Three cybersecurity considerations for business clients in the COVID-19 era
In a recent survey, sixty-five percent of small-business owners said they have been a victim of a cyberattack.
Small businesses across the nation have been forced to adapt or close as a result of mandated shutdowns to minimize COVID-19’s impact. For many business owners, that meant quickly transitioning employees to a work-from-home strategy. And now as state governments map out plans to reopen their economies, business owners may be weighing whether to return to business as usual or keep at least some employees working remotely until the worst of COVID-19 is in the rear-view mirror.
Early on, the Cybersecurity and Infrastructure Security Agency (CISA) warned that cybercriminals, always in search of victims of opportunity, could take advantage of public concern surrounding COVID-19 by launching cyberattacks. In fact, as early as January, related scams had emerged, and Gmail reported in April that it was blocking 18 million coronavirus-linked phishing and malware attacks every day.
While serving small-business clients, insurance agents can play a critical role in these difficult times. A recent survey of small-business owners by Nationwide reinforced the importance of discussing cybersecurity with clients, with 65% of small-business owners surveyed admitting to having fallen victim to a cyberattack.
Independent agents can help clients understand how their organization’s operational changes, although helpful in reducing exposure to the virus, can greatly increase their exposure to cybersecurity gaps if not appropriately managed.
By talking with clients about cybersecurity measures and steps for addressing potential exposures, insurance agents can strengthen relationships, reduce their business clients’ cyber risk profile, and bring them some much-needed peace of mind. To broach this topic, here are three critical cybersecurity considerations agents should include in client discussions:
Follow best practices to defend against attacks
Encourage small-business clients to follow best practices, like those from CISA, for safeguarding their systems and sensitive data, both at the office and while working from home. Some are easier to implement than others, but any combination of actions businesses take will be a step toward greater security.
Here are some important best practices to start with:
- Utilize antivirus software and a firewall to provide an initial layer of protection between your information and bad actors.
- Use secure internet connections and require that employees use a VPN when connecting from public WiFi or working with sensitive data.
- Make sure all software, particularly on your firewall routers and VPNs, is regularly patched and up to date.
- Back up your systems to combat ransomware attacks: make sure you can restore your files should an attack occur, and keep several days’ backups.
Educate and train employees to work securely
Even the most secure network won’t be effective if employees aren’t trained to defend it properly. Nationwide’s survey showed that only 20% of small-business owners had committed their employees to formal cybersecurity training, despite the reality that employee missteps represent one of their largest threats.
Agents should encourage clients to be diligent in educating employees on the importance of working securely as well as training them to recognize and protect against cyber risks. For example, companies can combat phishing attacks by training employees to use caution when clicking links, opening attachments or sharing personal information. Both business owners and employees should also know what to look for in common cyberattacks, and be familiar with the latest scams.
According to Nationwide’s Information Security team, current trends place coronavirus-themed scams into three categories:
- Email scams and fake mobile apps impersonating medical organizations, such as the CDC and WHO, that can deliver malware.
- Financial scams, including the sale of fake or counterfeit medical supplies (e.g., N95 masks) and collections for fraudulent charitable organizations.
- Misinformation distributed via social media in order to drive panic, which can increase the shortage of medical supplies and food.
Your clients should also have a clear process in place for employees to report suspected scam activity or raise alarms if they suspect a breach. To be most effective, employee training should contain a testing component, which can help determine what holes might need to be filled.
Review and update remote work security policies annually, if not more often
Hackers are continually evolving the penetration tactics they use, so it’s critical that businesses continually revise remote work policies to keep up and account for changes. Alarmingly, only 50% of the small-business owners we surveyed had updated their remote work security policies in the past year, a gap that is sure to be exploited by cybercriminals in the current environment, so this is a point to reinforce to clients.
Hopefully, these tips can help prevent small-business clients from complicated and costly cyberattacks. At the very least, discussions will increase awareness of the additional risks they may be facing.
Last, but certainly not least, talk to them about their cyber insurance needs, which can serve as a valuable safety net, should the worst occur.
Catherine Rudow is vice president of cyber insurance for Nationwide. With over 25 years’ experience in the (re)insurance sector, she is responsible for developing and expanding the cyber product expertise across Nationwide.