Cyber Risk | How to be cyber resilient during COVID-19

COVID-19 has transformed the way we work in order to deliver results for clients and stakeholders. For organisations to survive and thrive in this new world, maintaining cyber resilience is paramount.

Hackers often exploit large scale events and COVID-19 is no exception. At Aon, we have witnessed a variety of attacks where criminals attempt to exploit the current situation. These include among others:

  • Coronavirus phishing scams preying on fear and confusion about the virus

  • Phishing and scam websites themed around the pandemic

  • Exploitation of leading corporate VPNs with major vulnerabilities

  • Ransomware attacks on hospitals where scammers anticipate the urgent need to function will push administrators to pay ransom amounts

Internationally, London alone had 400 per cent increase in cyber scammers, who are targeting Covid-19, while Google has blocked an extra 18 million coronavirus phishing scams a day, on top of the 240 million already getting blocked before all this.

As thousands of New Zealanders prepare to go back to work during Alert Level 3, the risk becomes even greater.

Recognition | What are the major threats organisations are currently facing?

Phishing, Vishing and Smishing – Many Phishing emails are masquerading as official correspondence regarding COVID-19. CERT NZ, the United Nations and the World Health Organisation have all distributed notices about the threat. Vishing (via telephone) and Smishing (via text or WhatsApp) attacks have also increased in frequency, and in a work from home environment where colleagues and clients are increasingly connecting via mobile phones, vulnerability increases. Short message attacks will generally seek to redirect a victim to a compromised website in order to harvest user credentials.

Social Engineering – This involves a fraudulent request for funds made from either a compromised business email account or an email address masquerading as a genuine account. This is likely to prove more effective in an environment where it is more difficult for employees to verify instructions (e.g. by checking with a colleague in-person). This intersection of cyber and crime exposure, which has caused more than USD 12 billion in international losses in less than five years, is discussed in more detail among other major cyber risks in Aon’s 2020 Cyber Security Risk Report.

Action | What steps can organisations take to ensure strong cyber risk practices?


Recognising these threats is an important first step, but companies will be differentiated by how they prepare for the increased risk. 

Working from home

  • Ensure work-from-home employees understand how to configure and connect to company Virtual Private Network (VPN) providers and avoid split-tunnelling.

  • Plan fall back measures for phone-based and off-net communications and work, as many Virtual Private Network (VPN) providers may encounter scaling issues as large numbers of users join.

  • Ensure the computers and devices work-from-home employees use are updated with the most current system and application versions.

  • Assess cyber security resilience plans/incident response plans and ensure that cyber insurance limits are appropriate for any potential financial impact as the result of a cyber-attack.

Phishing, Vishing and Smishing

  • Look to regular news sites and official government websites for COVID-19 information

  • Be sceptical of advice that doesn’t come from official sources, particularly if it’s been sent to you unexpectedly.

  • If you’re unsure if an email, text or any other communication is genuinely from a legitimate source, don’t click on the link or open the attachment. Contact the organisation via their official contact channels and ask.

  • Protect your passwords and login credentials, don’t enter these into any websites relating to the COVID-19 virus.

  • Keep your devices up-to-date.

  • Keep your anti-virus up to date and run regular checks.

  • Report suspected malware or phishing attempts to CERT NZ.

Communications regarding bank account changes

  • Ensure you speak with the ‘sender’ before clicking on any links or changing any bank account details.

  • Ensure all bank account changes require a second means of verification - this being a phone call or text to your verified contact at the business to ensure the change is valid. 

  • A minimum of two internal persons within the organisation to verify the change is valid, this includes the above process and to contact your own bank if required to acknowledge the change. Large one off transactions should have this in place already. 

  • Record all changes, dates and signatories involved. 

  • Have the above processes documented including staff training, to ensure that in the event of annual leave or a staff member being away from their duties, this doesn’t provide an opportunity for the process to be missed.

  • Ask your IT department if it’s appropriate to assign alarms/audits to go to two managers if a bank account is attempted to be changed at any time. 

Employee training and education

  • Make sure your employees are aware of the increased cyber risk due to COVID-19 so they can stay vigilant.

  • Help them to understand what these risks may look like (as described above) so they can recognise a potential scam.

  • Encourage employees to be cautious and if in doubt, don’t click anything. Instead advise employees to talk to your IT department or take the appropriate steps to verify the sender.

Cyber Risk Insurance

Companies bracing for the inevitable economic fallout of COVID-19 can look to risk transfer to minimise the impact of cyber incidents. To meet the threats identified above, a considered approach to the insurance market is recommended. Insurance provides cover for your own loss and for third party claims against you which arise out of ‘cyber’ events. This is important as traditional policies do not provide a dedicated response for cyber-attacks and risk. A cyber risk policy provides 24/7 access to crisis response IT, PR and legal assistance as well as cover for recovery costs including data retrieval, defence and settlement, profit and income loss and crisis team costs.

Response | What should you do if you think you’ve suffered a cyber attack?


If you have a cyber risk insurance policy

As soon as you think you may have suffered a cyber risk, immediately call the 24/7 crisis response 0800 number which will be supplied to you by your broker. It’s really important you do not attempt to restore, repair or fix a breach until making contact with an appropriate breach coach.

Expert assistance will be available to guide through the process. This will include: 

  • Access to a Breach Coach

  • Legal assistance and guidance as required

  • Forensic support as required

If you don’t have a cyber risk insurance policy

If you suffer a cyber attack without appropriate insurance in place, it’s important to think about an appropriate response plan. Things you need to consider include:

  • Who would you call to assist first?

  • How should your business respond? 

  • What would the consequences of inaction be vs immediate response?

  • Do you have IT support in place for systems breach?

  • Do you have legal support if confidential information has been exposed or is threatened to be exposed?

  • Will your business cope with potential lost income, productivity and profit?

Aon is a leader in cyber risk consulting and we offer a range of risk management solutions to help our clients understand and manage cyber risk. See here for more information.

If you have any questions or need support or guidance, please don’t hesitate to contact:

Finn Jolly | Cyber Broker
09 362 9183 | 027 3217532 |



Other articles you might be interested in

This website contains general information only and does not take into account your individual needs or financial situation. It is important to note that limits, excesses, terms and conditions and exclusions apply to the products and services outlined on this website. Please refer to the relevant policy documents for details of cover, the provision of which is subject to the insurer’s underwriting criteria that apply at the time. Please contact us if you have any questions.