Cyber security may not have been a ‘hot topic’ among insurers pre-COVID, but several high-profile cyberattacks over the past year have made many businesses reflect on their vulnerabilities – particularly with the rise of employees working from home, who often forget to practise good ‘cyber hygiene.’
Deloitte director of cyber, privacy and resilience Rajesh Pradhan recently spoke to FSC members about the importance of protecting business data, and noted that the ‘digital ecosystem’ has become very broad. Protecting your data now means protecting every tool or system that you give your employees – something Pradhan says businesses need to be aware of when conducting their security reviews.
“When we think of cyber security, what we’re talking about is the compromise or disruption of any of your services to consumers, and also the breach of confidential data,” Pradhan said.
“Attackers are usually trying to grab that confidential data – it could be financial data, intellectual property, personal information, or anything else that could be important to the business.”
“Attackers will try to monetise that, sell it on the dark web, or potentially commit identity theft,” he explained.
“From a cybersecurity perspective, we’re really trying to protect that ecosystem, and that can be tricky, because it has become quite large. The introduction of things like cloud services can be good if you’ve put a lot of effort into making them secure, but it can also open up the enterprise.”
“You have a lot of data going up into the cloud, and so that whole ecosystem is now quite wide,” he added.
“You also have people coming and going from the organisation, so controlling access to that data can become really difficult. That’s why you need the executives and board to really understand what the risks are, so that you can collectively try to fight against it.”
When it comes to protecting your business against cyberattacks, Deloitte’s manager of cyber, privacy and resilience Werner Swiegelaar said one of the most common misconceptions employees have is that working from home means they do not need to report suspicious activity, or to do things like secure their network.
He said things like multi-factor authentication can also be invaluable in guarding your accounts against potential breaches, and the benefits of such tools will usually far outweigh their inconvenience.
“Now that the new normal has settled in and the majority of people have the ability to work from home, there are a few things to be aware of,” Swiegelaar said.
“If you’re receiving suspicious emails, just because you’re not in the office, that doesn’t mean you don’t need to report them. Whether it’s coming from a CEO, CFO or one of your colleagues, if it looks suspicious, then give that person a call and check. When you’re at home, you should also be aware of your wireless network – pay attention to whether anyone else could be signed on to your network, and if they could be monitoring any of your traffic.”
“There’s a lower adoption rate for things like multi-factor authentication as we become older, so if your account does have the ability to enable this – it’s a couple of seconds of inconvenience, but it could potentially save you from a financial or other kind of loss,” he explained.
“Finally, just be vigilant when you’re at home. If anything looks suspicious, report it. Make sure your systems are up to date and that you’re regularly patching everything, updating your antivirus, etc.”
Swiegelaar noted that when the COVID-19 pandemic hit, most businesses had all of their attention focused on setting the right tools up, but not necessarily on securing them. With everyone now comfortable with the ‘new normal’, he says it is time to revisit those new tools and systems and ensure that everything is as attack-proof as it can be.
“From a business perspective, be aware of the services that you’re exposing your employees to when they’re working from home,” he said. “Do you have the necessary controls in place to actually protect those services?”
“As COVID-19 ramped up, a lot of people were just trying to get those services available so that employees could just start operating, but a lot of the security and protection of those systems had not been forethought, and those organisations now need to go back and protect those services they’re offering.
“It’s all about maintaining that vigilance, and if you’re not sure, it’s always better to ask.”