By Bruce Penson, MD of Pro Drive
But rather than going fully remote, many companies will likely take a more hybrid approach, with workers dividing their time between home, the office and even co-working spaces.
Sounds like the best of both worlds. There’s just one problem: cyber security.
Remote working leaves gaps for increasingly sophisticated cyber threats to creep in. So, if home working is going to become a permanent feature of business — even on a flexible basis — the ‘temporary’ arrangements deployed in haste at the start of the pandemic will need an overhaul. Especially for regulated industries like insurance, where there’s even more at stake…
What are the risks?
The pandemic has changed the way we work. But it has also paved the way for hackers to target the new wave of home workers and exploit the growing use of technology.
Pre-COVID, most forward-thinking insurance companies would’ve implemented various measures to secure their IT equipment and systems. But these measures were based around an office IT setup — designed, installed, monitored and maintained by professionals — not home IT setups installed by people with little or no IT expertise.
Now, resources are stretched. Organisations are struggling to keep hardware, software and systems up to date. Fewer businesses are deploying security monitoring tools, network firewalls or malware protection. At the same time, remote workers are using home networks (an open invitation to cyber criminals), and companies are failing to train staff in preventing cyber crime.
No wonder working from home has become the new gateway for cyber criminals. These criminals saw their opportunity and grabbed it with both hands.
The stats don’t lie. Cyber crime has soared since the start of the pandemic as attackers help themselves to the feast of vulnerable IT systems available. According to McAfee, cloud-based attacks increased by 630% between January and April 2020. The UN also warns that malicious emails have spiked by 600% since the end of February last year, with a phishing attack now taking place every 39 seconds.
Then there’s the issue of productivity. If staff can’t work effectively in this hybrid manner due to slow or cumbersome IT systems, how can firms expect to remain competitive, attract top talent and maintain client relationships?
Businesses — particularly those in regulated industries like insurance — are now also under closer scrutiny than ever before. Clients rely on these firms and their technology, and will likely conduct more due diligence as they tighten their own cyber processes. So, you can bet they’ll be looking at security when making buying decisions.
What can you do?
Going out and spending a fortune on security software isn’t the answer. Yes, software solutions play a part. But cyber security is, ultimately, a people-centric problem that requires a review of processes and procedures — as well as proper technical configuration.
In fact, according to Cybint, 95% of cyber security breaches are caused by human error. An annual survey conducted by Apricorn also found 58% of UK IT decision-makers believe remote workers will expose their organisation to the risk of a data breach, yet 15% have no control over where company data goes or where it’s stored. A telling takeaway about the cyber security landscape in the post-pandemic world.
So, what can insurance companies and other regulated industries do to secure their equipment and systems? Government schemes such as IASME Governance and Cyber Essentials are a good place to start. They help firms understand where risks lie so that they can adapt accordingly.
Cyber Essentials is a UK Government standard that can help insurance firms reduce the risk from the most common cyber threats, including those associated with remote working, by up to 80%. A Cyber Essentials certificate demonstrates that a business has made a serious commitment to tackling cyber security and will help to reassure business and private clients that their data is in safe hands.
However, even with all the right intentions and certifications in place, it’s almost impossible for businesses that don’t specialise in IT to keep pace with cyber security developments. So, it’s well worth enlisting an advisor — either internal or external — to help.
Why should you care?
Considering Statista’s recent findings that the average cost of a security breach for UK businesses is £2,670 (increasing with business size), it’s not something companies can afford to neglect.
Even a simple virus or malware could disrupt business productivity — or worse, result in the loss of company or client data, severe reputational damage, hefty fines or even prosecution.
The General Data Protection Regulation (GDPR) requires organisations to have measures in place to protect all personal data. And regulated industries such as insurance and financial services also come under additional scrutiny from the likes of the Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA).
But why wait until a governing body or client demands action following a breach? Once the attack has taken place, it’s already too late. The damage is done. Instead, insurance companies should be taking a proactive approach to securing their equipment, systems and data — particularly as staff continue to work remotely. Other firms will be doing it; those that fail to do so will send a clear signal that they don’t care about cyber security (or their clients’ data!).
Few companies would even consider not taking out business insurance. Now, it’s time that firms start thinking of good cyber governance as another insurance policy — one which is vital to doing business in the modern world.