As most of us now find ourselves working remotely, it's quite incredible to see how things have changed so dramatically in such a relatively short space of time.
There have been challenges of course, and perhaps some triumphs too as we have figured out new ways of doing business. One fact is unequivocal. Home and personal work stations are often less secure and more susceptible to hackers, meaning that we need to identify and manage the additional cyber risks involved in working from home.
Cyber criminals are using the coronavirus as a time to exploit weaknesses in network security and human fallibilities as we figure out new ways of using technology. Never being ones to miss an opportunity, criminals are taking advantage of the disruption and uncertainty and launching cyber-attacks on remote workers at home and on supply chains.
From a cyber perspective, be vigilant! Now more than ever, it's vital to keep our wits about us as the bad actors are relentless, taking advantage of our insecurities as well as the goodwill that is inherent within the majority of us.
A Secure Working From Home Environment
WFH has resulted in the growth of use of personal devices and home networks. The security of employees' home computers and home networks is usually beyond the control of the companies for whom they work. The absence of necessary security on home networks creates a heightened risk of system disruption for the company.
What should you do?
- Advise all staff to avoid public wi-fi
- Ideally, ensure that any work network is accessed via a virtual desktop such as those provided by Citrix or Cisco, with properly configured remote access solutions. This will limit the ability to store sensitive information on the employee's computer and to prevent malware from migrating from an employee's home computer to the company's systems
- Ensure multi-factor authentication is required to access company systems
- If a virtual desktop is not available, advise employees to ensure home systems are secure by using a Virtual Private Network (VPN) and:
• encrypting computer drives
• requiring strong passwords for wireless networks
• patching software on a regular basis
• installing strong antivirus software that is regularly updated
• enabling session timeouts
- Use portable device management solutions (including encryption) to limit the risks inherent in using personal devices (including mobile phones)
- Insist that employees keep personal data and work data separate
- Train employees about what to do if they think their computer or their company account has been compromised
- Install updates when they are available
- Backup data on secure platforms
- Use security controls with Zoom, Teams, WebEx, etc.
The Cyber Risk Environment
The increased susceptibilities of WFH, means that cyber-criminals have upped the ante. Cyber-attacks, while clearly evident pre-Covid, have exponentially increased as criminals take advantage of the disruption and weakened network securities. From the early days of remote working, hacking events have surged as compromised technology and security have allowed easier access to network systems.
Evidence suggests that phishing attacks alone have increased by 667% just in March of this year.
Phishing with Covid-19 as bait
Cyber-criminals are exploiting human frailties. The fraudulent attempts to prey on our generosity of spirit - that spirit clearly evident in our nation's response to Captain Tom Moore's heroic efforts - are repugnant.
Bogus websites have been set up posing as charities to channel funds into cyber-criminals' bank accounts.
Our natural fears and anxieties are being used against us as criminals seek to offer us fraudulent PPE, home-testing kits and cures. The appeal is all too obvious. These fraudulent activities are carried out via email, phone scams (e.g. offering free home testing kits or the promotion of bogus cures), or hoax texts (including one that offered a $30,000 “relief” package from “The Financial Care Center” and another that informed recipients that they must take a mandatory online Covid-19 test; both attempts to obtain banking and other personal information).
Another “in” for these hackers, is bogus updates on Covid-19, which are being sent by email or via social media. Phishing attacks involve emails to employees that appear to come from senior executives, emails that purport to attach updated policies around remote working, or emails that pretend to be from health agencies.
We are aware of emails purportedly from the World Health Organization ostensibly providing Covid-19 updates via an attachment. Rather than providing helpful content, the attachment, once clicked, launches malware or ransomware into the victim's computer.
Phishing with psychology as bait
Again, preying on human behavioural patterns, fraudsters often craft phishing emails encouraging the recipients to take action whilst manipulating our willingness to be efficient, helpful and proactive. Examples include:
- "Your mailbox exceeds 3.5MB of storage as set by the administrator. To validate your account, click here".
- "Welcome to the new Outlook web app for staff. Login here".
- "You have a new voicemail message. Click here to access".
The phish, if successful, may provide remote access to an employee's computer or network, often the precursor to installing ransomware. Alternatively, or perhaps coterminously, the scammer uses valuable information to commit fraud or identity theft.
What should you do?
We are all generally becoming more educated in our ability to spot phishing emails: we've been told about checking for clues such as bad grammar, spelling mistakes, poor stylistics and odd-looking links. Unfortunately however, the sophistication of these emails is also improving at the same rate, and even the most seasoned cyber-guru can get caught out.
While spotting a phishing email is becoming increasingly difficult, the National Cyber Security Centre (NCSC) has put together some common signs to look for:
- Authority - Is the sender claiming to be from someone official (e.g. your bank, doctor, a solicitor, government department)? Criminals often pretend to be important people or organisations to trick you into doing what they want.
- Urgency - Are you told you have a limited time to respond (e.g. in 24 hours or immediately)? Criminals often threaten you with fines or other negative consequences.
- Emotion - Does the message make you panic, fearful, hopeful or curious? Criminals often use threatening language, make false claims of support, or tease you into wanting to find out more.
- Scarcity - Is the message offering something in short supply (like concert tickets, money or a cure for medical conditions)? Fear of missing out on a good deal or opportunity can make you respond quickly.
- Current events - Are you expecting to see a message like this? Criminals often exploit current news stories, big events or specific times of year (like tax reporting).
- Avoid clicking on links in unsolicited emails and beware of email attachments.
- All emails related to the pandemic that invite the recipient to click on a link or open an attachment should be treated as suspicious. That is particularly true if they appear to come from governmental organisations or large companies with which the recipient has no connection. Use trusted sources including legitimate, government websites, for up-to-date, fact-based information about Covid-19.
- As always, emails that seek personal information should be viewed with extreme scepticism. Do not reveal personal or financial information in emails, and do not respond to email solicitations for this information. This is particularly true now with respect to emails concerning the pandemic.
- Educate your employees about how to recognise phishing emails on both mobile devices and desktop/laptops.
The overriding message is: Do not trust information that doesn't come from official sources and be suspicious of messages coming from a company from which you don't normally receive communications.
One final but very relevant point needs to be made in relation to data protection.
There may be a temptation to share information more readily when WFH, particularly when operating a mobile device, whether a smart-phone or tablet.
Psychologically, because we are not “in the office” and are not sitting at our desk, we can become a little relaxed about our work practices, which may translate into more liberal sharing of data, perhaps without the normal thought processes being engaged.
It is vital that employees continue to maintain strict data policies when it comes to the handling of data. Inadvertent sharing of information regarding affected employees or clients could result in significant repercussions both from a financial, regulatory, and reputational perspective.
Additional Pieces to the Jigsaw
Awareness, education and technology solutions all help but are not failsafe. Detection must be combined with an effective incident response plan and business continuity plan. Cyber insurance ought to be considered as part of this process.
The 24/7 breach response services offered as part of a market-leading cyber policy will be crucial in the immediate aftermath of a cyber incident, providing access to experienced consultants in IT, legal services, PR and crisis management specialists, during a stressful and vulnerable time.