Cybersecurity in the age of COVID-19

Cyber incidents are consistently ranked at the top of business concerns. At the end of 2021, it was said that the estimated cost of cyber-crime would rise by $6 Trillion. This estimate was made before the COVID-19 pandemic disrupted businesses worldwide and offered new opportunities for hackers and bad actors. Since the pandemic began, Marriott suffered a data breach affecting 5.2 million customers, and a ransomware attack forced Honda to shut down global operations.

Changing cybercrime tactics and a shift to employees working from home elevates the importance of security strategies. The overall message: Working from home may change a lot of employee behaviour, but relaxing security standards shouldn’t be one of them.

We asked David Wilkinson, AKA the Scottish Microsoft Dude, for his top advice on how to protect your cybersecurity during the pandemic and beyond.

Look out for pandemic-related scams

Bad actors online have adjusted their methods to take advantage of the pandemic. Hackers are opportunistic and that is, I think, the biggest change brought about by COVID-19.

Hackers have pivoted from sending phishing messages asking for bitcoin to something COVID-19 related or something that is more personal and pulling on the heartstrings.

Hackers have also started attacking collaboration platforms – a data breach affected more than 500,000 Zoom users last April, for example. The pandemic and shifting to remote working has changed the adversary opportunities, and shifted their focus on to some of the other tools that many of us are using.

These kinds of changes in behaviour by hackers is expected though, and it happens whenever there is a crisis. This time, security experts are doubling down on awareness about phishing – emails that try to trick people into sharing personal information or clicking on fraudulent links that upload malware, and SMishing – which is sending phishing messages via text message.

Any of these pandemic-related phishing scams can be disguised as information from the World Health Organisation or the centres for Disease Control, or purport to have information about test results.

Other areas of added vulnerability during the pandemic include:

• Information stealing scams – Hackers embed code into websites that look real and provide legitimate information about the coronavirus. For example, hackers created an identical version of a map of global COVID-19 cases with embedded malware.
• Ransomware and malware attacks – Netwalker, a sharing of ransomware, is using files with coronavirus in the name so that they look important. The files embed code that will encrypt your files.
• Work from home vulnerabilities – These include unprotected videoconference links or hacked videoconferencing passwords, which can be used to access a company’s network. Also, some people working from home might be using unsecured networks. With more people now using Microsoft 365 and less people using a secure VPN to access company data, there is a higher risk with people working from home using home Wi-Fi that company data can now potentially be accessed easier by the scammers and hackers.
• Fake products – Several websites purport to sell masks or coronavirus remedies, but take money from customers without providing any product. Others sell fake face masks and exemption cards claiming to come from an authorised body.

Adjust security for a remote majority workforce

In the face of a wide range of threats, businesses should begin by reviewing the basics. Here are some best practices for cyber security during the pandemic and otherwise:

• Employees should beware of any requests for information and verify the source, including unexpected emails or calls from co-workers.
• Make sure laptops, mobile phones, and apps are updated and install any required patches.
• Screen locks should be something that are configured correctly, especially with home-schooled children in the house. All it would take is for a child to click around on your computer while you go to make a coffee and you have an issue! If screen locks are configured correctly, then your computer will lock automatically when you leave your computer.
• Consider multi-factor authentication.

The sudden shift to working from home has raised other security concerns. For example, the last year saw many businesses carry out a two-year digital transformation project in less than two weeks. This has led to an increase in the use of third parties. For example, some workers that are based abroad couldn’t move their laptops from offices to homes, so there was a scramble to get them new technology and ensure it was secure.

Some key questions that need to be asked:

• Is the technology setup correctly?
• Are the individuals using the technology appropriately at home?
• Are they using personal devices or shared devices?

Pay attention to your employees’ state of mind

While it might be uncomfortable to think about, employees’ stress brings an increased risk of inside threats. People whose emotional health might be a bit taxed right now, people in different economic situations than they were previously, for example, are things that might make somebody more likely to be an insider threat to a business.

Also under the umbrella of employee mental health is the question of whether companies should continue with regular “bait-phishing” exercises, in which companies send a phishing-type email to their own employees to make sure they remain alert to potential scams.

While some companies have pulled back on these because of increased stress, some other companies decided to continue, deciding that now more than ever companies need to make sure these skills are kept sharp.

Prioritise access more than ever

Beyond the pandemic, cyber security has shifted away from perimeter-based security models where all assets inside a network are trusted. Instead of these system-centric security models, companies are looking at protecting access to information and emphasising identity as part of trust.

Companies should adopt a zero-trust architecture. The idea that individuals, devices, and applications cannot be trusted by default and need to be authenticated and authorised.

Some guiding principles include:

• Assume there has been a breach
• Never trust, always verify
• Follow the principle of least privilege access – giving the fewest people access to data and information as possible

Always remember to consider design thinking and customer experience. Security can’t be viewed as an obstacle or users will be incentivised to go around it.

Embrace industry collaboration

Companies benefit from working together and sharing cyber security best practices.

Stick to your enduring principles

Looking forward, companies should be making sure their information is secure, plans are in place in case of breaches or illnesses, and their employees are holding up during a stressful time.

If companies don’t already have a Business Continuity Plan or Disaster Recovery Plan then this is something that needs to be created and / or updated if you already have one. It’s good to have solid plans in place in case of an emergency.

Want to chat further about cybersecurity? Join the conversation over on my social media channels.

Twitter, Facebook, Instagram