Cyber Liability & Risks

As a result of COVID-19, many of you are managing the transition to new working arrangements, including working remotely from home. Attackers often exploit large-scale events such as COVID-19, striking when staff are stressed, busy, or away from their usual duties.

Attackers look for all kinds of ways to obtain employee credentials and data. Once they have access to your systems, they cause havoc in both downtime and expense (extortion, and payments redirected to accounts they control).

An increasingly common attack is invoice fraud: the attacker obtains a valid purchase order invoice and the supplier's email address, amends the bank account on the invoice to one they control, and sends it from an address that closely resembles the supplier's (the changes to the address are often very subtle). You receive this email from your 'supplier' and the payment goes to the attacker rather than the supplier. It may be days or weeks before the theft is noticed, by which time it is too late for your bank to recall the funds from the incorrect account.

Another example is receiving an email from a supplier advising that they have changed the bank account to which invoices should be paid. How do you know whether this email is legitimate? A genuine supplier will normally notify you of such a change well in advance. If you receive this kind of email and are ever in doubt, speak with the 'sender', using contact details you already hold rather than those in the email, before clicking any links or changing any bank account details.
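The "subtle change to the address" described above is something a finance team can check mechanically before anyone picks up the phone. The following Python is an added example and is not code from the Aon article: it compares the sender's domain against a list of supplier domains you have already verified, and flags near-misses produced by typos, homoglyph swaps (rn for m, 1 for l) or a verified domain used as a subdomain of something else. The supplier list, the homoglyph table and the sample addresses are all constructed assumptions.

```python
import re
import unicodedata

# Constructed allowlist: sender domains you have already verified out-of-band for each supplier.
KNOWN_SUPPLIER_DOMAINS = ("acme-supplies.com", "northwind.co.nz")

# Characters attackers swap in because they render almost identically (assumed list, not exhaustive).
SINGLE_CHAR_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})
MULTI_CHAR_HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def sender_domain(address: str) -> str:
    """Return the lowercased domain of an address, accepting the 'Name <user@domain>' form."""
    match = re.search(r"<([^>]+)>", address)
    addr = match.group(1) if match else address
    return addr.rsplit("@", 1)[-1].strip().lower()


def normalize(domain: str) -> str:
    """Fold a domain into a skeleton so visually confusable spellings compare equal."""
    folded = unicodedata.normalize("NFKD", domain).encode("ascii", "ignore").decode().lower()
    folded = folded.translate(SINGLE_CHAR_HOMOGLYPHS)
    for pair, single in MULTI_CHAR_HOMOGLYPHS:
        folded = folded.replace(pair, single)
    return folded


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, known=KNOWN_SUPPLIER_DOMAINS, max_distance: int = 2) -> str:
    """'known' for a verified domain, 'lookalike' for a near-match that warrants a phone call, else 'unknown'."""
    domain = sender_domain(address)
    if domain in known:
        return "known"
    for good in known:
        # A verified domain used as a subdomain of an attacker's domain, e.g. acme-supplies.com.evil.net
        if domain.startswith(good + "."):
            return "lookalike"
        # Homoglyph substitutions collapse to the same skeleton as the real domain
        if normalize(domain) == normalize(good):
            return "lookalike"
        # One or two typos away (swapped, dropped or added letters)
        if edit_distance(domain, good) <= max_distance:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample senders, as they might appear in an accounts-payable mailbox.
    for sample in (
        "accounts@acme-supplies.com",
        "accounts@acrne-supplies.com",
        "accounts@acme-supp1ies.com",
        "Acme Accounts <accounts@acme-supplies.com.evil.net>",
        "noreply@example.org",
    ):
        print(f"{classify_sender(sample):9} {sample}")
```

A "lookalike" result is a trigger for the out-of-band verification call, not a verdict; the edit-distance threshold of 2 will occasionally flag genuinely unrelated short domains, and a compromised mailbox at the real supplier would still classify as "known", which is exactly why the bank-account change itself must also be verified by phone.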

Here are some steps you can take to reduce cyber risk.

• Ensure all bank account changes require a second means of verification – a phone call or text to your already-verified contact at the business, using the details you hold on file rather than those in the email, to confirm the change is valid.
• Where applicable, require a minimum of two people within the organisation to verify that the change is valid. This includes the verification call above and, if required, contacting your own bank to acknowledge the change. Large one-off transactions should already be subject to this control.
• Record all changes, the dates, and the signatories involved.
• Document the above processes and train staff on them, so that annual leave or a staff member being away from their duties does not create an opportunity for the process to be skipped.
• Be extra diligent: take a little extra time to consider the request and its legitimacy.

Covid-19 for cyber criminals is like the holiday period for burglars – their business model is thriving! Aon has seen a rise in phishing-style attacks and Cyber liability claims targeting all businesses, even the small ones. Some ‘digital hygiene’ is prudent:

• ‘Bring Your Own Device’ and remote/agile working have the potential to create situations where claims arise; personal devices and home networks are usually far less controlled than the office environment.
• Stay alert for phishing emails and websites – be on the lookout for emails or websites that ask you to click on suspicious links or request sensitive information. Criminals are skilfully crafting communications which can be very difficult to identify as a phishing email or website.
• Test remote working capabilities and policies: this should be part of a regular Business Continuity Plan. Ensure that all staff understand the protocols they must adhere to when working remotely.
• WiFi may be your enemy: public and personal WiFi networks may be compromised in certain circumstances. Forget saved WiFi networks on your device as soon as you disconnect (so it does not later auto-join a rogue network using the same name), set a strong password on your home router and, where possible, work over a VPN.