By Cathy Findley
The COVID-19 crisis has forced many organisations and individuals to embrace new practices and ways of work. But while we’ve all been focused on the health and economic threats posed by COVID-19, cyber criminals around the world have undoubtedly been capitalising on this crisis and many schemes have been designed to exploit the greatest cyber security vulnerability of all – human emotion. Is human emotion the greatest risk to cyber security?
Penny Futter, Chief Information Officer of African Bank, says that while cyber security per say is nothing new, COVID-19 has done two things to cyber security risk management. Firstly, it has broadened the attack surface of organisations to include remote working employees, and secondly, it has shifted much more of the responsibility for cyber security prevention onto the end users or the employees of companies. This has highlighted the important role which people play in cyber security risk management today and has changed the risks companies now face.
Futter says research shows that 92% of malware used within cyber attacks are delivered via email which means a huge number of successful attacks are as the result of a user unwittingly releasing malicious software which then can have a range of impacts from ransomware, to data loss to financial loss. There is no doubt that the human factor plays an important role in cyber security and remains the weakest link in this chain, yet public awareness and visibility of cyber security to common users remains largely inadequate. She says it is important for companies to realise that although people may be the weakest link in the chain, they can also be the strongest line of defense, if appropriately equipped.
With a phishing email, the goal of the attacker is to trick the email recipient into believing that the message is something they want or need in order to encourage them to click a link or download an attachment. Futter says an evolution of this is spear-phishing – the act of sending emails to specific and well-researched targets while pretending to be a trusted sender. “The individual is often targeted for the access or privileges they have into key IT or financial systems within the organisation. The attackers will also make use of information about the target to make the attacks more specific and personal and hence more believable,” she explains.
She says whilst all employees, whether onsite or working from home, are vulnerable to phishing attacks, remote work forces are more vulnerable because employees are dispersed and have fewer lines of direct communication through which they can confirm unanticipated or suspicious messages.
There have been many phishing scams related to COVID-19 since the start of the outbreak. Hackers have adapted to the realities of remote work by impersonating trusted technology platforms. Skype, Zoom and Google Meet platforms are also now being included in the toolbox of cyber criminals.
Recent statistics released by well-known security provider, Check Point, showed that more than 1 700 Zoom-related domains had been registered in the three weeks prior to the study. “Hackers are using these false domains to create fake Zoom meeting notifications and create fake COVID-19 themed email alerts. People who respond to these alerts usually end up downloading malware or otherwise compromising their data security. In another iteration of this kind of scam, hackers are impersonating a Skype login page and tricking Skype users into relinquishing their password information,” she says.
Hackers really tug and pull on human emotions in order to get people to do what they want and with so many people working from home, cut off from regular contact with their colleagues and generally on edge with anxiety or stress, now is the perfect time for hackers to test the limits of individual vigilance.
“Phishing is a serious threat that can cost individuals and companies both money and peace of mind. The easiest solution to this is to equip all staff with the power of information and make sure everyone is aware of the critical role they play in protecting their company,” says Futter. She says much of this revolves around training and awareness campaigns combined with well-defined procedures informing employees how to respond if suspicious emails are detected. “But it is more than just that,” she says. “It comes down to a culture – a culture of understanding that when it comes to security, every link is important because a chain is only as strong as its weakest link.”
In addition to the human component of cyber security there are also some non-human contributors.
Devices are the first of these contributors. The Morphisec work from home employee cyber security threat index, showed that 56% percent of employees are using their personal computers as part of their company’s remote response to COVID-19. In addition, nearly 25% of employees working from home don’t know what security protocols are in place on their device. This approach has impacted security, with controls around the loss of a device, malware detection or anti-virus software and data loss being most impacted.
“The loss of a device in these circumstances becomes a big thing as most private devices will not have an adequate form of data protection installed on them,” she says.
Another concern is the installation of malicious applications. One of the primary concerns amongst security professionals is users downloading apps which are infiltrated with malicious malware code. Corporate devices will invariably have administrator rights removed which will prevent users from installing applications without the appropriate approvals from their IT department. The IT department will perform security checks on all applications before they are installed to confirm there are no unknown / malicious components. Corporates will also provide an additional safety net in the form of anti-virus or malware protection which will detect when a malicious application or malicious code is trying to run and will block that operation.
However, on personal devices, there may be no antivirus installed and even if it is installed, users still need to ensure the definitions are regularly updated to cater for the ever-changing threat landscape. “If both of these are not in place, there is a dramatic increase in the risk of users connecting into the company network,” says Futter.
Moving or transferring data in a way that is unprotected, can expose the company to additional data leakage/data loss risk. On personal laptops, data can be emailed to third parties, saved onto USB memory sticks and even uploaded onto document storage sites which all pose a security risk to an organisation.
The need to secure the home network is not just to protect personal assets, but also business data and communications. The attack surface of any organisation represents the number of different points where an unauthorised user can try to enter or extract data from an organisation. Keeping the attack surface as small as possible is a basic security measure but with so many people working from home, this attack surface is now very different.
New vulnerabilities found in network and Internet-of-Things (IoT) devices are being weaponised by cyber criminals within days of disclosure – and sometimes hours. “Depending on how connectivity into the company is set up, these companies now need to worry about IoT and other devices connected to home networks as it may be possible to use these devices to proxy back into the corporate network,” says Futter.
She says there are many things which can be done to protect the home network and by extension, the corporate network, but there are two basic issues which should receive initial focus. Firstly education. “It is really critical to provide all staff members with a basic understanding of their own responsibilities in protecting the company when using their home network. Secondly many home networks are controlled by a router – this is the front door into your home network, and this should be protected fiercely. All routers come with default usernames and passwords which are often both weak and easy to google. If you have never changed the default username and password, this should be done immediately, and users should follow the principles of a strong password.”
For many organisations, the threats discussed are not new, but Covid-19 has both exacerbated and shone a light on the risks and their associated mitigants. Those organisations which have had either a ‘Bring your own device (BYOD) policy or a work from home policy in place for a period of time, will have a head start on those who are embarking on this journey as a response to the crisis. Similarly, organisations who have already implemented a zero-trust model will be a step ahead of those who are still relying on their corporate network perimeter for defense.
“Many companies will have implemented controls to varying degrees. One now needs to identify which of the controls are fit for purpose and which of them need to be enhanced in order to reduce the level of risk to which the company is exposed.”
It is really easy to talk about changes and adapting the security posture of an organisation but like any change it does take time and companies should take a methodical approach to identifying the highest risk areas and tackling those first.
“For all the technology and processes that we can put in place to reduce risk, there is stark irony in understanding that the most cost-effective and rapid response an organisation can have to cyber risk is to mobilise a staff complement to understand their role in protecting the company, equip them with the right tools to do so and most importantly, instill in them a deep rooted commitment to prevent cyber security breaches. After all, it is often human vigilance which will save the day,” concludes Futter.
Enjoy the 6th edition of ESG: The Future of Sustainability: