Cybersecurity Threats Grow During Pandemic

Working from home exposes staffers, organizations to hacking risks

The coronavirus pandemic that abruptly closed offices and forced millions of employees to begin working remotely from home has also exposed these workers and their employers to new security threats from increased global cyberattacks.

“Unfortunately, COVID-19 has highlighted a lot of existing cybersecurity vulnerabilities for private business and government,” cybersecurity and privacy expert Leeza Garber said in an interview with Advisors Magazine. “Many companies were not ready to send their employees to work from their home environment,” added Garber, a lawyer, keynote speaker, and frequent on-air analyst for Fox News Channel and Fox Business Network.

A recent survey by Barracuda Networks found 49 percent of businesses have encountered at least one cybersecurity incident since moving to a remote working model in 2020. Another 49 percent expect a data breach or similar incident in the near future. More than half also anticipated continuing widespread telecommuting after the crisis passes.

Cyber threats have dramatically increased since the COVID-19 pandemic began earlier this year. Hackers have particularly targeted medical institutions, but threats to individuals and enterprises of all types are also spiking. Cybersecurity group IBM X-Force reported spam related to COVID-19 rose 4,300 percent from mid-February to the end of March. Similarly, cybersecurity company RiskIQ’s spam monitoring system received 156,186 emails containing “corona” or “covid” over a three-day period in early May.

IBM also stated some emails appeared to come from government agencies concerning small business emergency loans; others supposedly shared details about COVID-19 testing. Clicking on the attachment or email link triggers malware that allows hackers to steal personal data, install computer viruses, or lock down devices until a ransom is paid.

“With every major event, whether it's in the United States or abroad, you see hackers and malicious actors capitalizing on the fear,” Garber said. “We're seeing it now in terms of the coronavirus and COVID-19. It arrives in attacks where hackers are saying they have hand sanitizer, or a vaccine, or new information on the virus in your area. It may be in emails that seem to come from your supervisor or the CEO. They will contain links that have some sort of malicious aspect to them. It may also be in the form of text messages or phone calls.”

The cyberattacks Garber has seen related to COVID-19 do not rely on new techniques. Methods such as phishing, malware, ransomware, and social engineering have been around for decades, she said. Now those practices are being adapted to fit current circumstances and concerns.

“We see the vulnerabilities increasing, especially because hackers and malicious actors are using the fear of the pandemic to send billions of phishing emails and links to malware,” she said. “They are capitalizing on the fear that exists for this very real physical problem, and translating it into the cyber world.”

Cyber Hygiene

As external threats intensified and millions of employees began working remotely on a daily basis, Garber said it became obvious that some businesses were not prepared to shift from controlled office settings to work-at-home networks. Companies typically have centralized cybersecurity programs that interact with employees and control systems access. Some teleworkers are using company equipment from home, while others rely on personal laptops, tablets, and cell phones. All of these devices need to be locked down and secure.

“Working from home calls for what I like to call ‘cyberhygiene’,” Garber said. “Basically it’s the idea of being proactive and vigilant in a cyber environment. It could mean implementing best practices from your work environment at home; being aware that security problems exist; and remaining alert – even when you are working from home, surrounded by family.”

Cyberhygiene also means understanding your obligations to clients or customers, as well as continuing to follow internal policies governing privacy and confidentiality. When consulting on security and privacy systems with clients, Garber added, a review of procedures and systems should also cover legal obligations under state and federal laws, plus any applicable guidance from the relevant industry.

One example of cyberhygiene at home concerns the Internet of Things: “smart” devices such as speakers, televisions, security cameras, appliances, and baby monitors. Garber said many companies have advised employees not to take confidential calls in front of a smart device. Those devices enlarge the attack surface available to cyberattackers, who may use them to surreptitiously record conversations and collect data.

Best Practices for Seamless Cybersecurity

Garber outlined several best practices to assist remote workers and businesses of all sizes – from solo practitioners to global multinationals – that now find themselves in a teleworking environment. Being proactive and vigilant are critical, she said, as not everyone realizes the common threats they can face.

One practice that can cause problems is misusing social media by providing too much personal detail. Garber, who is also an adjunct law professor at Drexel University’s Thomas R. Kline School of Law and a lecturer at The Wharton School at the University of Pennsylvania, advises her students and clients to Google themselves once a month to discover what information is publicly available about them. With more employees working at home and everyone connecting through social media more often, she said, some people are proactively supplying information that could erode privacy in their personal and/or professional lives.

“Best practices for passwords are also important. You need to have a different password for every type of account,” Garber said. “That’s something that we've heard for decades. Yet, some people still take the easy route because it's a time-saver and it seems more efficient. It’s always worth taking the extra step to solidify security at the primary password level.”

Make sure your home Wi-Fi connection is secure. You can encrypt your Wi-Fi connection and rename your Wi-Fi network. However, she suggests not using your own name or other personal information in your network name, as someone nearby who is trying to hack it could leverage those details.

Employees working from home also need to understand what it means to be live on camera. If you are using Zoom or another videoconferencing app, be aware of what you're actually showing on the screen. Garber cited the recent example of an ABC reporter broadcasting from home without wearing slacks – which went viral on YouTube when the camera dipped down too far. The videoconference view of your home office might show a whiteboard where you are developing corporate strategy, or there may be documents on your desk that can be read by others. She also advised Zoom users to password-protect their meetings and avoid group notifications to make sure only invited participants can access the session.

Awareness should also extend to mobile devices such as smartphones and tablets, which can receive text messages and emails containing malicious links. People don’t typically think about locking down their phones, Garber said. However, having a smartphone is like carrying a mini-computer around with you. She said anti-virus and anti-malware programs are available for mobile devices, and are used in many corporate environments.

Among companies, major problems with cybersecurity arise from a lack of understanding of the issues and from budget shortfalls, she said. Sometimes businesses have neither a technical team that can install security patches and send system updates to remote workers, nor the ability to enforce policies and best practices outside the corporate network. The Barracuda survey found 40 percent of businesses polled were reducing cybersecurity budgets to cut costs during the pandemic.

While each business has its own policies, systems, and schedules, Garber said, there are some general principles everyone should live by. Those include basic password security; activating security software; and installing system patches as they become available.

Large companies often spend hundreds of thousands of dollars drafting security policies and buying cybersecurity insurance, she added. Remote employees still need to follow those policies to maintain privacy and security. Employers also need to ensure best practices and rules are being followed – particularly in a work-from-home environment.

Garber said she has seen a huge uptick in companies adopting various security-related insurance coverages. However, they may be paying a lot of money for coverage against threats that do not really affect them. They may also lack coverage against the threats they do face. She said it is important to conduct an audit to understand what threats are reaching the business on a daily basis; what system traffic looks like; and what vulnerabilities exist.

Garber also advises that access to data and applications should be based on the principle of least privilege.

“That is basically the idea that you want the least amount of people having the least amount of access for the least amount of time,” she explained. “If someone doesn't need access to a certain document or a certain part of the network, they shouldn't have access because it opens your organization to more vulnerabilities.”

Garber added, “Honestly, cybersecurity practices don’t have to require super high-end, complex technology. Sometimes it just comes down to the basics of passwords, anti-virus/anti-malware software, and taking the time to think clearly before clicking.”

© 2017-2019 Advisors Magazine. All Rights Reserved.