Surge in working from home raises cyber exposure issues
By Judy Greenwald
Companies directing large numbers of employees to work from home for the first time because of the coronavirus pandemic face a host of cybersecurity issues, including concerns over tthe security of workers’ personal computers and vulnerability to phishing attacks.In addition, data lines may be strained as the number of staffing corporate systems remotely surges.While it’s likely that many problems would be covered by cyber insurance or other policies, now is a good time for firms to review their policies, experts say.Meanwhile, employers should reinforce the need for employees working from home to follow best “cyber hygiene” practices, including using two-party authentication; being sure their systems have the latest security updates and patches; that employees back up their data; and that they are warned about the proliferation of phishing scams as cyber criminals try to turn the crisis to their advantage, they say.“The problem is, we’re suddenly pushing out a very large contingent of the folks who work for you, and not all of them may be sophisticated telecommuters,” said Robert Parisi, New York-based managing director and cyber product leader for Marsh LLC.Those who work from home on a regular basis “already know the drill,” but people who are not used to telecommuting are in an environment “that’s emotionally stressful and that’s going to create problems,” Mr. Parisi said.Small- to medium-sized firms that may have not previously addressed remote access and telecommuting may see the most acute problems, he said.
Thomas Srail, executive vice president, cyber risk team, for Willis Towers Watson PLC in Cleveland, said over the past week many employers had a test day for working remotely, keeping staff home for a day and testing remote connections.
The results have been “kind of a mixed bag,” with professional services organizations that have many travelers “probably finding it easier vs. more traditional employers who don’t have a lot of traveling,” Mr. Srail said.
Companies should ensure they have procedures in place, Mr. Parisi said.
Employers must have a secure way for employees to access systems, which usually means a virtual private network, or VPN, said Tedrick A. Housh III, a partner with Lathrop GPM LLP in Kansas City, Missouri, who focuses on data security and privacy.
“If you have a lot of people working off of their own computer devices, you’re of course counting on the fact that they have practiced good cyber hygiene at home, meaning do they patch and update their systems regularly and do they have high-quality protection on their computers,” said policyholder attorney Joshua Gold, a shareholder with Anderson Kill P.C. in New York.
“And, of course, you have to hope that people, when they’re at home, are doing the smart things” by logging out of their computer systems, using strong passwords and keeping their computers in secure places in their homes, even “where obviously the employer is not going to be able to do too much quality control checking,” Mr. Gold said.
Employees should be trained that any sensitive data that is on the network is behind a VPN that is using multifactor authentication, said Stephanie Snyder, Chicago-based senior vice president and commercial strategy leader for cyber solutions with Aon PLC.
Another concern is many people have internet of things devices in their homes, from nanny cams to appliance-based software or hardware, that “can provide an opportunity for someone to overhear, or see, things that the person’s doing at work,” Mr. Housh said.
Mr. Gold said some employers issue company laptops to employees, which is the safest way to address the computer security issue, but that accounts for a just a fraction of organizations. He said the issue evokes the concerns of several years ago, when “bring your own device” to work was a major issue, though it’s now largely permitted.
Employees may also work out of coffee shops, in cities and states where they remain open, which use insecure public Wi-Fi, said Dan Burke, San Francisco-based national cyber practice leader for Woodruff Sawyer & Co.
Lindsey Nelson, London-based cyber development leader for CFC Underwriting Ltd., said 80% of cyber incidents, including ransomware, last year were initiated through remote desk protocols and logins.
“Many cyber criminals are now capitalizing on the opportunity” presented by the coronavirus outbreak with phishing campaigns, sending out emails inviting employees to click on links to malicious software that purportedly presents health safety measures, Ms. Nelson said.
Employees may also be misled by emails appearing to be from their own information technology departments requesting credentials, Ms. Snyder said.
John Farley, New York-based managing director of cyber for Arthur J. Gallagher & Co., said people working from home may be more likely to receive emails purportedly from company officials but actually from cyber criminals requesting fund transfers, where normally this would be handled person-to-person.
Experts say cyber-related events are likely to be covered by corporate cyber policies, even if they stem from an employee working at home. “If it’s going to be a pure cyber incident, such as a breach, or something driven by cyber, working from home wouldn’t change that. That’s typically not excluded,” said Anthony Dagostino, New York-based global cyber and technology practice leader for Lockton Cos. LLC, although firms should check their policies to confirm the definition of computer system is broad enough to include employees working from home.
Scott N. Godes, partner with Barnes & Thornburg LLP in Washington said, “I’m not aware of insurance carriers that have denied coverage under cyber insurance policies for cyber events that happened” while employees were using their own computer, he said.
However, Mr. Srail said if a claim is tied to a home computer, “a forensic investigation may involve people’s home network,” which could add “some complicating factors to the claim,” and “increase the expense and the time it takes to figure out some of the factors involved in a particular incident.”
Mr. Gold said one possible issue is when employees bring unencrypted data home on thumb drives. “I’ve seen some insurance companies have exclusions in their policy where, if storage devices have unencrypted data, they will not pay those claims.” Any sensitive data taken outside of the office on a thumb drive should be encrypted, he said.
Mr. Dagostino said also that the insurance market is in transition with insurers moving to explicitly include or exclude cyber coverage in traditional policies. Because not all these policies have renewed “there’s the potential there are going to be different responses” in the event of an incident, he said.
Employers should review their coverage and make sure their work-from-home policies are designed to ensure that coverage exists should something happen, said Daniel S. Marvin, a partner with Morrison Mahoney LLP in New York, who is co-leader of the firm’s cybersecurity, privacy and data protection practice.
“I don’t know if it’s the time to implement a lot of new processes and procedures, but I do think (companies) should be re-enforcing the ones they have,” Mr. Dagostino said.
As to how many cyber-related claims the coronavirus crisis is expected to create, “it depends on how sophisticated the social engineering schemes are, and how well educated the workforce is to recognize those threats,” Mr. Farley said.
The expansion of telecommuting also heightens the risk of business interruption losses as businesses’ systems, which do not normally deal with a significant number of employees signing in from ahome, become overwhelmed.
Many organizations have only so much capacity available for VPNs, and it is incumbent upon them “to ensure there is adequate security” for any type of alternative network access, Ms. Snyder said.[IA]