When COVID-19 began sweeping the globe in the early months of 2020, the march toward remote working gathered pace.
A survey from Gartner HR reveals that 88 per cent of organisations across the globe have encouraged or required employees to work from home during the crisis.
The transition was intended to safeguard human health and keep the economic wheels turning. The unintended risk, however, is a heightened vulnerability to cyber crime.
CYBERCRIME IN FOCUS
COVID-19 has presented significant corporate governance risks — and cyber security must be in sharp focus.
The Australian Competition & Consumer Commission’s Scamwatch has received more than 2000 coronavirus-related scam reports with over $700,000 in reported losses since the outbreak of the virus.
Common scams include phishing for personal information, online shopping, and superannuation scams.
Clyde & Co partner, John Moran, and Senior Associate, Reece Corbett-Wilkins, will be presenting a professional development webinar for ANZIIF on 27 May about the cyber crime landscape arising from COVID-19 and the immediate steps businesses can take to reduce their risks.
LEADERS IN THE SPACE
Moran is a recognised leader in the cyber security and cyber incident response space. His team has handled a large number of the more than 2,000 incidents Clyde & Co has advised on globally in recent times.
Corbett-Wilkins is a leading member of the team and has experience acting in a range of local, regional and global incidents affecting government agencies and organisations of all sizes across all industry sectors.
‘We both had a natural curiosity around technology, privacy and cyber security issues,’ says Corbett-Wilkins.
‘We observed a gap in the market around seven years ago in Australia when we saw what was happening in the US. Well-established teams in law firms were offering crisis management when it came to cyber or data-related issues.
‘The landscape in Australia just hadn't heated up at that point in time.’
CYBER MARKET HEATS UP
The most common forms of cybercrime include ransomware, which is a type of virus that usually infects a victim’s computer after they open a malicious email attachment, and credential harvesting malware, which covertly steals a user’s identification when they log onto a website.
‘Even before COVID-19, we'd seen a dramatic increase in the number of incidents being reported across APAC and a marked increase in the severity of those incidents,’ says Moran.
UNDERSTANDING THE PAST
One of the most famous cyber attacks in recent years was the WannaCry virus that infected 300,000 computers across the globe in 2017.
The following year, a hack of Australian National University’s computer system compromised the personal details of thousands of its students and staff.
In 2019, a cyber crime syndicate hacked the medical files of approximately 15,000 patients from a specialist cardiology unit at Cabrini Hospital in Melbourne.
‘It used to be more of a volume play with routine incidents like low-grade ransomware, whereas more recently, we've seen a spike in well-orchestrated, targeted attacks,’ says Moran.
‘They've mapped it out and they understand how to cause the maximum amount of damage.’
PANDEMIC MAKES US MORE VULNERABLE
COVID-19 has presented additional cyber security risks.
The increased use of technology presents more opportunity for hackers and the remote workforce has seen a spike in downloads for collaboration and video conferencing apps.
During the week of 14-21 March business apps topped 62 million downloads worldwide, according to data from App Annie.
This was an increase of 45 per cent from the previous week and 90 per cent from the weekly average of business app downloads in 2019. Zoom, Hangouts Meet and Microsoft Teams were among the top downloads.
RETURN TO WORK THREAT
COVID-19 also presents security risks when people start returning to the workplace, says Corbett-Wilkins.
‘There's likely to be a privacy leak with the residual amount of data that's sitting outside of the work environment,’ he says.
‘It might be on people's laptops, it could be on their personal emails, or on file-sharing applications that they may have used outside of the office.
‘There's going to be a whole heap of corporate and consumer data sitting outside the realm of being protected within the office network environment.’
The worst may be yet to come, says Moran.
‘There’s a threat of hackers already sitting in the systems and just observing for now,’ he says. ‘Much of the fraud or the malicious attacks may not occur for a number of months.
‘The aim will be to cause maximum disruption when businesses are back to operations, because bringing a company to its knees right now, when it may already be on its knees, doesn't give a criminal the best leverage.’
IMPLICATIONS FOR INSURERS
Moran says that the greater risk of cyber crime during COVID-19 may lead to heightened claims activity, but that the lift in the number of incidents being reported by the media ‘may be a bit heavy handed’.
‘That being said, it needs to be looked at through the lens of latency - some of these incidents might not become apparent immediately,’ says Moran. ‘It might take a couple of months for them to come to the surface.’
The risks may also lead to a change in insurance buying behaviour.
‘We're hearing reports of people actually buying more [cyber] insurance, or those who weren't buying last year are buying now because they see the increased risk,’ says Moran.
‘The penetration of cyber insurance in the Australian market is still relatively low. So, there’s plenty of room for growth.’
REDUCING YOUR RISKS
Awareness and education are the first steps in mitigating the cyber security risks presented by COVID-19.
Data from the Office of the Australian Information Commissioner shows that human error accounted for 35 per cent of data breaches in 2019.
‘Businesses have been quite good at educating employees about fraudulent emails, but hackers are now leveraging the uncertainty and the misinformation around COVID to mask very legitimate organisations,’ says Moran.
‘The quickest way of targeting that is by increasing awareness and education.’
Corbett-Wilkins suggests that companies make their education and training relevant to employees’ personal lives.
‘Rather than raise awareness with employees about defending corporate work assets, focus more on “how do we educate you so that you can protect your family and yourself while working remotely?”
‘This approach is more likely to resonate with people and organisations retain the benefits of employees exercising good cyber habits at home.’
He adds that there is a range of government resources to assist with technical aspects of cyber security.
LONG TERM STRATEGY
‘Websites like cyber.gov.au and Scamwatch are really useful and I would recommend organisations give their IT team some of the resources as checklists to discuss with external IT providers.’
Corbett-Wilkins adds that now is the time for companies to consider a long-term cyber security strategy.
‘We’re all in a state of flux with COVID-19 and while organisations can probably get away with rushing to a remote workforce solution immediately, they need to develop a strategy for managing this risk over the long term,’ he says.
‘They're going to be required to do so, from both a regulatory and a consumer expectations perspective.’
Part of this long-term strategy should include investing in cyber insurance.
‘In the current climate, we’re hearing some organisations retreat from their insurance buying behaviour, simply due to liquidity and access to funds,’ he says.
‘While that may help in keeping a business up and running in the short term, at the same time, there is increased cyber risk.
‘Now is the time to consider this as part of their overall insurance and risk management transfer solutions.’