Cybersecurity and the Covid Pandemic

The pandemic has caused millions of employees to work remotely. Whether through government regulations, periods of lockdown, quarantine, social distancing, or other methods of avoiding exposure to the virus, conducting one’s work from home has become the “new normal.” And even after it was possible to go back to work, many employees requested to continue working remotely or on a flexible schedule. This has resulted in online infrastructure becoming the core hub for communication, commerce, working, and learning.

Harvest Time for Hackers

According to a study by ISSA (Information Systems Security Association International), cyber-attacks have increased by 63% during the pandemic.1 Further, according to a recent international survey from SailPoint Technologies Holdings, Inc., 48% of U.S. participants said they had been targeted with phishing emails, calls, or text messages, both personally and professionally, over the course of six months of working from home. In addition, more than half of those polled in Europe, the Middle East, Africa, Australia, and New Zealand reported being phished during the pandemic, with 10% reporting phishing attempts at least once a week.2 The pandemic has been good to hackers, online scammers, and other cyber criminals, allowing them a multitude of opportunities to profit from the current state of affairs.

How Hacking Works

Various types of hacking are common. Phishing is where the attacker sends a fraudulent message that is intended to trick the victim into providing sensitive information or allowing malicious software into the victim’s system.

One example is when hackers target employees with malicious links embedded in carefully crafted emails. The email may, on initial glance, look like a notification from Amazon or Facebook, or even from a friend or family member.

At times, phishers may send an email that looks like it contains a link to information regarding the pandemic, thus exploiting people’s desire to stay informed. Upon clicking on the link, employees may give information they shouldn’t, or unknowingly download a virus like keylogging software onto their computers, providing their credentials to hackers. Cyber criminals can then freely access important business assets and data, masquerading as the employee whose credentials they stole. Another type of phishing is ransomware, where hackers take down a computer system, steal the data, and ask for a ransom to give it back. Hospitals, being currently overwhelmed by an influx of COVID-19 patients, are prime targets for hackers who would seek to hold them ransom by disabling their computer systems.

Another example of hacking has been the series of cyberattacks on video conferencing services. Between February 2020 and May 2020, over half a million people were affected by breaches in which the personal data of video conferencing services users (such as names, passwords, and email addresses) was stolen and sold on the dark web. To execute such attacks, hackers often use a tool called “OpenBullet.” OpenBullet is a free web-testing software that enables developers to perform specific requests on target webpages. With this program, they can run automatic penetration testing, trying one potential password after another until they manage to get through.3

Hackers may also employ a technique called “credential stuffing” to gain access to employees’ information. The stolen data can then be sold to other cyber criminals. In credential stuffing, hackers use previously stolen combinations of usernames and passwords to gain access to other accounts. It is exceedingly common for individuals to use the same usernames and passwords across multiple accounts on multiple websites. After all, usernames and passwords can be difficult to remember if each one is different.

Who are the Hackers?

We often think of hackers as career cybercriminals who are taking advantage of the reduction in cybersecurity, but there are other categories of hackers to keep in mind. Sometimes hackers may be malicious employees who, while working from home with less supervision and fewer technical controls, may be tempted to carry out fraud or other criminal activity. There are also what are called “hacktivists,” hackers who are fighting for social and political issues. Another group are “script kiddies,” hackers with less technical skills, who are testing out cyberattack software on a variety of organizations as practice to improve their skills.4

How to Harden the Target

Companies and their employees can increase cybersecurity through the following methods:

  1. For all work-related computers, employers should provide their employees with antivirus and malware software. While this protection is not foolproof, it will prevent most low-level attacks.
  2. Employers should brief their staff on best practices and procedures to regulate the sending of emails or other content to private email addresses and/or cloud storage.
  3. Employees should be ever on-guard when receiving emails and should check the authenticity of the sender’s address. For example, an email may claim that it is from Amazon regarding someone’s account, and asking them to sign in. It is important to look at the sender’s email address. Does it look like the email actually came from Amazon, or is it from some other source?
  4. Employees should ensure that their home Wi-Fi is protected by a strong password. Strong passwords should be long, should not be words from the dictionary, and should include a mix of letters, numbers, and special characters. They should not be reused.
  5. There are also password managers that can be helpful for securing passwords, such as Dashlane, which can keep track of passwords for employees and homes.
  6. Use a VPN. Virtual private networks add a further layer of protection to internet use from home by making an employee access company programs through what is effectively a cyber-tunnel. While they do not prevent cyberattacks on their own, they can be useful as an extra barrier for hackers. (They can also be difficult to access and significantly slow down computer programs.)
  7. Use cloud-based software for systems, documents, and storage. Typically, reputable companies that store information have higher levels of security, encryption, and protection than is possible for a small company to create on its own. Also, cloud-based systems are updated more regularly.
  8. And while we’re talking about updating, employees should regularly download updates to both their hardware and software. Failing to do this is one of the most common reasons that cyber-attacks succeed.
  9. Identify weak spots. Because all IT systems have weaknesses, companies should regularly run tests to identify those vulnerabilities and fix them as soon as possible. This can take the form of vulnerability scanning, or various types of penetration testing exercises. Hardware and software need to be regularly updated and have proper protections in place.
  10. Lastly, consult cybersecurity professionals for advice on protecting valuable data and systems.

_________________________________________

1 Leslie Kesselring, Information Systems Security Association International (ISSA), The Impact of the COVID-19 Pandemic on Cybersecurity, Available at: https://www.issa.org/the-impact-of-the-covid-19-pandemic-on-cybersecurity/

2 IEEE, Innovation at Work, How the COVID-19 Pandemic is Impacting Cyber Security Worldwide,
Available at https://innovationatwork.ieee.org/how-the-covid-19-pandemic-is-impacting-cyber-security-worldwide/

3 Cedric Pernet, Fyodor Yarochkin, and Vladimir Kropotov, Trend Micro, How Cybercriminals Abuse OpenBullet for Credential Stuffing, Available at https://www.trendmicro.com/en_us/research/21/d/how-cybercriminals-abuse-openbullet-for-credential-stuffing-.html

4 Cedric Nabe, Deloitte, Impact of COVID-19 on Cybersecurity
Available at https://www2.deloitte.com/ch/en/pages/risk/articles/impact-covid-cybersecurity.html

Featured Image by Rebecca Sidebotham.

Because of the generality of the information on this site, it may not apply to a given place, time, or set of facts. It is not intended to be legal advice, and should not be acted upon without specific legal advice based on particular situations