McGriff Homepage

Examining Cyber Security Risks

Learn more about cyber security risks caused by the coronavirus

SUZANNE GLADLE: Hello, everyone. This is Suzanne Gladle, and I'd like to welcome you to the McGriff Coronavirus Advisory Series. I'm the cyber practice leader in McGriff Executive Risk Group. And joining me today is Aarti Soni, our cyber director and product innovation counsel.

And today's forum is going to focus on examining cybersecurity risks and the evolving coronavirus environment. And joining us today we have an expert from G2S Global. G2S Global is our trusted cybersecurity partner that many of our clients have come to know through the demonstration of our jointly developed proprietary tool, which is used to assist our clients in cyber risk quantification.

The highly specialized G2S team comes from a variety of commercial and government experience in various cybersecurity operations. Their focus is making business decision based on the return on investment rather than a patchwork compilation of endless products and tools. And with that, I'll turn it over to Aarti to ask her question.

AARTI SONI: Thank you, Suzanne, and thank you all for joining us. So our first question today is really when we're looking at the COVID-19 and the coronavirus risk, I think most people are thinking of physical health. And with social distancing and the other measures taken in place, I'm not sure that a cyber threat sort of comes our top of mind. So can you tell us what kinds of threats you're seeing or what kinds of threats we should be anticipating?

MARK: Yeah, sure. First, thanks for having me. A nice break from what is quickly turning into everyone's day to day working from home here. Not sure what you guys have going on, but mine has turning into a distinctly Lord of the Flies feel with the kids and family all in the same house.

It's funny we kind of talked about these questions yesterday. And we talked about what threat do we expect to see. And just in 24 hours, it's changed to very clearly what are we seeing? So I'd probably start there and then maybe backtrack into what we still expect to come down the pike.

But the first and foremost that we've absolutely seen an uptick in, that's just an uptick. It's a hockey stick curve, because it didn't take long for the kind of traditional business process fraud—the one that's telling you, hey, we have to pay a vendor differently, et cetera, to just skyrocket.

And they're trying to take advantage of the gap of a suddenly—they've got accounts payable who has, hopefully, a two-person sign off on any changes to supplier payment. But there used to be maybe in the cubicle next to them or in the office next to them. And now they're suddenly distributed.

And we're seeing a lot of incoming well-written business process fraud type social engineering scams with the typical theme being something around, hey because of xyz from coronavirus, we're going to have to pay some of our suppliers mid-month. And in order to process that payment, we've changed some of the payment terms. Can you please process a March 1st and March 15th payment to this account?

I mean, they do it better than I just—I didn't do it justice with how I just described it. So that's first and foremost. And that's not hypothetical. That's happening now. They were happening before this. But now we're seeing them specifically pulling on the strings of AP.

There's a new process everywhere. You're working from home. You're coming in hopefully through a VPN. You've got suppliers that maybe you have to stop or extend payment terms. And so when something comes in that says, we just need something mid-month here, it doesn't seem so out of place versus what maybe a month ago would have been normal. That's the first place I'd start is the business process fraud that is absolutely happening today.

SUZANNE GLADLE: What about other phishing schemes that you're seeing, perhaps taking advantage of employees' guard being down because they were expecting communications from their school's principal or other folks?

MARK: Yeah, definitely. And that's the one that we are already seeing some from work-related and from what we've just bucket as personal-related, like schools, et cetera. So definitely increased phishing scams in that sense as well, our social engineering.

They seem to be simply right now preying on the idea that there's a thirst for information, which is hard to believe, because to me, it's almost too much information. But like you said, a principal or an e-learning, like our kids are going through right now-- click on this link, reset your password-- all that stuff where I'd say it's a modest uptick.

But we should just expect it to continue, because, really, if I could segue into another thought that we're having here is they might be taking advantage of this kind of instability right now, not just in the US, but globally with these distributed workforces. But it's also a new normal. And so that's what we need to expect here.

It's a new normal in that there's going to be, I think, a switch in the volume of people that end up working remotely. And as such, if business process fraud since it was already a big business, they really only have to be right once or twice a day to make significant amount of money with almost no repercussions based on the geographic distances and lack of prosecution.

Well, now they've got a much more fertile ground to go after. And you've got companies that are worried, including us, right? And everyday companies who are worried about operations and cash and keeping customers happy and getting new customers and our projects going to pause-- all of a sudden and mentally if you think about it as a human, you're much at lower guard of the other things that you've been taught or learned to behaviors rather than innate. And one of those learned behaviors that people are already poor at is not clicking on those things. I mean, we hear the failure rates all the time.

