The Covid-19 pandemic continues to evolve, and cyber criminals are mercilessly exploiting the crisis for their own objectives. While there may not have been a significant increase in the actual levels of cybercrime, there has certainly been a change in direction. So the question is: are you and your business prepared?
The sudden and unprecedented shift to mass remote working has exposed many businesses to unforeseen cyber threats. A large number of activities have suddenly moved to the digital world without the opportunity to implement all of the necessary IT security measures or to educate staff on the relevant policies and procedures, and cyber criminals are only too aware of this.
Employees are having to grapple with working in unfamiliar environments, meaning they may not be prepared or alert enough to spot Covid-19 associated phishing emails and scams. They may also be unaware of the firm’s policies and procedures for home working. According to the UK’s National Cyber Security Centre (NCSC), cyber criminals have been ‘scanning for vulnerabilities in software and remote working tools as more people work from home during the pandemic,’ likely aided by the use of susceptible services like Virtual Private Networks (VPNs).
The use of unsafe home Wi-Fi networks and personal devices, which will not have the same level of security as business devices, along with the lack of firewalls, will increase the likelihood of attack.
Firms have adapted to the situation and will be using cloud-based services and software as a service (SaaS), but cyber criminals will now be focusing their efforts on accessing these remote services by extracting the necessary credentials from the unsuspecting user. One method used is voice phishing, also known as ‘vishing’, whereby the cyber-criminal mimics the technical support of the provider, in order to trick those who are not used to working from home.
Avoiding cyber-attacks is important, particularly at the moment, when businesses need to show regulatory compliance, including the requirement to protect personal information in accordance with the General Data Protection Regulation (GDPR).
It is also critical at this time of increased financial uncertainty that firms are not overwhelmed with potential liabilities and fines. Although it would be fair to say that data regulators will be (or at least should be) sympathetic to any company that suffers a data breach or cyber-attack during the Covid-19 crisis, those regulators will still be looking to see what technical and organisational measures were taken to adjust security and incident response procedures. Those who are lacking are exposing themselves to potential liability.
In these extraordinary times, it is also likely that many businesses will not have prepared crisis plans in the event of a cyber-attack, or at least they will not have tested the ones they have already. The current situation should influence companies’ decisions to review and test the policies, plans and procedures they have in place.
A growing appetite from the public for up-to-date information about the virus has led to an increasing use of Covid-19 associated themes by cyber criminals. In place of the notorious ‘Nigerian Prince’ schemes, scammers are tricking individuals into giving away their credentials or downloading malicious software, in return for what they believe to be updated government guidance, fake cures or offers of PPE.
The pandemic has led to huge levels of staff being placed on furlough or made redundant, and it is likely that job-themed plots, mimicking actual job vacancies, will be used by cyber criminals to lure people into providing their personal details.
The shift in cyber-criminals’ targets, to focus predominantly on the remote workforce, illustrates how cyber-crime is heavily influenced by economic and social patterns, in this case by the Covid-19 outbreak. The way in which cyber-crime activity mirrors the movements of people and businesses also shows, if we didn’t know it already, how intertwined technology is with our lives.
The present risks make it clear that cyber security and educating staff to avoid cyber-attacks are crucial. So again: are you and your business prepared?
If you need help with your policies, procedures, and regulatory compliance, get in contact with our team of experts, who’ll be more than happy to assist.