Cyber Risk and COVID-19: Practical Guidance for Secure Remote Working
In recent years, cyber-attacks have continued to increase in number and scope, with businesses facing ever-growing threats from ransomware, distributed denial-of-service attacks, and phishing schemes. Ransomware attacks alone saw a 41 percent increase in 2019 from 2018, with more than 200,000 organizations and city governments suffering attacks. Today, all eyes are on the spread of COVID-19, both in the U.S. and globally. Unfortunately, as the world focuses on public health and economic uncertainty, cyber criminals see opportunities for exploitation.
Governments and businesses are responding to the coronavirus’ spread by urging an increasing number of personnel to work remotely in an effort to maintain business continuity under dynamic and unprecedented circumstances. This necessary surge in remote work, however, opens an increasing number of doors for bad actors to profit. Enhanced risks stem from insecure WiFi connections, open printer ports, browser plug-ins, social media feeds, documents shared on cloud databases, and more. Not surprisingly, cyber-opportunists are out in full force, creating an uptick in cyber scams, phishing emails, and ransomware attacks. Just last weekend, the U.S. Department of Health and Human Services reported that it suffered a cyberattack when hackers tried—and, according to HHS, failed—to scan the Department’s networks and email system
Cyber criminals are capitalizing on the fear, lax cyber-hygiene, and uncertainty created by the pandemic, leveraging the vulnerabilities of a substantial influx of people into the remote workforce, which expands the attack vectors available to bypass corporate security measures. On March 13, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency issued an alert urging organizations moving to remote environments to “adopt a heightened state of cybersecurity.” It is critical—now more than ever—that businesses and their employees remain diligent and aware of potential scams and threats. Businesses can consider the following guidance as they navigate the challenges ahead:
- Have a Plan: Most importantly, businesses need to be prepared for the worst with a robust incident response plan that addresses a range of potential cyber events, as well as business continuity requirements.
- Resources and Education: Information Security departments need adequate support to prepare and educate employees about cybersecurity risks and the internal policies necessary to maintain digital security in a remote environment. Businesses should also ensure that each worker has the required equipment for secure networking and access, including requiring multi-factor authentication. Use of personal devices and email accounts should be centrally controlled and monitored through policies and technological solutions to minimize the risk of additional—and unknown—vulnerabilities.
- Constant Vigilance: All members of a business enterprise must remain vigilant when opening email attachments and clicking on embedded links within a document. In the wake of challenging circumstances such as the current pandemic, cyber scammers and hackers routinely exploit people’s compassion and empathy by posing as relief organizations or charities. Hackers will tailor their attacks and send phishing emails claiming to be about the virus or from a trusted government agency. All members of an enterprise must be educated not to click on links or attachments from relief organizations; instead, go directly to the purported organization’s website. Be suspicious of any request for donations in cash, by gift card, or money wiring. In a similar vein, be wary of emails and social media links from unknown sources purporting to be sources of information about COVID-19.
- Trust but Verify: Employees should be aware that many phishing attacks come disguised as communications from internal personnel, and often individuals who are supervisors or management. Everyone should be suspicious of directives asking anyone to send funds, access a link, or open an attachment. Any suspicious or unusual request should be verified by phone or in person.
There is no magic bullet to eliminate cyber risk, and the instability and uncertainty created by COVID-19 heighten the risk of attack by opportunistic criminals. But businesses and individuals can mitigate these risks by exercising heightened vigilance and raising awareness among their employees of the increased likelihood of cyber-attacks in the coming weeks and months.