Cybercriminals have never enjoyed such a heyday as since COVID-19 hit the (cyber) world. It is hard to miss a target: with so many employees working from home, and with so little preparedness and awareness in many cases, confidential information is up for grabs. Not a pretty sight. So what should every organization with employees who work from home be doing right now? Invest in cybersecurity: in people, processes, and technology. That said, cybersecurity is above all about people.
Social Engineering
Only about 3% of malware tries to exploit an exclusively technical flaw. The other 97% instead targets users through social engineering (KnowBe4). Cybercriminals know that people are often the gateway to valuable credentials, databases, or account details. The recent attack on Twitter is a perfect example. With a simple trick, or a piece of digital sleight of hand on a bad day, they know you can be an easier target than trying every username-password combination in a data dump until they get a hit.
Your response:
- Give remote employees new security policies on how to securely work from home
- Help remote employees using their personal device for work with securing it
- Provide password management guidelines
- Give new or more security training
Spam
55% of all emails are spam (Symantec). Considering the sheer volume of email that many of us receive each day, this statistic matters. You may be able to spot the more common red flags, or obvious spam. But this constant flow of messages wears down your ability to spot the more subtle tricks embedded in messages that are just a few degrees off.
Your response is to be suspicious when email subjects look like this:
- Password Check Required Immediately
- Vacation Policy Update
- Branch/Corporate Reopening Schedule
- COVID-19 Awareness
- Coronavirus Stimulus Checks
- List of Rescheduled Meetings Due to COVID-19
- Confidential Information on COVID-19
- COVID-19 – Now airborne, Increased community transmission
- Fedex Tracking
- Your meeting attendees are waiting!
Phishing and Spear Phishing
Social engineering scams stole over $5 billion worldwide from 2013 to 2016 (PhishMe). Imagine what these numbers look like for 2020. Clearly, this is a growing problem. As the quality of anti-virus and malware scanning software has improved, cybercriminals are turning to social engineering against individual employees, even to the point of ‘spear phishing’ or ‘whaling’ against bigger targets such as senior management or CEOs.
Your response:
- Understand who in your organization is at risk
- Put a secure IT infrastructure first
- Invest in security awareness training
- Set a chain of command process
- Pay attention to the information that you share
Social Media
Being away from your colleagues has led people to flock to social media more than before. In the face of crisis, social media usage has surged. A study of 25,000 consumers across 30 markets showed engagement increasing 61% over normal usage rates. Messaging across Facebook, Instagram and WhatsApp has increased 50% in countries hardest hit by the virus. Twitter is seeing 23% more daily users than a year ago (Forbes). Cybercriminals create bogus profiles on social media and use them to trick you. They will impersonate one of your friends or colleagues, or a celebrity they already know you like a lot. Above all, these profiles look very much like the real thing, so it is easy to be fooled.
Let us say you were tricked into believing a bogus social network profile. The next step is that they try to make you click on a link or install malicious software, often under the pretext of watching a video or reviewing photos. If you click, or do that install, it is highly likely that you will infect your laptop with malware that allows the attacker to take it over: the laptop that you use to do your work from home, with all the company data on it, or access to that data.
Your response:
- Increase the number of phishing security tests
- Step users through interactive new-school security awareness training
- Run frequent simulated social engineering tests, and keep users on their toes with security top of mind
- Get Secure Email Gateway and Web Gateways that cover URL filtering
- Make sure that your endpoints are patched religiously
- Identify users that handle sensitive information, and enforce multi-factor authentication for them
- Review your internal security policies and procedures, specifically those related to financial transactions, to prevent CEO fraud
- Check your firewall configuration, and make sure no criminal network traffic is allowed out
- Have rigorous backup practices in place
- Work on your cybersecurity budget, show that it is increasingly based on measurable risk reduction, and try to eliminate overspending on point solutions targeted at one threat or another
Our Response to Cybercriminals
INTERPROM has just released an affordable online, self-paced Cybersecurity Foundation certification training course. The course is based on the recommendations provided by the ISO/IEC 27032 standard.
After just $350, 15 lessons, and a certification exam, you are certified. Above all, you gain knowledge, understanding, and awareness. Ultimately, you become less of a target for criminals in cyberspace, whether you are an employee of a large firm or run a mom-and-pop store. The course is for anyone who seeks to improve their security posture. Check it out and see for yourself.
Looking for additional industry-recognized certifications? We offer:
- NIST Cybersecurity certification courses
- ISO/IEC 27001 certification courses
- CISO Coaching Packages
- Risk Owner Coaching Packages
- ISO/IEC 27001 Coaching and Consulting
- ISO/IEC 27001 Auditing Services
Or take our free cybersecurity self-assessment: answer just 20 questions and receive a 25-page custom cybersecurity improvement plan. Check it out!