
Remote working offers easy pickings for cyber criminals – RTE.ie


While remote working might have been a feature in some companies before now, many others would have found themselves with days – if not hours – to prepare for the new, restricted reality.

That will have seen a lot of firms cobble together incomplete remote working systems, operated under hurriedly devised practices by ill-prepared – and somewhat disorientated – staff.

A dream come true for a cyber-criminal.

“Cyber criminals are opportunistic… we’re definitely seeing Covid-19-related attacks,” said Des Ryan, solutions director for Microsoft Ireland.

“I don’t think there’s necessarily an increase in the number, but I think attackers are just using this to find the weak link.”

So far it appears as though the underlying goals of cyber criminals are little changed from before – they’re still trying to trick people into handing over passwords, money, bank account details or access to critical information.

“The vast majority of it is simply them changing the lures to take advantage of the situation,” said Chet Wisniewski, principal research scientist at security technology firm Sophos.

This is nothing new in itself – many recent cyber crime campaigns were themed around the Australian wildfires, for example. In the current climate that means old attacks are simply getting a ‘coronavirus’ coat of paint.

“We see that in our lab data to a certain degree, at first we saw a small volume of Covid-19 scams, as if gangs were testing to see what would make them the most money,” said Mr Wisniewski. “If the new scam works the old thing goes away and the new thing does all kinds of volume.”

Dishonour among thieves

One example many will have seen already is a spurious email that seeks donations for the World Health Organization – a broad swipe of a phishing attempt that some dub ‘Spray and Pray’. However, others are far more targeted and nefarious, including attacks on hospitals in the Czech Republic and France and scams aimed at firms trying to buy personal protective equipment.

When it comes to firms that are now operating remotely, criminals are seeking to take advantage of what is an unfamiliar situation, where time and resources are likely stretched.

“It might be an email pretending maybe to be from IT or HR – saying ‘here’s your company update on what’s happening’ and when you click on the link it brings you to a fake website and asks you for credentials to log into it,” said Brian Honan, owner of security firm BH Consulting.

“You will also see people pretending to ring up from IT and get that information from them as well.”

If firms are ill-prepared for this new dynamic, they may have no way of confirming identities – or may even lack an agreed (secure) method of communicating with colleagues, which would minimise the opportunity for such attacks.

If companies didn’t have time to set staff up with a company laptop, tablet or phone, their use of a personal device adds another point of weakness.

But perhaps the greatest concern is the extremely stressful backdrop all of this is happening against, which may indirectly lead people to make poor decisions.

“Traditionally most people who work from home would have been in a managed-type situation, in a set-up that is comfortable… but now what we’re seeing is people working not just from home but working through a crisis, so they’re going to be under a lot more stresses and strains,” said Mr Honan.

“Suddenly the nice quiet work environment you might have had is now a home school, your partner is working from home – and people are looking for information and reassurance, so criminals are using that atmosphere of fear and panic and worry to send out scams.”

And the problem is that firms in this situation must now try to plug those holes on the fly.

Protection that’s tried and tested

The nature of the attacks so far does offer a silver lining, however. As most of the Covid-themed attacks are simply rebranded rehashes of the same old tricks, the safeguards against them should already be well-known.

“There’s still some basics that can apply,” said Mr Ryan. “Remembering the security rules of ‘don’t click on a link that you’re not expecting’, or at least inspect the link closely to ensure that it’s not something that you shouldn’t click on.”

Whatever the system that’s in place, people are always the weakest link.

Most offices have safety nets in place to cover this – blocking staff from following links to dodgy sites and halting the download of malicious email attachments. In the wild these extra protections may not exist, making the basics of solid passwords and careful clicking all the more important.

As repetitive and boring as the message may be, reminding staff of that – and the ways to ensure they are not caught out – will help to significantly strengthen your protection.

“People have been told forever about passwords,” said Mr Wisniewski. “Reminding them of that and pointing out that the normal layers of protection aren’t there, might mean they have more caution during these stressful times.”

That extra vigilance should extend to the IT department too – which may also be made more vulnerable by the unique and stressful climate.

Beyond awareness, there are other simple, low-tech steps individuals can take to protect themselves immediately – especially when trying to verify that the person on the other end of the phone, text or email is who they claim to be.

“You can do something like a remote call back,” said Mr Wisniewski. “Someone calls in for a password reset, so you say you’ll call them back on the number you have for them in the directory.

“It’s a simple practice that doesn’t cost anything.”

Get verified

In terms of actual changes to a system, the introduction of multi-factor authentication is perhaps the easiest and most effective option – and one that can often be rolled out remotely.

This sees a log-in being verified by a ‘token’, often taking the form of a six-digit code generated through an app or text message. This makes it easier to verify someone’s identity remotely, while also protecting a firm even if a user’s login details are compromised.

Depending on the software a company uses they may already have licences for this kind of security service and others – it’s just a question of having them activated.

Even if they do not, many vendors are temporarily waiving fees on their own solutions to give companies the opportunity to protect themselves during these unusual times.

What is important is that companies are pro-active in finding ways for their employees to do their jobs remotely. But they are advised to be flexible given the circumstances, while also ensuring that their chosen methods are accessible and fit-for-purpose.

“If people don’t know how to use the tech and see it as a blocker they’ll go around it,” said Mr Ryan.

Staff being left to find their own workarounds could create a security risk, but it may also become a data protection problem down the line.

“From a security and GDPR point-of-view people may have rushed out to get these things up and running and get the job done,” said Mr Honan. “You now have to ask ‘are these platforms secure enough and suitable for what we need?’ and, if not, take the necessary steps.”

Never mix business and pleasure

One key way of avoiding that is to try to minimise the overlap of business and personal – from a hardware and software point-of-view.

You may have easy access to a colleague via social media, but it probably is not the best channel for professional communications.

Likewise, even if you are forced to temporarily re-purpose a personal device for work, do your best to ensure that is its sole purpose for the duration.

“It’s really important not to let the kids use the work PC for their homework,” said Mr Wisniewski. “You can pick up Chromebooks reasonably cheaply and have them delivered, so if that’s a possibility I would suggest people do that.”

At the very least, though, companies should take this crisis as an opportunity to properly assess their security system and its suitability to remote working.

Now that the triage is done, those found to be lacking should put the effort into building something that will see them safely through this – and any future – shocks.

“The key is not to take shortcuts – there are certain architectural prerequisites that you want to take to ensure that your security doesn’t get compromised,” said Mr Ryan. “You can put some basic blocks in place that will block 80% of your risk, after that it’s the law of diminishing returns.

“If you put emphasis on getting that layer right, the bulk of your security will be covered.”
