It doesn’t take long for cybercriminals to exploit a global pandemic.
Within days of the Covid-19 outbreak, we began seeing phishing attacks disguised as medical resources in our inboxes. Complete strangers and obscene images invaded our Zoom conference calls. And the overburdened healthcare facilities behind our frontline workers came under attack.
Since then, the FBI's Internet Crime Complaint Center has reported a 300% increase in cybercrime complaints, as many as 4,000 a day. And in a single week, Google reported blocking more than 18 million malware and phishing emails a day related to Covid-19 scams.
These attacks aren't limited to application backdoors and device vulnerabilities. Cybercriminals are also taking advantage of how the pandemic has changed the way we use technology for email campaigns, direct mail marketing, and virtual tradeshows.
With so many employees working from home and events moving to virtual meetings, existing sales and marketing tools are being used in ways never before imagined, and each of those new uses is producing new exposures.
These changes are forcing software companies to quickly identify and patch exposures, much as Zoom issued fixes to curb "Zoom bombing." Now the company is extending end-to-end encryption (E2EE) to both paid and free users beginning in July. (Zoom had previously stated that E2EE would be available only to paid customers.)
But until software providers like Zoom identify and fix their vulnerabilities, organizations will have to step up their own efforts to protect employees and customer data. This includes adapting their security postures to remote workers using unsecured devices over home networks, monitoring for unchecked permissions and unauthorized access to applications, and encouraging employees to keep their passwords and their software patches current.
“Most organizations have gone from having maybe five percent of employees working remotely to just about everyone logging in from home,” says Estee Woods, senior marketing director for Tempered, which develops zero trust network security software. “When you have that kind of situation with such a quick flip of the switch, it creates risks everywhere. Now we have companies spending more time keeping employees connected to critical applications and less time worrying about security.”
1) Adapt training to help employees spot phishing attacks
Woods says employees represent the largest attack surface and are more vulnerable once removed from the office's oversight measures. Training is needed to educate employees about the social engineering behind phishing attacks, in which attackers mimic emails from customers, vendors, or other employees to trick them into clicking a link or opening an attachment.
She recommends developing a process in which IT is accessible for questions and can review anything that looks suspicious. IT should also teach employees how to use multifactor authentication, and to treat an authentication prompt they did not initiate as a sign that someone else may be using their credentials to log into company applications. Security awareness platforms like KnowBe4 can help companies prepare and test employees with simulated phishing attacks.
2) Develop and maintain multiple security postures
As employees become more mobile, organizations have been adapting their security postures to cover work both inside and outside the office. This includes guidelines that keep employees from visiting personal shopping sites or searching non-work-related topics on Google.
3) Make VPN mandatory and easy
Woods also recommends that companies require employees to connect to company resources exclusively over virtual private networks (VPNs), but companies must ensure that those VPNs are user friendly.
"No matter your situation, you have to make sure your solution is flexible, friendly and fast," she said. "IT and security departments have to remember that employees are internal customers. And so anything that is hard to use or introduces latency will be a problem, and create risk. You have to make sure your solution helps them do their job and not make it more difficult, or it won't be adopted."
4) Increase awareness around virtual tradeshows
In addition to video conferencing, Covid-19 has pushed virtual tradeshows into the mainstream. Over the last two months, major industry tradeshows have been trying to salvage their traditional events by moving them online. It's a new frontier for many event companies and attendees.
Tim Matthews, CMO of Exabeam, which produces a global security management platform, says the new world of virtual tradeshows is an environment ripe for cyberthreats. Matthews says the risks come on two fronts: how the customer engages with virtual events, and how companies manage registration and attendance.
“Right now, you have a lot of event companies that are moving to the world of virtual events for the first time,” he said. “And they have to do it very quickly, which means they probably had to rush changes to their registration processes and logistics. At the same time, they might have experienced a round of employee furloughs, and lack the IT support they need to ensure their communications and procedures are safe.”
He says cybercriminals can send emails posing as event officials that request password resets or credit card information for additional services. Event companies, which hold a treasure trove of attendee information, can also be exposed from the inside by employees disgruntled over pay cuts and layoffs.
Matthews recommends that event companies and employers tell attendees what to expect, and what not to expect, from them during and after registration.
“I think they should probably tell people in advance that they need to be wary,” he said. “And let them know what to look out for in the way of potential phishing emails and unauthorized requests. Tell them, for example, that they should not receive random requests for personal information or links. And let them know what an official email from the event should and should not look like. With the way things are now, a little bit of education can go a long way.”
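The sender checks Matthews describes (an official email should come from the event's own domain, and no legitimate message should redirect replies or requests elsewhere) can be automated on the receiving side. The script below is an added example written for this article, not code from Exabeam or from any event platform. It assumes a constructed list of trusted sending domains (`TRUSTED_DOMAINS`) and two constructed sample messages, and it flags the three impersonation patterns most common in registration-themed lures: a trusted address placed in the display name only, a lookalike domain (digit or Unicode substitutions, one-character edits), and a Reply-To that points somewhere other than the From domain.

```python
"""Flag inbound mail whose From header impersonates a trusted event or vendor domain.

Added example for this article; the trusted domains and sample messages are constructed.
"""
import unicodedata
from email import message_from_string
from email.utils import parseaddr

# Constructed for this example: the domains the event company and a vendor really send from.
TRUSTED_DOMAINS = {"example-events.com", "example-vendor.com"}

# Substitutions attackers use when registering lookalike domains; folded before comparison.
CONFUSABLE_PAIRS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize_domain(domain: str) -> str:
    """Lower-case, strip accents and combining marks, and fold confusable sequences."""
    folded = unicodedata.normalize("NFKD", domain.lower())
    folded = "".join(ch for ch in folded if not unicodedata.combining(ch))
    for src, dst in CONFUSABLE_PAIRS:
        folded = folded.replace(src, dst)
    return folded


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character insert, delete or substitute steps between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS) -> str:
    """Classify a From header as trusted, lookalike, display_name_spoof or unknown."""
    display_name, address = parseaddr(from_header)
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    if domain in trusted:
        return "trusted"
    folded = normalize_domain(domain)
    for t in trusted:
        # Catches examp1e-events.com, a Cyrillic 'a' in example-events.com, or example-event.com.
        if folded == normalize_domain(t) or edit_distance(folded, t) <= 1:
            return "lookalike"
    name = display_name.lower()
    for t in trusted:
        brand = t.split(".")[0]
        # Catches "registration@example-events.com" <x@gmail.com> and "Example Events" <x@gmail.com>.
        if t in name or brand in name or brand.replace("-", " ") in name:
            return "display_name_spoof"
    return "unknown"


def analyze_message(raw: str) -> dict:
    """Parse a raw RFC 5322 message and report the sender findings a reviewer should see."""
    msg = message_from_string(raw)
    from_header = msg.get("From", "")
    verdict = classify_sender(from_header)
    findings = [] if verdict == "trusted" else [verdict]
    reply_to = msg.get("Reply-To")
    if reply_to:
        from_domain = parseaddr(from_header)[1].rsplit("@", 1)[-1].lower()
        reply_domain = parseaddr(reply_to)[1].rsplit("@", 1)[-1].lower()
        # A plausible From with replies routed elsewhere is the classic reset/billing lure.
        if reply_domain != from_domain:
            findings.append("reply_to_mismatch")
    return {"from": from_header, "verdict": verdict, "findings": findings}


# Constructed sample messages (not real mail) for the usage demonstration.
SAMPLE_LURE = """From: "Example Events Registration" <billing@examp1e-events.com>
Reply-To: payments@mailbox-free.example
Subject: Action required: confirm your card for the virtual expo

Your registration will be cancelled unless you confirm payment details today.
"""

SAMPLE_LEGIT = """From: "Example Events" <registration@example-events.com>
Subject: Your virtual expo badge

Your badge is attached. We will never ask for your password or card by email.
"""

if __name__ == "__main__":
    for raw in (SAMPLE_LURE, SAMPLE_LEGIT):
        print(analyze_message(raw))
```

Run it to see the lure flagged as `lookalike` with a `reply_to_mismatch`, while the genuine badge email produces no findings. This heuristic is a complement to, not a replacement for, SPF, DKIM and DMARC evaluation on the mail gateway: those verify that the From domain really authorized the message, whereas this check catches the lookalike and display-name tricks that authentication alone cannot, because the attacker's own domain authenticates perfectly well.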
Matthews also says event companies should take additional steps to prevent registration data from being leaked by employees, whom outsiders may recruit with cash offers for the information. This might mean, for example, re-examining who can access registration data internally and applying new restrictions.
5) Keep customer business and home addresses separate
With more employees working from home, many might be tempted to include their home addresses when registering for events or requesting materials. Matthews says this makes it easy for personal and business information to become intertwined and vulnerable to theft. For direct mail campaigns, he suggests companies keep the two separate and rely on bonded mail houses, which are entrusted with keeping the data private.
Even as companies change the way they travel, sell, and operate, their security procedures and protocols will have to adapt or risk being compromised. It's a shift that will be felt across all operations. Woods says it's therefore essential for IT security teams to look across every aspect of the business to understand user needs and make the solutions as simple as possible.
“You have to make sure you understand what people need and what frustrates them because as soon as something is hard or frustrating, that’s when their guards go down and they stop using the security tools needed to protect them and the company,” she said.