Cyber security and privacy risks should be the top priority for any business at present, especially whilst trying to accommodate all staff in their new remote working environments. In the rush to get everybody working from home, security probably wasn’t top of mind and this presents a major threat for many businesses and people working from home for the first time.
Cybersecurity expert and J2 Software CEO John Mc Loughlin says more concerning is the intensification of cyberattacks, unscrupulous cybercriminals exploiting vulnerable and unsuspecting home workers. “Business owners haven’t taken the correct security measures to ensure everyone is protected.”
The South African Banking Risk Information Centre (SABRIC) has warned that cybercriminals are exploiting the spread of coronavirus for their own gain using “coronamania” panic to spread coronavirus scams.
It says these scams takes advantage of people’s concerns for their health and safety and pressure them into being tricked using social engineering. Social engineering is manipulative and exploits human vulnerability because criminals know that the weakest link in the information security chain is the human being.
These new scams include spoofed emails offering products such as masks, or fake offerings of vaccines, leading to phishing websites. These emails come from seemingly realistic and reputable companies which manipulate people into clicking on links. Some of these websites prompt the user for personal information which ends up in the hands of cybercriminals.
“Cybercriminals are also using SMS Phishing, more commonly known as SMishing, to trick victims into clicking on a link disguised as information on a coronavirus breakout in their area to steal their credentials. Some of these texts claim to provide free masks or pretend to be companies that have experienced delays in deliveries due to the coronavirus,” he explains.
Cybercriminals will also create fake news, links and stories to incite rage and get these spread via platforms such as WhatsApp. As unsuspecting people share this fake news and malicious websites the criminals expand their reach. These all stem back to very common attack methods that use our built-in fear and uncertainty to trick us to click. When people are desperate it is common to look for things to set their mind at ease.
When people are working with data, there’s always a risk of a security breach. This risk is escalated with uncontrolled and unmanaged work from home. It is so easy for people to forget their policies and procedures, the clean desk policy is forgotten and highly sensitive information is left in the open, corporate secrets are overheard in videoconferences and paper records are discarded without being shredded. This could include confidential client documents, either digitally on the laptop or in paper format.
More concerning is the sudden use of videoconference platforms like Zoom without the proper security controls in place. While the platforms are being ‘provided’ for the user, many businesses have not shared basic security measures to control the types of information and calls that can be bombed.
Mc Loughlin says although some businesses were better prepared for remote working than others, nearly all of them have failed to even get the basics right – especially now that their people are out in the wild. “We have seen access from all sorts of personal devices, many of which do not even have the basic levels of security in place.”
These devices lack end-point protection and the data generated is hardly ever backed-up. The basic principal is that if the security processes are in place in the office, they should also be in place outside of the office. The risk can be easily mitigated by simply taking the right steps.
Another challenge is that many home workers prefer to use their own devices instead of company equipment, this is largely due to the ease of use. When it becomes cumbersome to work on company devices, home workers tend to find workarounds to bypass the tedious office methods. Lack of visibility prevents business owners from discovering this and prevents them from fixing it. Without the right level of visibility, one cannot have the capability to know there is a problem.
Awareness programs are essential to ensure staff understand that using an unsecured WiFi connection at home is just as dangerous as one in the coffee shop. Not everyone understands the dangers of unsecured internet connections, so it’s crucial to communicate with staff on how to configure their home networks and provide enhanced security options. This includes the executive team that accesses sensitive data.
The fact that the user has moved to another location doesn’t mean the responsibility and the requirement to provide secure access to information and systems changes.
Ransomware was the fastest growing threat worldwide, but it now seems that phishing attacks have become the biggest risk. Cybercriminals are taking advantage of people that are merely looking for information and are scared for their own survival. The threats are diverse and change as the situation does, we need to work with our people to ensure that we are still doing the right things.
We do not need to add to the panic, do the basics, follow the guidelines and ensure visibility. Risk for every business is different and can be affected by the systems, access requirements and operating platforms. Looking at your own risk profile can simplify the process and limit your exposure to cyber risks.
Finally, businesses do not need to develop a new plan to prevent further breaches. A solid, simple and comprehensive security strategy that works in the office can be effective for remote workers. You may need to adapt, but good cyber security practice is good cyber security practice.
“When looking at your own situation, the problem may not be in policy but rather in execution. When you do the basics, enhance visibility and ensure user awareness. Those who don’t have security policies in place, now is a really good time to start getting those implemented,” he concludes.