- Cybercrime reports have jumped from about 1,000 per day pre-pandemic to almost 4,000 per day, according to the FBI.
- With more employees working from home, companies are more vulnerable than ever to cyberattacks, which can be costly for businesses.
- Companies should invest in cybersecurity tech to protect remote workers, including tools to control access, encrypt and protect data, detect attacks, and backup and recover data from cybercrimes.
- This article is part of a series called Risk and Resilience, which focuses on identifying some of the growing risks that companies should be aware of to help them build more resilient companies in the coming year.
More people are working remotely these days, as businesses strive to keep their employees safe and help stop the spread of COVID-19. But with so many employees working outside the office, organizations may be opening the door to a different kind of threat: a cyberattack.
The FBI’s Internet Crime Complaint Center (IC3) has seen an uptick in cybercrime reports during the coronavirus crisis, with 3,000 to 4,000 a day compared to 1,000 a day before the pandemic. As of May 28, IC3 had received 320,000 complaints for the year, almost as many as the 400,000 or so for all of 2019.
Cybercriminals tend to take advantage of crises, like COVID-19, and the shift to remote work has made businesses more vulnerable. When employees are working from home, they’re likely using their home internet and not protected by a company’s on-premise firewall, creating ripe conditions for a cyberattack, said Doug Matthews, vice president of data protection and compliance at Veritas Technologies, a data management company.
Many companies simply aren’t prepared and lack a cybersecurity configuration capable of fully protecting their data while employees aren’t in the office, he added. That’s why there’s been an “alarming rate” of cyberattacks during COVID-19, according to an Interpol report from August, with the most common cyberthreats being online scams and phishing, ransomware, data harvesting malware, malicious domains, and misinformation scams.
Investing in cybersecurity tech is good for business
Too many organizations mistakenly believe they’re not a target, and that puts them at risk, said Richard White, an adjunct professor of cybersecurity information assurance at the University of Maryland Global Campus, “There’s no reason why any responsible business owner, regardless of size, should say, ‘Cybersecurity doesn’t matter to me,'” White said.
Cyberattacks cost businesses in more ways than one. In 2019, victims lost more than $3.5 billion due to reported cybercrimes, according to the FBI. Business email compromise alone led to $1.7 billion in losses.
Businesses could lose customers, too, said Sara Jodka, an employment and cybersecurity attorney at law firm Dickinson Wright, "[Cyberattacks can] become a customer-experience and brand-reputation issue that no amount of money can usually account for, especially if it's made public," Jodka said.
Consumers expect companies to protect their information. According to a 2019 survey by digital payment platform PCI Pal, 83% of US consumers said they would stop doing business with a company for a few months after a data security breach, and 21% would never do business with the company again.
A company's cybersecurity program could also help with hiring and employee retention, as a company's brand increasingly factors into the decisions people make about where they want to work.
Factoring in all of these costs, White said the price of cybersecurity is "worth its weight in gold." The cost of cybersecurity technology varies widely, but he said investing $10,000 to $15,000, though it may seem like a lot to some businesses, will protect your most valuable assets.
What an ideal work-from-home setup should include
The first step in creating a cybersafe remote-work setup is to provide employees with a laptop with the correct security configuration for access control, encryption, and a perimeter firewall, White said.
Access control refers to a two-factor (or multi-factor) way to authenticate, encrypt, and grant access to employees working from home. It requires users to provide multiple pieces of information before access is granted and protects their credentials.
Encrypting all data ensures confidentiality and privacy, and a firewall protects the network, he said, "So you can allow access remotely and control it and monitor it."
A VPN (virtual private network) is also needed to secure data and ensure that it's transmitted through an encrypted path. Without a VPN, White said, "data would move through clear text across the hostile internet, and there'd be no way to control the path that the data would take."
Malware scanning technology should be included to protect systems from a variety of attacks, including ransomware, Matthews added. "If you do it effectively, that's going to stop 99+% of the problem," Matthews said. "But sometimes something is so new, those tools haven't detected it yet and aren't ready to detect it."
A detection capability is another must for identifying problems as they happen. Early detection of a cyberattack lets you remedy the situation immediately and pinpoint exactly when your data was compromised if an attack occurs, Matthews added.
Backup and recovery technologies are vital, too. Matthews suggested relying on a "three, two, one rule" to protect and recover lost data. "You need three copies of every bit of data in at least two locations, one of which is completely air-gapped," he said.
Everyone within an organization must embrace cybersecurity protocol
Employee negligence, such as clicking on a suspicious link, is the biggest cybersecurity risk for businesses. So for a cybersecurity program to be successful, it must be a top-down initiative with ongoing communication from the C-suite to all employees, Jodka said.
Employees also need to know who to call and what to do if they're faced with a potential cyberattack, and if there's disciplinary action for negligence. Organizations should hold regular training on cybersecurity, including testing employees' abilities to recognize phishing attempts, White said. Training should also cover industry-specific data protection regulations, such as the Health Insurance Portability and Accountability Act (HIPAA) in the healthcare sector. Regular reminders about cybersecurity will keep it fresh on everyone's mind, too.
According to PwC's Workforce Pulse Survey from July, just 30% of employees said they received training on protecting company and personal data and information, even though about 70% of technology officers said they increased cybersecurity training because of the pandemic. And 23% of employees said their organization didn't offer a "compelling case" for good cybersecurity practices, and less than 30% said their employer provided a device for them to use while working remotely without having to use their own personal equipment.
Data breaches from cyberattacks could land company leaders in legal trouble, Jodka said. In January 2019, former officers and directors of Yahoo agreed to pay $29 million to settle claims that they had mishandled customer data during several cyberattacks from 2013 to 2016 that compromised three billion user accounts.
The Yahoo case "changed the game," Jodka said, showing that cybercrime could be seen as a breach of the duty of care and duty of loyalty that officers and boards of directors have to their organizations.
As the transition to remote work continues, cyberthreats will likely intensify, and investing in cybersecurity to tighten security remains a critical issue for businesses of all sizes.
"The issue is still significant as thousands and thousands of dollars continue to go out the door in response to these phishing and other schemes," Jodka said.