Employees were the biggest threat to corporate cybersecurity well before COVID-19. The 2019 ‘Human Factor’ report from Proofpoint, a California-based enterprise security company, found that more than 99% of the attacks they observed needed human interaction to succeed.
Timing, trust or a lapse of concentration can lead the most cyber aware to click on a fake link or comply with a fraudulent request for money or data. The risk of cyber threats are bound to increase as working at home piles on the distractions – and cybercriminals are quick to take advantage of uncertainty and disruption.
“They’re already using COVID-19 subject lines in emails to tempt people to open them and click on a link inside,” says Greg Austin, Professor of Cyber Security, Strategy and Diplomacy at UNSW Canberra Cyber Centre. “It’s a bit late to re-educate people on basic cybersecurity, so employers may be better off warning them to look out for disinformation and false news on the pandemic itself.”
Phillipa Lee, Senior Consultant at Agilient Security Consultants, has seen fraud emails overtake ransomware as the preferred and most profitable cyber-criminal income stream.
“They’re already using COVID-19 subject lines in emails to tempt people to open them and click on a link inside.” – Greg Austin
“In a recent example, a hacker intercepted a payment reminder from a legitimate supplier then set up an account with an almost identical domain name in another country,” she says. “The hacker crafted an almost identical reminder stating that the supplier’s banking details had changed. The invoice was processed, and payment made to the hacker’s account.”
Once again, risks increase when employees are working at home.
“Normally, the accounts staff might just stroll across the office to verify a suspicious email,” says Leon Fouche, National Leader, Cyber Security at BDO. “When they’re working remotely, it’s vital they phone to check. Every staff member should be provided with a complete list of contact numbers – the IT support team, the office manager and, where appropriate, executives including the CEO. As well as strengthening security this will allow everyone to communicate by other means if the email server goes down.”
Poor preparation increases cyber threats
According to Austin, most corporations recognised that they should prepare for a national cyber emergency on the scale of the COVID-19.
“By the end of January, CEOs should have been asking to see the plan for business continuity for security in the case of a pandemic, or for one to be drawn up,” he says. “If such a plan still doesn’t exist, they should be looking for new senior staff. Working from home introduces many additional vulnerabilities, and these are magnified when the regime has been implemented at short notice. Without prior evaluation there is no way to be sure of any reasonable cybersecurity around the work practices of most employees.”
As the crisis rolls on, it’s clear that few companies were fully prepared, leaving them open to the risk of cyber threats. Some corporate and virtual private networks (VPNs) are buckling under the strain of supporting so many remote workers for so long. Fouche has seen large organisations scrambling to buy additional licenses for remote access software. And Richard Watson, Lead Partner APAC Cyber at EY, is concerned that most home internet is wi-fi-based, yet people rarely change the default password on their router.
“This enables anyone to log into that router and access the data passing over it,” he says.
He is also concerned that not everyone working at home has a corporate device with a remote access login.
“The home computer is not controlled by the corporate IT department so there are no guarantees that the operating system and virus protection are up to date or that the device has password control,” he says. “Computers shared with kids are particularly vulnerable. In general, they aren’t as careful about the links they click and are more easily tempted by social media offers which introduce spyware.”
Organisations can reduce their vulnerability to cyber threats and attacks by ensuring remote devices have the most up-to-date security features.
“The Australian Cyber Security Centre has excellent information on managing a remote workforce, and Stay Smart Online also provides advice on protecting your business assets including mobiles and tablets,” says Lee.
Demonstrating leadership
As the pandemic continues to affect individuals and organisations around the world, it’s vital that employees adhere to management policies and procedures.
“CEOs need to ensure that employees at every level of the company understand how much is at stake,” says Lee.
Watson suggests that CEOs communicate regularly – from a wellness point of view as well as a work one.
“You need to ensure any questions are answered quickly and your people aren’t left rudderless for days on end,” he says. “Video is a very effective way of doing this as it personalises the message.”
Lee sees one optimistic aspect of managing organisations through a pandemic. “It provides an opportunity for leaders to build enterprise-wide trust and resilience,” she says.