Amid COVID-19, hackers are presented with opportunity on multiple fronts. They play on people’s concerns about the virus by presenting phishing schemes or malware disguised in fake Centers for Disease Control and Prevention (CDC) alerts that talk about the latest vaccine or treatment developments. Hackers quickly used the pandemic and related anxiety to lure people into phishing schemes and malware attacks. There is also pressure on healthcare companies and researchers to safeguard their vaccine and treatment data. As of mid-July, there have been multiple reports of Russian and Chinese state-sponsored hackers attempting to steal coronavirus vaccine data from various labs.
Over the past few months, millions of workers, including state government employees, have turned their homes into remote offices, which brought a host of risks through the use of unsecured Wi-Fi and poor access controls. This shift toward home, together with the underlying panic brought on by COVID-19, redirected hackers’ focus toward the remote worker. Chief Information Security Officers (CISOs) preparing their companies for this change require time, training for employees and the right technology, as well as increased cooperation between the security teams and IT/network operations groups.
Contact tracing issues
Another opportunity for hacking during the pandemic comes with contact tracing. Hackers found contact tracing apps an ideal cover for phishing schemes, impersonating official tracing accounts via email. Legitimate apps themselves are also targets for hackers, who see them as a treasure trove of data with individual names and addresses as well as insights from contacts and movements.
For example, for people in high-value positions such as politicians or lawyers on important cases, information about their movements and meetings is valuable to opponents and easily sold by bad actors. Many of these apps lacked encrypted source code, and many had no intrusion detection in place when hackers accessed restricted mobile data.
Targeting remote workers
The massive shift toward remote work means more networks are accessed by employees on their own devices. Companies without a remote work component were left to scramble as shutdowns started, putting in place a patchwork of security protocols that often afforded little protection. Remote workers are enticing targets for hackers conducting data theft and ransomware.
As the pandemic continues, companies need to move past the initial shock and adopt Bring Your Own Device (BYOD) policies to handle the nature of remote work. This includes standards for data encryption, dual authentication, pass-phrases instead of passwords, and inactivity timeout controls to protect access during idle periods. IT also needs full remote wipe controls for lost devices, employee terminations and voluntary departures.
Security departments also responded to remote work by investing in VPN access, which brought with it the need for firewalls and gateway controls. Some firms took the step of using operations management tools to turn home computers into corporate-controlled machines managed by IT. Without endpoint management in place, the massive number of phones, tablets and computers accessing corporate networks is unmanageable and unsustainable. These issues also present compliance risks in cases where at-home workers access or store PII data and are subsequently duped by a “COVID-19 Cure” phishing email.
Additional safeguards for businesses during COVID-19 and beyond (since working from home is now a long-term trend):
- Put in place DDoS protections, since a DDoS attack can impact the entire remote workforce, which relies on accessing the company’s cloud platforms. More security-focused appliances are also needed in the cloud to support the infrastructure and protect against DDoS.
- Use multi-factor authentication (MFA) to reduce access points for hackers to intrude on home-based networks.
- Require employees to stay off public Wi-Fi networks, which provide easy entry points for hackers.
- Use monitoring tools to spot poor decisions such as clicking on suspect sites, downloading attachments from unverified senders and other detrimental choices.
- Use a secure search engine and communication platform, such as GOFBA, that shields users from malicious sites and malware.
Employees need guidance
On the people side, training is needed to bring at-home employees up to speed on the latest types of attacks and the proper defenses that are necessary during this period of enhanced hacker activity. Education is key. Employees need additional information about spotting fraudulent emails, and guidance not to click on links or download attachments from unfamiliar senders.
Provide guidance to the remote workers about the ways the World Health Organization (WHO) and CDC disseminate information, so they can spot legitimate data sources. Additional training tips for employees include:
- Mandates about use of VPNs to access company data and platforms.
- Automatic updating to close the security and patch gaps left by manual updating.
- IT and security should work together to communicate more frequently with remote employees about the latest tech implementations, best practices, and any shift in expectations from corporate.
Hackers unfortunately thrive on misery. They exploit people’s need for information in a crisis and the security holes caused by disruption. COVID-19 presents an unparalleled disruption, and CISOs and their teams will need continued vigilance in addition to the latest strategies for managing the challenges of remote workforces, protecting their networks and training staff members to do their part.