The ongoing pandemic has demonstrated how efficient cybercriminals are in exploiting the fear and anxiety that has been generated on a global basis. They do this through social engineering methods and taking advantage of unsecured channels of communication.
Businesses have had to adopt a new way of working with the majority, if not the entirety, of workforces transitioning to working from home. Technology has been embraced on a new level with video-conferencing tools and communication channels adopted as the principal way of sharing data, not always with the correct security measures in place.
So, with VPN networks overloaded and fake news more prolific than ever, cybercriminals are currently ‘living the dream’. What are the necessary steps that businesses need to employ in order to stay safe when we are all at our most vulnerable, both professionally and personally?
Why is social engineering so effective in a crisis?
Social engineering is a method to urge people doing something in the interest of the attacker, by using different emotional motivators – like a sense of urgency, fear, anxiety or curiosity. And mass media stories are a source for such pretexts. When something is happening, people are looking for new updates, and the attacker can provide such updates in exchange to people doing something, for example, clicking on a link in an email – activating a malicious script.
This has been prevalent during the Covid-19 pandemic when anxiety has been high on a global scale. People have been forced to work from home and can feel lonely, making them more vulnerable to social engineering. According to the UK cybercrime reporting centre, Action Fraud, March saw a 400% increase in the number of coronavirus scams. These have included numerous phishing campaigns under the guise of respected bodies like the UK Government offering grants, tax rebates or compensation in exchange for the submission of sensitive data. Most recently, social engineers have taken advantage of the lockdown situation by sending fraudulent text messages supposedly from the UK Government saying that a penalty needs to be paid for breaching the lockdown restrictions with a link to pay directly to a non-government website.
Cybercriminals love video conferences
While many businesses are transferring to remote working to keep in line with lockdown restrictions, new methods of digital communication are being embraced by companies on a global scale. The adoption of video conferencing has made companies like Zoom a household name. Even Boris Johnson has been using this piece of software to conduct meetings whilst in self-isolation, nearly falling prey to a data breach himself by accidentally posting a screenshot of a cabinet meeting with the login details visible to all.
But how vulnerable are these video conferencing tools? Often, they require the installation of plugins and executable modules via a link shared in a meeting invite. Attackers can use this channel of executable installation, together with spear-phishing emails, to install backdoors on users’ computers. Also, video-conferencing systems can have critical vulnerabilities that allow attackers to get access to sensitive data, such as grabbing a video input from the camera without the users’ consent. For example, in July 2019, such a vulnerability was discovered in the Zoom Video conferencing system. The company has vowed to spend the next 90 days thinking about its privacy and already has upped its security game.
Whose responsibility is it – employees or employers?
The simple answer is both! Responsibility needs to be a mutual endeavour.
Employers need to increase the awareness level for employees – providing them with validated remote collaboration tools and clear communication instructions on how to deal with unexpected situations. Employees, in turn, should treat information assets more seriously whilst working remotely, since it is more difficult for them to quickly obtain assistance in case something goes wrong.
Cyber insurance headache
There’s no doubt that the situation with Covid-19 has been stressful for the insurance market. Some travel insurances, like InsureandGo, are even waiving compensations for impact during the travel chaos caused by the pandemic.
It has certainly flagged the importance of cybersecurity insurance when it comes to protecting data. In recent years there has been a rise in cybercrime with 4.5 million incidents in England and Wales in 2018. Yet a recent study found that more than 8 in 10 businesses have neglected to take out insurance policies against the impacts of a potential breach, leaving them increasingly exposed in the current environment.
However, with cyber insurance, not everything is clear and still, there are processes to clarify the ‘rules of the game’ initiated by the major players in the market. The industry view is that Covid-19 will definitely have an impact on the cyber insurance situation, especially if there is a logical connection of data breach and the virus outbreak as the cause.
Safety steps every company should take
As a minimum, companies should implement HDD encryption for their users’ laptops to avoid a data breach if the laptop is lost or stolen. Also, secure VPN solutions to connect to companies’ back-end systems are required. And this is the challenge – since not all VPN solutions are designed to deal with such a rapid increase in the number of connections and traffic volumes. Simply said, most systems are probably not ready to support all employees working from home.
Due care should be taken by employees to minimise inadvertent sharing of sensitive data. A clean desk policy should be followed. Documents which users are working with should be taken to a minimum. Also, special attention should be paid to keeping all software up to date, all security patches should be installed. Depending on the technology of the IT support team, it could be more difficult to keep updating computers that are connected remotely through VPN. Also, the most important step should probably be having an alternative trusted communication channel that can be used to verify the sender of a critical message.
Businesses should be implementing a well-balanced set of practices, including awareness campaigns, training sessions, checking vulnerabilities in the software, monitoring of systems, proper incident management procedures. The strength and security of each system depend on the weakest link, therefore it is necessary to keep up with everything, gradually increasing the maturity level.
It’s a learning curve
Interestingly, the Chinese word for ‘crisis’ is made up of the Chinese characters for ‘danger’ and ‘opportunity’. This is sometimes misinterpreted in the Western world to mean ‘danger plus opportunity’.
Each crisis should be viewed as an opportunity. So, the current ‘work from home policy’ in many organisations is a real test of the robustness of their infrastructure, including their ability to deal with cyber threats. Lessons learnt during this time will certainly help companies to become more mature and deal with more serious threats in future.
Andriy Lysyuk is Head of Cyber Security at Ciklum