Cyber Risks for All-Virtual Commercial Ventures

    It’s been over a century since the world last saw a pandemic comparable to the COVID-19 crisis. The rise of digital connectivity and tools have expanded the range of options people and businesses have to connect to one another and continue certain essential functions while remaining mindful of public health.

    Advances in the digital realm, however, have also created new risks. As businesses shift online, they must weigh the need to stay in business with the risks of fraud, malware, data breaches and harm to remote workers. Insurers who understand these risks can better help customers obtain the coverage they need.

    The Rush to Virtual

    Digital tools made it possible to carry out a number of everyday tasks, like shopping and work, while also maintaining the physical distance from others necessary to help control the pandemic. As a result, online sales and work have exploded.

    Online Shopping and Customer Service

    As COVID-19 precautions shuttered businesses, many of these companies shifted their availability into the digital realm. Global e-commerce retail sales were 209 percent higher in April 2020 than in 2019, according to an ACI Worldwide study.

    An IBM study estimated that due to the pandemic, trends in digital versus in-person shopping have accelerated by five years beyond their previous trajectory. More people are shopping online, and they’re doing so more often than they did pre-pandemic, writes Sarah Perez at TechCrunch.

    Online shopping is expected to further increase through the winter holiday season. This year’s online holiday spending is projected to increase 33 percent over the previous year, according to a study by Adobe Analytics. Online appointment-making and scheduling of curbside pick-up of purchases has also become more popular, writes April Berthene at DigitalCommerce360.

    A Rapid Switch to a Remote Workforce

    Businesses have built customer relationships online since the pandemic. They’ve also maintained connections with their own staff online.

    Examining work patterns between March 30 and April 24, 2020, the Global Work-from-Home Experience Survey found that 88 percent of office workers worldwide worked from home at least one day a week during this time. Prior to the COVID-19 pandemic, 69 percent reported that they had been regular office-goers, rather than regular remote workers.

    Many business leaders expect the rise in remote work to remain permanent. An April 2020 Gartner study found that 74 percent of responding CFOs planned to move at least 5 percent of their previous on-site workforce to remote-only positions. And “nearly a quarter of respondents said they will move at least 20 percent of their on-site employees to permanent remote positions,” says Alexander Bant, chief of research, finance at Gartner.

    Both remote work and remote efforts to connect with customers offer a way to reduce viral transmission in a pandemic without sacrificing business relationships. Both options also increase business’s risk of facing cyber attacks, however.

    Even before the pandemic, cyber risk was an ongoing issue with the smallest commercial enterprises being the hardest hit. Verizon’s 2019 Data Breach Investigations Report found that 43 percent of data breaches targeted small businesses.

    Risks for Businesses Switching to Online Operations

    The digital world opens up opportunities during a pandemic that simply weren’t possible a few decades ago. From connecting with customers online to leading all-remote teams, businesses have a wealth of digital tools at their disposal. Unfortunately, use of those tools also comes with certain risks.

    Fraud and Malware

    Increased online shopping is convenient for customers, but it can “also attract fraudsters, resulting in a significant uptick in attempted fraud,” says Debbie Guerra, executive vice president at digital payment systems provider ACI Worldwide.

    In the first quarter of 2020, 26.5 percent of all online transactions were an attempt at fraud or abuse, writes Filip Truta at Security Boulevard — a 20 percent increase over the last quarter of 2019. The rapid worldwide rise in digital traffic came with an increase in attempts to take unfair or illegal advantage of that traffic.

    Hacking and similar activities were able to spike rapidly because much of the necessary infrastructure for credit card fraud and other malfeasance was already in place before the pandemic struck. In an October 2019 article for Forbes, for instance, Lee Mathews noted that Magecart, a popular credit card skimming malware program, had been detected in over 2 million transactions, and that it continued to affect over 17,000 domains.

    Magecart domains are now so popular there’s even a secondary market for them, writes Mathews. Others may adopt a domain after Magecart has abandoned it in order to continue preying upon visitors.

    In some cases, hackers are stealing data and then holding it for ransom. A Coveware report estimated the average ransom payment at the end of 2019 was $84,116. Companies, not individuals, were being targeted more often and the demanded payouts from them were higher.

    Attacks on Remote Workers and Data

    Workers are also feeling the pressure of increased cyber attacks. Workers who now work remotely are “being bombarded with attacks based on COVID-19-crisis themes that are taking advantage of delayed updates to email and web filters, and using social engineering to prey on workforce concerns,” write Venky Anant, Jeffrey Caso and Andreas Schwarz at McKinsey.

    “One quarter of all employees have noticed an increase in fraudulent emails, spam and phishing attempts in their corporate email since the beginning of the COVID-19 crisis,” write Klaus Julisch, Florian Widmer and Michael Grampp at Deloitte. This increase suggests that companies must consider cyber risk not only from attacks to customer transactions, but also from increased pressure on workers who are now working remotely.

    Many businesses are already aware of the increased remote-work risk. A survey of 350 top risk experts worldwide found that 50.1 percent list cybersecurity among their top pandemic-related concerns, writes Emilio Granados Franco, head of global risks and geopolitical agenda at the World Economic Forum. These respondents, however, focused on the cyber risks involved in moving their workforce to a remote, digital work environment, rather than on the risks involved in an increased online presence for customers or clients.

    Opportunities and Challenges for Cyber Risk Management

    “While business continuity, and even survival, has become the key priority, companies and employees are now exposing themselves to significantly increased cyber-risk,” write Paul Mee and Rico Brandenberg, partners at Marsh & McLennan Companies. Rushed digital launches, combined with physical and mental fatigue from navigating the uncertainties of a pandemic, mean increased chances of mistakes that could lead to a breach or other cyber risk event.

    Chief information security officers and other business leaders “must balance two priorities to respond to the pandemic: protecting against new cyberthreats and maintaining business continuity,” write Jim Boehm, James Kaplan and Nathan Sportsman at McKinsey. Striking this balance means finding and implementing the right tools and insurance coverage to keep remote teams working without unduly exposing the business to digital attack.

    Companies can address cyber risk management by identifying key assets, examining the vulnerabilities they face and prioritizing changes accordingly, writes Gidi Cohen, founder of Skybox Security. Developing clear policies and procedures through this process can help keep everyone in an organization on the same page. It can also help companies understand their needs and communicate more effectively with their insurers.

    “While there is no pandemic playbook for cybersecurity professionals, there are best practices that [chief information security officers] can utilize to manage through the uncharted waters ahead,” writes Cohen.

    There is no single, simple answer to cyber risk. These risks can be managed, however, allowing businesses to continue serving customers and engaging their workforce in a digital environment.

    Images by: rawpixel/©, Cathy Yeulet/©, ferli/©

    Bridging the gap between traditional insurance distribution models and today's digital age.