Corporate cyber risks heightened by Covid, warns ex-NSA head

The former head of the US National Security Agency has warned that the coronavirus pandemic has significantly increased cyber risk, with companies likely to face a growing number of attacks.

Michael Rogers said “the attack surface has just exploded” because so many people are working from home rather than in offices, which have better cyber protection.

Mr Rogers was head of the NSA, the US government agency in charge of cyber security, between 2014 and 2018. He is now on the board of directors at CyberCube, which advises insurance companies about cyber risk.

“Remote access is being executed on a level that is nowhere near the historic norms of the past, and that’s pretty much across all business sectors,” he said, adding that the use of the same infrastructure for work and personal purposes was increasing the risk.

He also warned that people searching for coronavirus-related information could inadvertently let hackers into their data and systems.

“There’s a much greater propensity among user populations now to access links or respond to emails that they believe are making them smarter about Covid,” he said.

Roughly two-thirds of successful attacks, he said, originated with “spear phishing” emails in which users click on links or images in an email.

Mr Rogers said ransomware attacks were the “poster child” of the growth in incidents. These involve a hacker accessing and encrypting company data, and only releasing the decryption key if money is paid.

According to insurer Beazley, ransomware attacks jumped 25 per cent in the first quarter of this year compared with the fourth quarter of 2019.

“Attackers are finding they have . . . a higher probability of success,” said Mr Rogers, as there was an increased willingness among companies to pay ransoms. “Financial times are so tough that you cannot afford to shut down.”

“The fundamental things that are powering it are unlikely to change,” he said. “It’s going to get worse before it gets better.”

At the start of this month the US Treasury warned that helping companies to make ransom payments could violate US sanctions laws.

In a public advisory note it said: “Ransomware payments may also embolden cyber actors to engage in future attacks. In addition, paying a ransom to cyber actors does not guarantee that the victim will regain access to its stolen data.”

Speaking ahead of an appearance at the Financial Times insurance innovation summit this week, Mr Rogers said some parts of the economy were better prepared for cyber attacks than others.

The financial services industry, he said, had spent “funds in significant levels” on cyber defences.

Healthcare, on the other hand, was much more vulnerable. “It’s got the highest concentration of personally identifiable information . . . there’s a lot of data flowing through hospitals and health systems.”