So now, maybe you're distracted. You're tired. You've got somebody pulling on your leg asking you to help something, help you with homework. Whatever it might be-- whatever phase of life you're in, you're now going from 25% of the workforce if you were lucky clicking malicious links. And maybe it goes up to 45%. Well, 20% is a huge jump when you only need to be right once in order for something bad to happen.

AARTI SONI: You mentioned a couple of times more people working remotely. And just following the news, it looks like a lot of US governors, at least, are mandating that companies of certain size don't have over 50% of their workforce in any sort of physical office. What is that doing to the overall system that, for example, we're using Webex right now. What is that doing for overall technology systems that are being more widely utilized?

MARK: Yeah, great question. So our products that just in case I use the term, it's Cybeta, right? And I'm going to give you a real example here with real numbers to hammer home what it's doing. So our Cybeta products, that includes a portion of it that has to do with monitoring and reporting on connections and alerting on potential problems with connections. And I'll leave it at that for what we're talking about here.

We have one particular customer who on a typical day up until a week ago, I guess, not even a week now, had 3%. This is a customer with, I think, 4,000 employees worldwide—something along those lines—or 3,000 employees worldwide. They had 3% of their workforce working from home.

So not necessarily remote because they had a lot of people traveling too. But actually tagged to work from home. So 3% of 3,000 is-- let's just call it-- what's that? 100 people—something like that. Then last Wednesday, a week ago today, they sent 50% home-- exactly like you just said.

So now they go to approximately 1,500 people. As of last Friday starting with two days ago, then, it's 100% except for maybe a few production facilities for what they do that they need to keep running some food, right? So we don't want production of food to stop. That be the worst thing.

So they do have some of those still going into their factories. Well, so now you've gone—let's call it—2,700 out of 3,000. And they had to set up a system for their VPNs that they figured a surge which could take them from 3% to 10%.

So what they immediately faced and one of the reasons they reached out to us because we helped them with their security, not necessarily their infrastructure, but we have save it as partnerships in this field is they had availability issues. They had volume of user issues. They had people that were saying, well, I can't get on the VPN. But I need to do this work. So now they're bypassing protocol and attempting to do things through personal computers or through insecure connections.

And so from a pure just numbers perspective, if you had a VPN license that said you could have up to 100 concurrent logins in a 24-hour period—you go from 30 to 300 or whatever the number worked out to—it might work for a little bit because of time zone differences. But now you go from 300 to 2,700—it doesn't matter if you're spread across the entire world.

You're going to be over your limits. You're not going to be able to transfer data. Now, and I'll keep going on that thought because it hadn't occurred to me until it started happening to this client. We think of it as, oh, I can't get to my email, right? Annoying, but you can always call and or maybe call and get things done.

We're talking about systems here that have to send orders. It's a supply chain issue-- have to pass payments-- have to receive orders from vendors and from customers and then send them to vendors and suppliers. We're talking about very important things that are well beyond email. And if those start to shut down, now you've got an increase of email saying, hey, I can't get onto this system.

So it's kind of a snowball effect when these systems can't handle it. And then you add in Webex and all the free conference call, other tools that we use that are suddenly seeing this increased volume. So on the flip side or on the positives, though not to paint a picture, it's not like the technology doesn't exist to suddenly go from 100 licenses the 3,000. It does, but it also takes 48 to 72 hours to get it set up.

Those companies are being inundated with requests for us. They've got to open up the pipes. They have to work with the IT shop to set up the right landing spots for the VPN. So a lot of the business functions that people are used to getting set up with really little urgency over the course of a few days are suddenly being rushed into, can you do it tomorrow because my whole workforce is remote.

And those are just a couple of the examples that we're seeing. Then you layer on top of that everything I just said, we didn't even talk about security yet. What happens when you start putting 3,000 people on a VPN? Are they doing safe surfing practices? Are they using reliable internet? What order are they connecting to? Or in, what process are they taking to connect to the VPN?

Are attackers going to be looking more closely or insecurely set up VPN connections? And the answer to that one I can tell you already is yes. It was happening before anyway. But if you've got a particular transport layer that's insecure and that's how you set up your VPN, you've gone from 30 out of 3,000 chance that somebody notices and attempts to exploit it to 2,700 out of 3,000. And that's just for one company. So security is on top of the actual productivity issues that we're seeing.

SUZANNE GLADLE: So to that point, is there any way that we could be more resilient through this time period?

MARK: For sure. And that's kind of why I was trying to be a little positive at the end there. The technology exists to get through this. And that's what I think will become the new normal. I think what you're going to see are like the VPN product that we work with through Masergy. The licensing going to 3,000 or 6,000 or 9,000—they're going to sell it in those nodes. And it's going to allow that kind of upward capacity.

