Due to the exposure of COVID-19, hundreds of thousands of people in the U.S. are having to adjust from working around other people to working within the confines of their homes. Now they may also be exposing themselves to another type of risk – cyber-attacks.
Email phishing attacks are by far the most effective means that attackers use to gain entry into an entity's network. A phish is a link, attachment, or other containment in an email that is used to implant malware in a computer that can give hackers an opportunity to demand a ransom or steal data once the user clicks to open the phish. Email phishing is so successful because it only takes one person to accept an invitation to open a link or attachment sent by email to open a worm or virus that will work its way through the entire systems network. This is called spear-phishing, as it uses one infected host to spread to others. And attackers are very adept at making these emails look official – they may look like they are from the entity's management, a supplier or vendor, a partner relationship, or some other work-related entity. Other successful email phishing attacks contain links to a joke, gif or emoji attachments, invitations to events or contests, etc.; anything that would entice someone to open the link or attachment.
Now that there are so many businesses in practically every sector encouraging employees to work from home due to the coronavirus outbreak, email phishing expeditions are ramping up. Some of these employees are working from home for the first time, some won't have adequate space to have a separate office, others may be juggling home-schooling and work at the same time, or caring for sick or elderly family members in the home, or any other number of situations that are outside the norm for the employee or their family. Thus, employees working from home may be especially vulnerable, as there have been reports of phishing emails posing as important alerts regarding COVID-19, or as emails from a company executive or president about the coronavirus. In fact, Proofpoint Threat Research, a leading cybersecurity company, just revealed that coronavirus-related email lures now represent the greatest collection of attack types united by a single theme that their research team has seen in years, if not ever. The types of threats observed include phishing for credentials, malicious attachments and links, spam and malware, among others, all of which leverage coronavirus lures. People working from home during this pandemic have multiple things to think about and distract them, and may inadvertently click on a link they might otherwise have been extra cautious about.
In addition, with ready access to their work computers and possibly a more flexible work schedule, many employees will spend evenings working when that would normally not be the case. Telecommuters may be tempted to take a break from their normal environment to move some or all of their workday to another location, be it a family member's house, a hotel, a coffee shop, or any other place they should choose. While the quarantines may prevent some of this, once restrictions are lifted this could become more of an issue. Any place a worker takes their computer to work where they can log onto a WiFi, particularly without a VPN, the company's network data is exposed and vulnerable to attack. Employers should have strict security protocols in place to avoid such exposures. According to Rajeev Gupta, co-founder of Cowbell, a California based cyber insurer, the most common cybersecurity mistake among small employers he has seen is the lack of a virtual private network (VPN). SentryBay CEO Dave Waterson in an interview with Raconteur predicted up to 40% more cyberattacks during the coronavirus crisis, and other experts predict even greater increases.
Another mistake is having a VPN but making it accessible only on one server or an inadequate number of servers to handle the load created by employees trying to gain access from remote locations. Often, employees have not been properly trained in security, or the business's security policies have not been properly reinforced. To combat phishing, as well as other cyberthreats, it is critical that employers implement a security awareness training program – a formal process to educate employees about corporate policies and procedures centered around protecting company systems and data. In addition, it has never been more important for employers to make sure their VPN is up-to-date and patched, and as secure as possible.
Evening work also increases vulnerability to hacking. According to a report published today by U.S. cyber-security FireEye, 76 percent of all ransomware infections in the enterprise sector occur outside working hours, with 49 percent taking place during nighttime over the weekdays, and 27 percent taking place over the weekend. An enterprise sector is a term that encompasses corporations, small businesses, nonprofit organizations, government bodies, and others that use computers. Attackers are targeting users with sophisticated email subjects such as, COVID-19 Preparedness Steps with a link to supposed document with those steps; or COVID-19 Vaccine and Testing Kit with a link to sign up for these things. Even the most adept user can be tricked if they are tired, stressed, or worried.
FireEye compiled this information from dozens of ransomware incident response investigations from 2017-2019. Since 2017, human-operated ransomware attacks have gone up 860 percent and impact all sectors and geographical locations, not just North American companies. This can only be expected to increase with the advanced number of employees working from home due to COVID-19 precautions. The reason why attackers are choosing nights or weekends to trigger attacks is because most companies don't have IT staff working those shifts, and if they do, they are most likely short-handed.Thus, there is slow reaction time with either no one being available to address the attack right away and shut down the network, or the difficulty a short staff may have in figuring out exactly what's happening before the process ends and the hacker has shut down the network and demanded the ransom. Usually these types of ransomware attacks are the result of a prolonged network compromise and intrusion – advanced cyber-attacks succeed because they are carefully planned, methodical and patient. By the time most organizations realize they've suffered a data breach, they may have actually been under attack for weeks, months, or even years. The time from initial compromise to the time of an actual ransomware attack is on average three days, with attackers carefully deciding the most opportune time to lock down a network.
In addition, employees may spend some part of their workday accessing social media, such as Facebook, Pinterest, Twitter, LinkedIn, or other media sites. Some of this access may be necessary or beneficial based on the nature of the business. It is important that employees be trained in how to identify potential links that could compromise network security, and what should and should not be posted on these sites by the employees. For entities that do not permit employees to be on social media during working hours, a strict policy needs to be in place and communicated that prohibits workers from logging onto social networking sites on company-owned devices or via the company network. Training may be difficult to accomplish with all of the adjustments being made for companies and workers to work in as normal a way as possible, but at the very least companies should make their employees aware of the increase in number and sophistication of targeted attacks, and the fact that they willl prey on the user's need to learn more about the coronavirus and treatments so that they will be more cautious about opening such emails coming from outside the company. If something says it is from the CDC, the World Health Organization or similar, the user should not access the document from their email, but go directly to those websites as a precaution.
"It all comes down to access points," CyberScout Chief Executive Officer Jennifer Leuer said in a prepared statement. "For every WiFi network that an employee signs on to, they are creating an additional access point for hackers to infiltrate your business systems. The danger is even greater if employees are using public WiFi."
CyberScout suggested these tips for securing business data:
Set up a virtual private network (VPN), and be aware that some are better than others. The network should include multi-factor authentication.
Require employees to use private WiFi. If employees need to work from other places (hotels, libraries, conferences, other), require them to use a mobile hotspot (such as those available through a smartphone) to access a secure connection.
Upgrade password requirements to require more complex and lengthy passwords and regularly change passwords – up to once a day if the culture will allow it.
In a telephone interview, Leuer said many small and mid-sized employers that have not paid much attention to cybersecurity are taking a closer look now because they are concerned employees will have to work from home.
"You never want to see a crisis go to waste," she said. "Unfortunately, that's what's getting their attention."