10 cybersecurity issues to tackle with reopening business work locations
Published 18 August 2020
For businesses reopening locations around COVID-19 changes in Australia, managers must first focus on the obvious priorities of health, safety and core day-to-day operations, and cybersecurity concerns may be among the next group of issues to be addressed. The usual dynamic balance between IT operational priorities and cyber security safeguards may be tested in an already challenging and stressful environment.
Possible cybersecurity concerns with reopening of business locations
Initial cyber security concerns will relate to the reopening of closed offices and factories, and to the resumed use of dormant computers and industrial control systems. Other concerns may involve companies’ collection of additional personal health information as part of the effort to protect their employees’ wellbeing.
As many companies will have a divided workforce, with some employees back in offices, factories or worksites, and others still working remotely, there will be cyber security concerns associated with this division. Additionally, vendors and other business partners, as well as customers, are likely in the same position with partially remote workforces.
10 cybersecurity issues to attend to during COVID-19 disruptions
Here are 10 cybersecurity concerns that are commonly prevalent as organisations adapt to new ways of working:
To protect the safety of people on the premises, companies may collect additional health and medical information from each employee who plans to enter an office or factory. Such information may be subject to different legal requirements from the rest of the employee’s HR records. Companies failing to comply with these requirements could face regulatory investigations, substantial fines and breach of privacy lawsuits.
Office computer equipment may not have been regularly scanned for viruses, nor received all patches and updates necessary to eliminate cyber vulnerabilities discovered since offices were closed. Unpatched networks are prime targets for cyber thieves.
Corporate VPNs may receive less attention than they did when all employees worked from home, but with many employees continuing to work remotely for a sustained period, it is important for companies to attend to any security concerns.
In order to smooth the return to work transition, companies may not adequately vet the use within the corporate network security of employees’ personal devices that had been used while offices were closed and may now contain viruses or unsafe programs.
The very human desire to make things less difficult for employees struggling toward normalcy may lead to the relaxation ‒ or non-implementation ‒ of cyber risk management practices widely perceived as protective but annoying to employees and a hindrance to workflows. For example, in order to facilitate remote work many companies have increased the number of remote desktop protocol (RDP) ports that they keep open without making sure that their security settings are adequate, using multi-factor authentication and shutting down extra open parts when they can. RDP attacks have grown substantially since the widespread onset of remote working, according to security specialist Kaspersky.
Employees may send sensitive data to personal accounts on their home computers, as it is often easier to print documents on home printers from outside a corporate VPN.
Employees may transfer work documents to unsecure USB thumb drives to facilitate occasional remote work.
Employees still working remotely may take advantage of eased restrictions to work from coffee shops or other places with unsecured public Wi-Fi.
With some employees working in information-sensitive departments (such as HR and finance), working at the office while others work remotely, there may be a greater risk of employees being victimised by phishing emails requesting sensitive information than when such requests might otherwise have been made face to face.
There may be less consistent practices for dealing with vendors and other third parties that also have split home/remote workforces.
Adapting to COVID-19’s new normal
At this point the cyber insurance issues relating to the COVID-19 pandemic seem not to have changed from what we have noted elsewhere. As businesses adapt their cybersecurity practices to address issues arising in connection with the return to work in business locations following absence, they need to be alert to certain matters that could affect their insurance coverage.
For example, while few cyber insurance carriers require that an insured business maintain a level of security at least as strong as what was described in the application for coverage, companies should check with their insurance brokers to make sure they don’t need to meet this requirement.
It will also be especially important in this environment for companies to ensure that all relevant stakeholders are appropriately involved in the cyber insurance process for both initial placements and renewals, as statements in the application regarding a company’s cyber security practices constitute representations that could compromise coverage if untrue when the policy period begins.
Companies will also need to make sure that their public disclosures about their cyber security, whether on their websites or in SEC and other regulatory filings, are materially consistent with their practices.
Cyber security professionals are already accustomed to quickly adapting to cyber thieves’ changing methods. They can also now expect a sustained period of continuously adjusting their cyber security practices, and the balance between security and operational ease, to reflect the new ways that people will work.
Talk to a Gallagher cyber specialist today, and learn more about how you can efficiently and effectively manage and transfer these increased risks.
Gallagher provides insurance, risk management and benefits consulting services for clients in response to both known and unknown risk exposures. When providing analysis and recommendations regarding potential insurance coverage, potential claims and/or operational strategy in response to national emergencies (including health crises), we do so from an insurance and/or risk management perspective, and offer broad information about risk mitigation, loss control strategy and potential claim exposures. We have prepared this commentary and other news alerts for general information purposes only and the material is not intended to be, nor should it be interpreted as, legal or client-specific risk management advice. General insurance descriptions contained herein do not include complete insurance policy definitions, terms and/or conditions, and should not be relied on for coverage interpretation. The information may not include current governmental or insurance developments, is provided without knowledge of the individual recipient’s industry or specific business or coverage circumstances, and in no way reflects or promises to provide insurance coverage outcomes that only insurance carriers’ control.
Insurance brokerage and related services to be provided by Arthur J. Gallagher & Co (Aus) Limited (ABN 34 005 543 920). Australian Financial Services License (AFSL) No. 238312