As the COVID-19 pandemic continues to encumber the healthcare system, the global economy, and the well-being of every individual, it is also having a strong impact on the cybersecurity of businesses and individuals. As one would expect, cybercriminals are finding ways to capitalize on the burgeoning levels of anxiety and fear resulting from the pandemic.
The governments of various countries have already outlined many of these cybersecurity issues facilitated by the coronavirus pandemic. In Canada, for instance, the government recently updated its list of known COVID-19 related fraud to capture some of these scams, which now include the following:
- Cleaning or heating companies offering duct cleaning services or filters to protect from COVID-19.
- Center for Disease Control and Prevention (CDC) or the World Health Organization (WHO) offering fake lists for sale of COVID-19 infected people in your neighborhood.
- Public Health Agency of Canada providing false results claiming you have tested positive for COVID-19, tricking you into confirming your health card and credit card numbers for a prescription.
- Red Cross and other known charities offering free medical products (e.g. masks) for a donation.
- Government departments sending out coronavirus-themed phishing emails tricking you into opening malicious attachments and revealing sensitive personal and financial details.
- Private companies offering fake COVID-19 tests for sale and selling fraudulent products that claim to treat or prevent the disease.
The theme here is that cybercriminals are trying to exploit people’s heightened levels of reasonable concern around COVID-19, trying to promote misinformation and scam people out of their money or personal data. This, inevitably, translates into cybersecurity issues for organizations as well, as company and customer data can easily be put at risk.
What’s more, while many organizations had already embraced the growing trend of remote work before the pandemic came into the picture, all others have suddenly had to transition to fully remote companies in order to survive. And with a company-wide transition to remote without any prior training on cybersecurity, the likelihood of successful cyberattacks and losses for businesses is high, especially amid the current increase in cybercriminal activities.
Given these amplified risks, it is more critical now for organizations big and small to be aware of the top cyber threats they may become a target of, and take proper steps to protect themselves and their employees. For the most part, these cybersecurity issues can be classified into two categories, as discussed below. Even if your organization is based completely online (say, if you’re an e-commerce brand running on Shopify Plus), you must take steps to ensure the following two pillars of cybersecurity are put in place.
Preventing Phishing and Social Engineering
First off, organizations must increase awareness of social engineering and phishing scams amongst all teams. Many employees may have taken these cybersecurity concerns a bit casually up to this point, but now it is imperative that everyone stays vigilant.
“Having most employees go remote is obviously straining already tight IT resources, both personnel and available remote access. Social engineers and phishers are also in a feeding frenzy, taking advantage of the COVID-19 situation, as evidenced by a huge uptick in the COVID-19-themed phishing attacks,” says Perry Carpenter, Chief Evangelist and Strategy Officer at KnowBe4. “COVID-19-themed phishing strategies are likely to be more successful because of the built-in stressor events and people’s lack of familiarity with these phishing themes,” he adds.
Social engineering attacks like phishing have always been a favorite for cyberpunks to trick people into giving up sensitive information like login details and credit card information. Though most organizations are enhancing their email security to block phishing attacks, cybercriminals are leveraging the pandemic scare to social engineer the minds of people.
Plus, email phishing is an effective, high-reward, and minimal-investment strategy for hackers to gain access to credentials, so it’s about time organizations ensure that employees are aware of phishing email tactics and are well informed on how to tell the difference between fake and genuine emails.
Here are eight precautions to reinforce in all your teams to protect your company from social engineering attacks:
- Be skeptical of emails from unknown senders or familiar people (like your company’s CEO or your doctor) who do not usually communicate directly with you.
- Don’t click on links or open attachments from those senders.
- Don’t forward suspicious emails to co-workers.
- Examine the sender’s email address to ensure it’s from a true account. Hover over the link to expose the associated web addresses in the “to” and “from” fields; look for slight character changes that make email addresses appear visually accurate — a .com domain where it should be .gov, for example.
- Note grammatical errors in the text of the email; they’re usually a sure sign of fraud.
- Report suspicious emails to the IT or security department.
- Install the corporate-approved anti-phishing filter on browsers and emails.
- Use the corporate-approved anti-virus software to scan attachments.
Securing Work-From-Home Arrangements at Scale
The second pillar of the cybersecurity issues during the crisis is the transition from in-office to work-from-home on an organizational level. Apart from solidifying awareness of phishing and social engineering scams, organizations must use the right technological measures to ensure not just peak levels of productivity but also cybersecurity when working from home.
Here are a few actions that cybersecurity teams must take to minimize risks:
Expedite Patching for Critical Systems
Minimizing patch cycles for high priority systems such as virtual private networks (VPNs), end-point protection, and cloud interfaces that are crucial for remote employees will help organizations destroy vulnerabilities as soon as they’re detected. In essence, patches that secure the remote working environment need to be prioritized.
Scale-Up Multi-Factor Authentication
All teams working remotely must be mandated to use multi-factor authentication (MFA) to access critical applications. Scaling up MFA can be difficult, but there’s a way to make the rollout of MFA smoother.
Prioritize workers who have superior privileges (such as domain and sysadmins, and application developers) and ones who work with critical systems (for instance, finances). This allows cybersecurity teams to learn from the experience and devise large-scale MFA implementation plans that covers everyone.
Ensure Shadow IT Security
It isn’t uncommon for employees to use so-called shadow IT systems, which they set up and administer without formal approval or support from the company’s IT department. Prolonged work-from-home may expose such systems because business operations that rely on shadow IT in the office will break down once employees find themselves unable to access those resources.
Thus, IT and security staff must be prepared to transition, support, and secure business-critical shadow devices and software. They must be vigilant of the new shadow-IT systems that teams may use to ease working from home, to make up for in-office capabilities they can’t access, or to get around hurdles.
Final Thoughts
No one knows for sure when the pandemic will subside and normal in-office operations can resume in full force. While working from home has many benefits (such as increased productivity, lower overhead costs, and more), cybersecurity isn’t one of them. Couple that with the COVID-19 scare and you’ve got a cybersecurity situation on your hands.
Organizations must focus on the aforementioned two pillars of cybersecurity to try and ensure the company-wide transition to work-from-home doesn’t bring about any data breaches or cyber threats to the business.
——–
About The Author:
Gaurav Belani is a senior SEO and content marketing analyst at Growfusely, a content marketing agency that specializes in data-driven SEO. He has more than seven years of experience in digital marketing and loves to read and write about education technology, AI, machine learning, data science, and other emerging technologies. In his spare time, he enjoys watching movies and listening to music. Connect with him on Twitter at @belanigaurav.