29 March 2021 | Insurance

Insurance firms inadequately protected against cyber risks of hybrid working

Some 44 percent of UK insurance firms and underwriters admit to having inadequate cyber threat visibility and detection systems to protect employees working remotely, with firms unaware of the volume of cyberattacks and data breaches impacting their remote workforce. This is according to new research by Doherty Associates.

The research found that a third of firms feel their IT environment is more vulnerable to a cyber or data breach with employees working outside the office, yet 58 percent expect the hybrid office to stay.

The study, which examined the cyber and data security practices of 750 UK insurance firms and underwriters and 500 employees since the start of the pandemic, also found that 1 in 5 employees are closing more deals and winning more business since working remotely, with over a third attributing this to “being able to work faster at home.”

Some 52 percent of the insurance firms and underwriters polled by Doherty Associates for its report ‘Who Moved My Moat?’ say their organisation has yet to experience a cyberattack or data breach since transitioning to remote working in the March 2020 lockdown.

A quarter of employees, however, said they have been the victim of a data breach or caused one themselves since working remotely, suggesting that employees are not reporting all of the mistakes they make to the firm. One in seven experienced a phishing attack or similar cyberattack and 46 percent admitted to emailing confidential client information or unencrypted attachments.

Only half of the firms surveyed have carried out a cyber risk assessment since working remotely, and 25 percent admit: “We can’t guarantee security on every device used out of the office.” Yet one in five said the cost of a major cyber or data breach to the business could be anywhere from £10 million to £50 million or more.

A third of employees in the insurance and underwriting sector surveyed by Doherty Associates said they have had no cyber awareness training since the first lockdown, and over two thirds admit to ignoring virus security scan requests or computer update alerts intended to safeguard their company’s systems and sensitive data.

Some 82 percent confess to working on a blend of work and personal devices when working from home, with 53 percent admitting to saving confidential corporate information to these devices. But only 13 percent of firms have put a block on personal devices for work use.

Terry Doherty, Doherty Associates CEO, said: “Operating a remote workforce in the cloud has many benefits, including greater flexibility, diversity and lower overheads, but it’s critical to ensure that teams continue to operate safely, securely and are fully compliant with FCA and GDPR regulations wherever they are working from.

“With the Government’s lockdown roadmap underway, employers are starting to plan for when restrictions ease with many reporting that hybrid working is here to stay. With employees working outside of the office, using a blend of personal and company devices, firms no longer have a single ‘front door’ to protect but a multitude of entry points to secure against cyber criminals. This is why it’s critical for firms to have excellent cyber hygiene.

“For maximum security but minimum disruption to teams, firms should also carry out a cyber risk assessment at least every six months, including penetration testing, to uncover any critical vulnerabilities or compliance issues. They should also ensure that all devices have multi-factor authentication, so employees keep their identity secure while working remotely. And they should build in comprehensive cyber awareness training for every employee, especially if they’re working outside of the office for the first time. Restrict use of personal devices and ensure that no company information is shared via personal cloud storage platforms where documents can easily be forgotten, and just as easily hacked.

“Your company is only as safe as your weakest link and by empowering employees with the knowledge to identify threats in real-time, they can become your greatest security asset and help prevent cyberattacks.”
