As enterprises grapple with the coronavirus outbreak, there is another threat lurking in the shadows -- the unprecedented rise in Covid-19 themed phishing attacks by cybercriminals with an entire global workforce forced to deliver enterprise-grade work on home-grade devices and laptops.
Phishing attacks with Covid-19 themes had seen an increase by 667% by the end of March alone, according to US cloud security firm Barracuda Networks. The attacks used a myriad of methods from email scams to brand impersonation attacks to blackmailing and business email compromise.
The methods of tricking users were equally creative -- selling coronavirus cures, seeking investments to develop vaccines as well as requesting donations for fake charities.
Combined with the heightened risk of Covid-19 themed cyber-attacks are increasing concerns around identity theft for Indians. A recent report from NortonLifeLock said that 70% of Indians were concerned about identity thefts and four out of ten respondents were victims of identity thefts at some point in their lives.
So how can these increasingly sophisticated and well disguised attacks be thwarted and risks minimized?
The solution involves a two pronged approach. First, what CIOs, CSOs and IT heads can do in terms of strategies to keep their work secure for their employees working from home. Second, the steps that users themselves can take while using their personal devices, laptops and home WiFi to carry out their daily work routines.
How enterprises can safeguard against cybersecurity threats
Know who gets access to what information: The first step would be for IT heads and CIOs to understand what level of access is needed by each employee in the company, in order to restrict unnecessary logins.
“In a rush to start to start operations, companies give VPN access to all employees, bring them inside the network and let them continue with the same work they did while using the office LAN connection,” says Murtaza Bhatia, head, vertical solutions, at NTT India.
For example, a 500-people strong organization needs to take a call on which devices need to connect to the network and which of the services offered are needed by different employees. “Not all 500 will need the same connectivity or the same context of solutions. In this regard, a ‘one size fits all’ approach would only make the remote infrastructure costly and hard to manage,” he adds.
Don’t move all operations to the cloud in haste: Enterprises should not move all processes randomly to the cloud and then worry that the security for all of the operations are not in place, says Rajpreet Kaur, senior principal analyst at Gartner. “First, discuss, decide and design the architecture which is required to support work from home and remote employees,” she says.
For all future deployments too, an emphasis on work-from-home first strategy needs to be implemented. “Think if the new deployment is feasible from the work from home perspective, if not, rethink the strategy,” she adds. After a strategy has been established, the vendors who can support the requirements and budgets can then be found and onboarded without much hassle.
Use multi-factor authentication and a dedicated platform for communications: “The first thing that a CIO should do ( in the case of requiring employees to work from home on short notice)... would be to turn on multi-factor authentication,” says Mary Jo Schrade, assistant general counsel, regional lead, Microsoft Digital Crimes Unit Asia.
Multi-factor authentication provides a host of benefits such as reduced identity theft, and although antivirus and internet security are necessary security elements, the lack of user authentication could leave the front door wide open.
Make employees aware of the threats: As hackers use more innovative and well-disguised methods to target users, awareness has to be created from the employer’s side in order to enlighten its employees on what situations or links to avoid.
“Companies must use their own internal portal to publish any information related to Covid-19 instead of sending it as an email,” says Gartner’s Kaur, keeping in mind that phishing scams could pose as internal emails from hackers posing as colleagues. “The IT team should drop an email to everyone that they won't be receiving any Covid-19 email through the company,” says Kaur. Any such information should only be published on a dedicated company portal or website, to minimize chances of phishing.
Create an internal response team: Murtaza from NTT India suggests that a cybersecurity response team be formulated that should emphasize on answering some key critical questions.
“How do we respond to a cyberattack? What is the response strategy? And how is the alarm system tracked and addressed? How to keep our response strategy updated? These are key questions to consider,” he says.
What employees can and must do to work safely from home
No matter what steps enterprises take to protect their employees online, it ultimately comes down to preventive steps that the home user takes that could make the difference between cyber safety and a cyber-catastrophe.
Verify before you click and create a work profile on the computer: A Check Point study showed that there were 16000 new websites created under the Covid-19 theme in January and February, with 6,000 of them springing up in the second week of February alone. Digging deeper, 2,200 of those websites were flagged as suspicious with 93 being confirmed as hacking domains by Check Point.
However, the way to find out if websites are malicious could be fairly simple.
“Have a close look at the hyperlink, does it look genuine or not? If it has a long URL or if it sounds too good to be true, it is most probably a fake link,” says Sandip Kumar Panda, CEO of InstaSafe, a cloud based security-as-a-service solution provider from Bengaluru.
It would also be a good idea to create a separate user profile for work on the computer to protect and preserve data.
“We need to stop using computers in the shareable mode. If you are using the computer for personal and professional work, then try to create a user profile for yourself so that the work data is protected,” adds Panda.
When users utilize one browser on one laptop for all office and personal needs, sensitive personal data, office data or even bank accounts could be compromised owing to a single browser being hacked into by a cybercriminal.
Keep software updated, use strong passwords and beware of third party apps: “One of the major loopholes I see is with people using their personal phones which may or may not be updated with the latest software, or even their home machine, which might not have legal software,” says Deepak Bhawnani, CEO of Alea Consulting, a New Delhi based risk mitigation consulting firm.
Software updates constitute a crucial component of security as they often include critical patches to security holes and can improve the stability of the software as well as remove risky components and provide a more secure working experience.
Security firm NortonLifeLock suggests using strong passwords, keeping all software updated with the latest versions, and using a full-service internet security suite. Additionally, Ritesh Chopra, country director, at NortonLifeLock India said users should take time and understand what permissions are being granted to third party applications. “Read new policies of new apps, understand how the data is used and what permissions are given with regards to location and camera access. Also remember to log out of sessions. Setting up control access and sharing screens are to be given importance,” Chopra said in a recent interview with TechCircle.
Alea’s Bhawnani adds that the minute normal functioning of offices resume, every single password from admin gateways, backups, firewalls and phone systems needs to be reset to avoid chances of security breaches.
Other key steps that employees can take from home include keeping close contact with employers through a company specific communications portal, understanding the cybersecurity tools already available at the company’s disposal, how to utilize them, as well as not trying to improvise and not using non-company specific apps to communicate with colleagues.
As governments, companies and employees try to navigate through the Covid-19 pandemic, it is exactly during these testing times that criminals are on the prowl to exploit vulnerable areas such as home devices or temporary work from home systems without a good security system.
But the silver lining is that the tools to combat these cyberattacks are available at large for most types of organizations, and the steps to be taken in order to mitigate these threats are fairly simple from the stakeholder that matters the most -- the employee.