With the pandemic forcing many companies to make a sudden and unexpected shift to remote work, some companies were more ready than others. The sudden pivot gave many organizations little time for their IT teams to prepare.
Needless to say, nefarious individuals have attempted to profit from catching those unprepared off guard. As we move through this unprecedented time, it’s important to protect your employees from cyber criminals and support appropriate levels of digital security.
Despite the fact that some states are starting to reopen offices in parts of the country, many workers will still be remote at least part time for the foreseeable future to help comply with social distancing efforts.
Further, high-risk employees or those caring for high-risk individuals may even ask to remain remote for a much longer period—because of this, it’s important to still be mindful of threats that could emerge with a majority or large portion of employees still remote.
Here are some specific examples of COVID-19 cyber threats and how you can help prevent them.
Phishing
Phishing is by no means a new threat, but has taken on some new “clothes” as a result of the COVID-19 pandemic.
For example, after the World Health Organization declared COVID-19 a pandemic in March, registrars saw an increase in related domain name registrations. Additionally, over the course of a week in April Google saw more than 18 million daily malware and phishing emails related to COVID-19 scams.
These COVID-19 related domains have subsequently decreased, but per the latest from the Cyber Threat Coalition they’ve instead shifted to a new trend as the world adapts to the pandemic… masks.
Most of this phishing attempts fall into three specific areas, which are:
Credential theft. The classic phishing attempt of tricking people into logging into a fake website remains common, but thieves have now started going after videoconferencing usernames and passwords. Another scam involved impersonating the World Health Organization and claiming to be raising funds for vaccine research; the real goal of course was to steal the money and possibly credit card numbers. Other agencies, including the CDC, have also been impersonated.
Business email compromise. Phishers can use stolen credentials to impersonate a person inside your organization to steal money or sensitive information. Although not specific to COVID-19, with many still working remotely, it can be harder to check with fellow employees whether or not an email came from the actual sender before responding. Employees may thus be more likely to respond to an “urgent” email without first verifying the source.
Malware delivery. One COVID-specific issue here is virus outbreak apps. There are some malicious mobile apps circulating for Android users that may use accurate data, but are trojan horses for malware. Such apps take advantage of the fact that too many people do not install antivirus and malware protection on their mobile phones and tablets.
All of the above cases above should be quite compelling to ensure that your company has a culture of cybersecurity. Employees need to be educated in basic cyber hygiene in order to identify phishing attempts.
The answer is what it has always been—keep up employee training on phishing. However, if you are running a phishing drill don’t use anything COVID-19 related, as people are understandably stressed and it could potentially cause undue distress or anger.
Insecure Remote Work Environments
People who do not normally work from home may not have the tools or the education to do so safely. Despite the fact that we are now months into the pandemic, this still could be true as organizations have adapted to change at different paces.
There are a few specific issues here:
Consumer-Grade Routers
A lot of home wifi and network routers are not properly secured. While most routers now ship with encryption enabled, employees may have potentially given the password out to friends who were visiting their homes. A larger issue is that most people do not think to change the default password that allows them to log in to their router as an administrator. Both the password and the username need to be changed.
Ideally, IT should keep a list of who has what routers and if a particular make or model has a problem, they can make sure the employee using it knows. In some cases, an employee may be using an older router with poor security protocols. Buying them a new router is generally inexpensive and can prevent a much more costly data breach.
Insecure Devices on Home Networks
Another thing to talk to employees about is any and all other devices on their home network. Smart televisions, smart speakers, etc, can all be ways to hack into a home network. Ask employees to update the passwords on all of their devices so as to make sure none have default passwords, which can ship with thousands of devices and are often easy for nefarious individuals to compromise.
Insecure Devices
Many employees could potentially use their own devices, even if it’s just accessing slack from a personal computer or phone. You should consider measures such as always enabling device encryption when possible. Even consumer-grade device encryption can help (like password protecting an iPhone!), and providing a higher grade version is useful if you have employees handling particularly sensitive information.
Personal computers may also have automatic security updates turned off, especially if the employee is worried about a forced update to a new version of the OS that may not run all of their software.
Often, too, they have not installed an up-to-date antivirus and anti-malware suite on their personal devices (including phones and Macintosh computers). If employees balk, remind them that proper malware protection will also protect their personal data and hardware from attacks.
Lack of Availability in Secure Tools
One problem quite a few companies had at the start of the lockdowns was that their VPN bandwidth, previously quite sufficient, is not up to the strain of every single person in the office trying to use it at once. Many employees reacted to this by turning off the VPN in order to speed up their connections.
Other employees might find that they are now using a home computer that does not have all the software on it they need to do their job. This may result in employees deciding to save time by downloading the software themselves, potentially picking up malware. Employees should instead download the software through official channels sanctioned by the IT department.
Proactively asking employees what they need and making sure to provide them with appropriate, secure tools for all of their tasks should be a priority for your organization.
Dealing with COVID-19 related cyber threats is an ongoing challenge, but one that all teams must now endure. Even as your employees come back into the office, learning best practices for remote work will be helpful and will also allow greater flexibility for employees down the line.
Figuring out all your bases to cover is not an easy process to navigate, especially in times like these— and that’s why Electric is here to support your organization. Electric can work closely to help you find the right solutions to make remote work easier and more secure for your employees.