2020 will be remembered as the year of Covid-19. The virus has had a huge impact on our lives, including the way in which we work.
In April, the first full month of the UK’s lockdown, 46 percent of British employees were working from home, with those staff with more experience and better qualifications making up most of that number, according to data from the Office for National Statistics (ONS).
Despite the lifting (and reimposition) of lockdown restrictions across the country, many employers have allowed their people to continue to work remotely. Just 60 percent of adults travelled to work in the UK between 14th and 18th October – the transition from office to home has, in the most part, run smoothly and allowed employees to continue to be productive while away from the office.
The success has, in no small part, been down to technology allowing staff to have all the necessary access to corporate information and the ability to communicate with colleagues while in the comfort of their own home. Employers that hadn’t previously encouraged or supported remote working hastily scrambled to implement policies and remote access infrastructure. Employees that were previously communicating locally within the office network, protected by an enterprise grade firewall, switched to connecting their laptops to a cheap home ISP router and accessing the data over VPN connections.
This shift has had huge implications for cybersecurity. Both the people charged with protecting corporate networks and their adversaries (the hackers!) having to quickly re-think their strategies. In recent years cyber criminals have become extremely opportunistic and thoughtless in their attacks. The world is their metaphorical oyster, as they turn global events into personal gain, disruption and protest. The rule book on ethics might as well be thrown out of the window – everyone and everything is fair game.
As the pandemic continued to spread worldwide, cyber threat actors capitalized on the health crisis by creating malware or launching attacks with a coronavirus theme. Our CERT team did a little bit of digging into the proliferation of Covid-19 related attacks as the pandemic worsened. In the week prior to the 26th March, 8,900 new DNS domains related to the terms ‘corona-virus’, ‘covid-19’ and ‘ncov’ were registered – more than double when compared to the previous week. During that same week, our customers also reported more than 600 potentially fraudulent emails, 10 percent of which proved to be malicious. The number of emails validated as malicious was four times higher than the previous week.
As the months have gone on, hackers have continued to use Covid-19 to prosper. The National Cyber Security Centre (NCSC) defended the UK from an average of 60 attacks per month during a year which saw its resources proactively focused on the coronavirus response, the organization’s latest Annual Review revealed. The NCSC handled 723 incidents between 1st September 2019 and 31st August 2020, with around 200 related to coronavirus. In the previous three years since launching, it supported an average of 602 incidents annually (590 in 2017, 557 in 2018 and 658 in 2019). It also disclosed that it had thwarted 15,354 campaigns that had used coronavirus themes as a "lure" to fool people into clicking on a link or opening an attachment containing malicious software.
While remote working has enabled organizations to continue operating with a much-reduced level of disruption than would have occurred if lockdown had happened a decade earlier, widespread security risks remain a reality. The use of home IT and personal devices that are not hardened to normal corporate standards acts as an unlocked front door for cyber criminals to open with their access point or endpoint attacks. We can’t control the threat, but we can control the extent of exposure, so we should focus on that. This means working smart, rather than hard – focusing our energy on considering the primary cyber concerns for our businesses and looking to address those one by one.
Defending against phishing
One of those key vulnerabilities, particularly in the run-up to Christmas, is social engineering - a technique used to deceive and manipulate victims to reach a certain goal, such as unauthorized access to a computer system, for financial gain or causing harm or disruption. Social engineering may, in some cases, be considered an art of manipulation; it is well planned, researched and executed in order to lure victims into revealing sensitive information or granting unauthorized access. From an attacker’s standpoint, it makes sense to focus on the behavioral patterns of humans. And what is one behavior that most of us do at this time of year? Christmas shopping!
According to UK online retail association IMRG, the combination of Black Friday discounts and coronavirus restrictions will make November a record-breaking month for online retail. In the first week of the month, online sales were up 61 percent compared with the same period last year. And with many people working from home, it is highly likely that many of these sales were made by employees were using their time at home to make the most of the occasional downtime to browse ecommerce sites on their corporate devices.
Technical countermeasures against phishing attempts and detecting malicious activities today are much more robust than they have been in the past. The human, on the other hand, is more complex and harder to predict in certain scenarios, while easy to manipulate in others. In the rush to grab a festive bargain, there is a risk that staff may fall victim to tried and tested methods of coercion:
- E-mails: cybercriminals use the name and layouts of known services or organizations (including retailers) to trick the user into clicking on a link or downloading a malicious file attachment.
- Fake websites: they look legitimate but are fraudulent copies. They trick the users into giving their personal information and/or into clicking on a malicious link and/or into downloading malware (sometimes without even knowing it).
So, while we may be less than a month until the big day, it is vital that your security teams remain vigilant to ensure an unwitting employee avoids falling foul of a devious cyber scam and turn the next few weeks into a ‘nightmare before Christmas’. Here are some top tips on the steps organizations can take now to help them have a happy festive period:
- Education, education, education: Regular communication with your staff about evolving threats is vital. And make sure they know the basics: check the authenticity of messages received, whatever the channel you receive it from: email, SMS, instant messaging, social media, etc. Elements to check are, in particular: the sender, the content of the message (spelling error or bad translation), urgent demand or unusual one.
- Review back up and disaster recovery. Two real threats which have arguably escalated due to the pandemic are ransomware and Denial of Service. Take some time to review the state of your backups and the readiness of your data and disaster recovery processes. Think about the data being generated by home workers – if you don’t already have a suitable backup system to support remote working, then public cloud solutions like Google Cloud, Dropbox and Microsoft OneDrive may present a viable alternative.
- Prepare for the worst: The less prepared a company is for a cyber-crisis, the more serious and difficult the impacts will be. However, it’s important to distinguish between a cyber security incident and a cyber crisis. A crisis is exceptional. It cannot be resolved by the usual processes and within the normal functioning realm of an organization. Employees involved in managing a crisis must step outside their usual roles and responsibilities. Most companies use the word “crisis” to describe incidents that they could manage without disrupting their practices. The difference between a crisis and a security incident requires a certain maturity and/or good training.
Stuart Reed, UK Director, Orange Cyberdefense