When the first UK lockdown hit back in March 2020, it wasn't too much of a jump for Purbeck Personal Guarantee Insurance to adapt to a remote-only operation. The company was young, just four years old. It was already geared up for remote, agile working.

"We were quite fortunate in that respect," explains managing director Todd Davison. "We're primarily cloud-based. We haven't got legacy telephony systems, big servers or big data rooms. And because we have a relatively small team, it's made it easier to adapt. Our office telephone system is VoIP anyway, so it was just a case of downloading a mobile application and rerouting our main number through that."

The company had some data security requirements in place. Remote desktop access requires two-factor authentication, similar to the multi-step verification with mobile banking. Passwords – which must be alphanumerical – are changed every 120 days. Its finance team has also moved towards two-factor authentication for its accounting software.

An increase in phishing attacks

This has been particularly critical during the pandemic. Davison says there has been an uptick in phishing emails during the pandemic, including bogus invoices sent to the accounts payables team. The company is not alone: recent data from the National Cyber Security Centre (NCSC) revealed a fifteen-fold increase in the number of online scams during the pandemic.

In Davison's view, scammers have likely taken advantage of changing working environments, leaving some employees vulnerable to cyberattacks. "There are all sorts of distractions at home which might pull peoples' attention away. Employees may not be as diligent as they would be in an office environment, where they could just ask the person next to them. It's probably led to an increased propensity of people, unfortunately, opening these phishing emails."

Davison's leadership team quickly issued security guidance to the employees, reminding staff that if they received an invoice they were unsure about, check it with someone else first instead of opening the attachment. Alternatively, give the email sender a call. "Scammers can sometimes hack email addresses to send bogus invoices, so it looks like the invoice has come from a known contact,"

Davison says. "Just picking up the phone and calling your contact not only prevents a phishing attack but alerts them to the possibility that they've been hacked."

Security protocols need to evolve with hybrid working 

Continued guidance and robust security protocols are becoming increasingly important since the shift to hybrid working. Davison advises that businesses should have solid cybersecurity policies that outline how to identify phishing emails, how to respond, and where to report them.

There are also specialist organisations that provide cybersecurity audits of IT infrastructure and security to help reduce and mitigate the likelihood of security or a data breach. "Data breaches and cyberattacks are outside of your control. They're an unknown quantity because you don't know the damage they can do until you actually get attacked. A cybersecurity audit can show businesses their weak points and recommend cyber insurance policies tailored to the business."

Factor in the worst-case scenario

Moreover, businesses should look at scenario planning and identify worst-case scenarios of data breaches and their impacts. "The pandemic has really highlighted the importance of scenario risk planning and keeping IT systems up-to-date," says Davison.

When Purbeck carried out client-wide surveys and questionnaires to understand how the small and medium-sized businesses they support have responded to the pandemic, they discovered that, for the most part, it had encouraged a significant proportion to review their IT systems. Not only from data security and compliance perspectives but also because existing systems in some firms just weren't cut out for remote access. 

The Purbeck questionnaire found that while most firms had been proactive in preparing for remote working and had put systems in place as early as February 2020, others discovered their existing systems lacked agility and flexibility.

"Some long-standing businesses were accessing their local office-based servers remotely via Citrix or another gateway which, although it had dual-factor authentication, posed other problems," Davison explains. "If the office-based server is down or it's being updated, you can't access the system, and you can't work. So the pandemic has forced many companies to look at more cloud-based solutions and update their fundamental IT systems. It's probably accelerated the move towards more agile, cloud-based technology overall."

Forced to update

As Davison points out, the pandemic, for all its disruption and human tragedies, forced businesses to adapt to a technology-first working model. There was already a convergence towards hybrid working in some industries long before COVID-19. Still, Davison believes the pace of change has been phenomenal for other long-standing industries such as law or even accountancy. "In a way, we're all fortunate it happened now because the technology was there to support this shift," says Davison.

"Had it happened in 2009, the technology wouldn't have been there, and we might have seen a bigger impact on the economy. So I think current technology has been a huge positive in enabling us to adapt to this new hybrid method of working."