to mitigate the impacts. 

What about cybersecurity? Are we in a unique threat environment? 

We’ve already discussed how attackers are leveraging the natural desire for official information to launch phishing attacks, so in at least one sense there’s an elevated threat of intrusion. But when considering security posture, it’s not all about the external threats. Even if threat activity was completely unchanged by the coronavirus situation, a company’s overall risk could still be adversely affected by factors that relate its ability to protect itself and respond to an incident. 

Let’s look at a couple of ways that could play out for your clients.  

Every remote worker is a variable

First, take the influx of remote workers. Some businesses are already well equipped for remote work, with workforces that are accustomed to the security measures. Others aren’t. 

There are well-understood methods to ensure that a remote workforce can replicate the security environment of an office, using VPN or remote desktop technologies. The problem is that these environments are like any other aspect of the security apparatus: they can be complex; they require adherence to best practices on the part of users to maximize safety; they must be diligently set up and provisioned; and they can harbor software vulnerabilities to keep up with and mitigate. 

In other words, it’s not a utility where you can flip on a switch and get safe access. 

Will a company rushing to equip its workforce properly configure its VPN to replicate the security of its in-office perimeter network? Will its employees find “shadow IT” workarounds because of the difficulty of using certain systems? Or worse, will the company eschew a VPN or other measure altogether, allowing for unencrypted access from home or public networks, in the name of expediency?

The wrong answer to any of these questions would represent a security gap that had previously not existed, and an opportunity for any attacker who discovered the soft spot. Moreover, even with a well configured, properly rolled-out remote environment setup, a fully remote workforce means that that system has suddenly gone from a business-enhancing technology to a critical point of failure, where an outage could lead to substantial lost productivity or business interruption. 

Then you must consider how a worker outside of the office could expose data in a more physical sense. This could mean revealing passwords to a lurking over-the-shoulder looker at a coffee shop, having an unencrypted laptop stolen, or divulging information verbally while on the phone when they think they are alone. These factors all exist today for any business that has employees on the road traveling, or working remotely. But you can multiply any of these low-percentage risks by hundreds or thousands of workers in a fully-remote scenario — especially with those cabin-fevered remote workers seeking new environments to be in. 

More drastic scenarios: not off the table

While we’re not there yet in the U.S., restrictions on movement and gatherings could come into force. In an even worse scenario, the outbreak could become so widespread that meaningful numbers of employees cannot work, even remotely, because they are sick. This kind of chaos has downstream implications for cybersecurity as well.  

Attackers will seek any soft spots they can find, and businesses dealing with a severe outbreak in their area will be much more likely to cut corners. If much of the IT staff is off-site or too sick to work, what happens to the backlog security maintenance items, like software patching? Or to the business’s cyber incident response capacity? 

If that business happens to be an IT vendor for other businesses, those weaknesses are extended to thousands that rely on it for basic processes. These are seemingly drastic scenarios, but the idea of restrictions on movement within a country like Italy would have sounded laughable a few weeks ago, and yet here they are. 

What your clients can do to mitigate risk

One piece of unique advice given the situation would be to test out remote access systems with a “trial” day where everyone works from home, as a test, before it’s mandatory. 

Otherwise, vigilance is the name of the game. Not many of the pieces of IT security advice that existed a few weeks ago have changed based on the outbreak; it’s about a business’s wherewithal to continue following them. Introducing 2-factor authentication for applications. The use of VPNs for remote access. Proper system hygiene for things like closing unneeded open ports and patching older software. These all applied before, and do so now. 

All that, and transferring risk. If you’re a broker you don’t need to be reminded of the insurance angle, but it bears repeating that the incident response planning and post-breach services that are available to help insureds during a cyberattack could be particularly helpful if their team is stretched by the circumstances on top of an incident.

Mike Karbassi

Mike Karbassi is Vice President and Head of Cyber Underwriting at Corvus. He specializes in Network Security, Privacy Liability, Technology E&O, Media Liability, and Miscellaneous Professional Liability. Karbassi has over a decade of experience in insurance and is a graduate of the Boston University Questrom School of Business.

Gerritt Graham

Gerritt is the Chief Commercial Officer at Corvus. He has over 20 years of sales and marketing experience, primarily focused on technology and data solutions for the financial services industry.

James McElhiney

James co-founded Corvus and is the company’s Chief Technology Officer. A 30+ year technology veteran, Jaimie most recently served as CTO of Iora Health and previously co-founded Gazelle.

Mike Lloyd

Mike Lloyd is the Co-Founder and Chief Product Officer of Corvus Insurance. Previously, Mike co-founded Poncho, a personal lines agency InsurTech startup, and was a venture investor at FJ Labs. Mike has an MBA from Harvard Business School and engineering degrees from Virginia Military Institute and MIT.

Phil Edmundson

Phil is the founder and CEO of Corvus. A 30+ year insurance veteran, Phil co-founded broker William Gallagher Associates (acquired by Arthur J Gallagher in 2015) and was an active leader in both the Worldwide Broker Network and Council of Insurance Agents and Brokers. Phil is the Managing Partner of Edmus Ventures where he invests in InsurTech companies including Verifly, Wellthie, Agentero, and Cover Wallet, and serves on the board of Cover Wallet.

Play Video