So I think the companies who are really starting to get it right now are limiting the use of their current environments to the critical thing to keep the business running while the IT and tech shops are working with whatever company they're using to up that total ceiling bandwidth and just get it above or to your total employee level knowing that you should never really go above that.

And then we can deal in three, six months or whatever this takes to go back down. Do we need to lower that ceiling? Or do we just keep it there so that we always think of it more of as a contingency planning or business interruption planning to use some of your insurance language.

Maybe that's the new normal. Maybe my own company instead of thinking of saving $7 a month on licenses said let's get licenses for every single employee. And if we ever need it, we know they're there. And I think that's probably the best way that companies can, not only get through this period, but think of it moving forward as the way to operate.

AARTI SONI: In looking at our sort of standard pie chart of threat actors, who are the standouts here? Where do you see the uptick in a particular group of actors sort of taking advantage of the global vulnerability?

MARK: Currently it's definitely the criminal element-- that business process fraud I was referring to. That's for sure. And that's annoying, right? We're seeing hospitals—what [INAUDIBLE] already happening. But you're seeing hospitals and ransomware at a time where you're basically vulnerable. We're seeing on a concerted focus on those types of things.

So that's without a doubt the one staring us right in the face, and it's worrisome. But the one I worry about and we're not seeing yet-- I know Suzanne already knows this about me—but I don't have much faith in humanity particularly on politics. I'm worried about the idea that never waste a good crisis from a geopolitical perspective.

Without pointing any fingers, I'm making a hypothetical statement here. But I'm more worried about the long-term or even medium-term focus meant for maybe state actors who can thread the needle of this chaos and maybe not create damage now but get a foothold onto networks maybe at a time of increased exposure and decreased security to do potential attacks down the road.

We have an election coming. We all know the potential things that could happen there. So for me, we've got to deal with the criminal element now. But we need to also be mindful that there's always the state element looking for the opportunity, particularly if their country either isn't fully affected or has it under control looking for the opportunity to exploit maybe when our guards are a little bit doubt on those types of risks.

SUZANNE GLADLE: Well, to that point, more and more people are going to prefer to communicate with their physicians and health care providers through telemedicine tools. Is that going to create an greater attack surface? And are there things that our audience needs to be mindful of both from a business perspective as well as a patient perspective?

MARK: Yeah, for sure. So you guys would be the experts on the business side in terms of the insurance. But I was just talking with some colleagues this morning. I imagine that we're going to see some sort of PHI loss—story in the next who knows how ever many months. And, frankly, if that's what we're talking about in a few months, there would be almost a sigh of relief.

But I'm curious if there will be a pause on kind of the normal way that that creates a financial penalty, because what a PHI loss is because you had to kind of change this protocol for telemedicine, right? You're trying to respond to a crisis. And in doing so, you've set up some sort of patient portal or an exchange of data. Or you're not masking social security numbers in an email. But you're just trying to get patients rescheduled.

And kind of that war time feeling of, do we just suspend all that kind of risk? So from that corporate side but from the personal side that's not comforting, because the loss of your PHI has to come down to, do I really care if someone looks at my medical record? No, not from a knowing what my medical issues are. But I do care from a future fraud perspective and that effect on me.

So I think the increase in telemedicine kind of like the VPN issue, we already knew there was insecure, whether it's IoT or just telemedicine or insecure processes being followed in health care in any industry but in health care for this discussion. And now we're, again, going from maybe you had 10% of people doing telemedicine. And that's going to jump up tremendously here.

So if you just take the same percent as being insecure, in my example, you quintupled the amount of instances where there could be PHI data loss or something else. So for consumers, it doesn't really change what you should be looking for. It just means you should be looking to make sure the websites and apps are communicating a secure fashion.

You should make sure that if you're using a secure connection, you should make sure you're not transmitting over open communications insecure, sensitive information. So it's all the same types of best practices, except there's just a lot more people that are going to are already doing it. And so you increase your chance for error.

SUZANNE GLADLE: All right, well, those were some very insightful observations, Mark. And I think we're, oh, like, going to be a little bit more guarded and hopefully a little bit more thorough with our conformance to all of the cybersecurity protocols that our employers expect us to adhere to.

I think that this series will probably be the first of many to come. So we'll invite folks that are listeners to this Webex that if they have questions, they can direct them to me or to Aarti. And we're more than happy to explore those questions in our next forum. Thanks for joining us. Goodbye.

Insurance products and services offered through McGriff Insurance Services, LLC, a subsidiary of Truist Insurance Holdings, LLC, are not a deposit, not FDIC insured, not guaranteed by a bank, not insured by any federal government agency and may go down in value.

McGriff Insurance Services, LLC. CA License #0C64544