Top COVID-19 Cybersecurity Scams to Watch For — and How to Mitigate Them

When companies first started implementing BYOD policies in the workplace in the early 2000s, CIOs and other executives were compelled to consider the implications of company data accessed from personal devices. If BYOD warmed cybersecurity teams up to blurring the lines between business and personal — today’s remote workforce challenge is the main event. Here are the top COVID-19 cybersecurity scams to watch for, and how to mitigate them.

Main Event Today – Cybersecurity (be like Nike) Just Do It

IT teams are now tasked with eliminating the boundaries between our work and personal technologies and communicating new priorities to employees across lines of business.

The COVID-19 pandemic exponentially increased the surface area of digital threat landscapes across organizations. Now, as remote work potentially disconnects IT teams and disrupts cybersecurity processes, hackers are taking advantage of the opportunity to use the coronavirus as a weapon in cyberattacks.

Cybersecurity Schemes Working Right Now. Is this you?

New phishing schemes tell email users to register their names and social security numbers to receive free COVID testing or click links to websites with a variation of “corona map” in the URL and navigate to sites scraped from the CDC or Johns Hopkins.

Citizens today are increasingly vulnerable to requests for personally identifiable information (PII). Your personal information creates a unique opportunity for cybercriminals to access personal — and ultimately your company — data.

There is Money Sitting on the Couch and the Window is Open

With the government on the brink of paying out two trillion dollars in checks to U.S. citizens as part of the stimulus package, expect the hackers. These hackers are just waiting to pounce on confused and scrambling recipients, resulting in even more fraud and spam over the coming months. Seriously, you don’t have to be afraid — just get prepared.


cybersecurity
You don’t have to be afraid — just get prepared

Business and Site Security

Businesses that haven’t proactively built out sophisticated cloud backup systems and implemented disaster recovery plans are at risk.

In a landscape where threat vectors are dispersed across the personal and business devices of every employee in your organization, getting hacked is no longer a possibility — it is an expectation.

Since most companies take nearly six months to detect a data breach, many organizations’ data may already be compromised. But a few simple tweaks to your processes can help your organization better detect, prevent and recover from an inevitable breach.

What’s different about COVID scamming?

Responding to COVID-19 cybersecurity threats is a novel challenge in its own right.

Fortunately, we’re not seeing significantly different types of scams: Email phishing, Trojan malware and spoofed sites continue to dominate the threat landscape. If your company has developed a sophisticated strategy to prevent these types of breaches, you’re already headed in the right direction.

Why are cybersecurity problems different right now?

These threats, however, have never converged with world events and conditional factors such as newly remote workforces and public health standards. While managed service providers (MSPs) are typically successful at securing the physical perimeter defined by office space, IT professionals typically lack oversight into individual employees’ behaviors at home.

Home Environment — the fam.

Even with visibility into employee processes via work computers, you can’t monitor family behavior — a kid downloading a game using home internet, for example, can leave other devices vulnerable to an attack.

In addition, employees access work email from mobile phones now more than ever, and March saw a 300% spike in business app downloads as consumers flocked to productivity apps related to remote or teleworking, fitness and education.

With the increased dependency on mobile apps for collaboration and communication, attackers have latched onto this new vector by embedding trojans into apps posing as free video conferencing providers.

Your cybersecurity may come from video conferencing where a hacker can access user data through backdoor channels like search history, passwords and email addresses. With users flipping between various news sources throughout the day, supplying employees with an understanding of safe apps to download is critical.

Unprepared companies must simultaneously create and implement response plans, often doing so after a security event has already occurred.

Even Google algorithms struggle with delays in email antivirus protection. Antivirus software relies on real-time machine learning.  For example, an algorithm can quickly flag a sketchy email directing a user to sign in to eBay — but they don’t have the legacy data to differentiate which of the COVID emails flooding our inboxes are legitimate and which are not.

What About Domains and Certificates?

Hackers can easily create hundreds of domain names and obtain SSL certificates for spoofed websites within a few minutes. Assuming thousands of hackers are doing this at the same time, it may take Google — and the rest of us — a while to catch up.

Given the reality that business data is more vulnerable than ever, what precautions should all companies be taking to mitigate these unique risks?

Focus areas for safeguarding company data.

COVID-19 has forced an essential point: If cybersecurity wasn’t a 2020 business priority before, it needs to be now. With the average cost of a data breach, this year set to exceed $150 million, avoiding a damaging breach — hinges on your ability to navigate new security concerns.

Even in a stressed environment, your security protocols don’t need to change dramatically.

If you’re missing any of these critical cybersecurity elements, you need to take action now to mitigate the risk of a breach going forward:

  • Focus on the basics.Though the number of attempted attacks will continue to increase, the main attack vectors remain the same. Protecting your employees from phishing emails that compromise their credentials should be your top concern.All cloud applications should be bolstered by secure multi-factor authentication (MFA) tools. As much as possible, enable MFA for employees by default and opt for apps that offer single sign-on (SSO) capabilities.
  • Start deploying password management toolsInsist on the deployment of password management tools for both personal and business apps. In the same way that your essential security capabilities should include MFA and SSO tools, your bare-minimum toolkit must include password management capabilities.When your organization requires passwords that are both complex and changed frequently, you’re much less likely to experience credential stuffing. Credential stuffing is a tactic in which attackers gain credentials by purchasing records for sale on the Dark Web.
    Research on compromised credentials on the Dark Web by Kaseya company ID Agent found that disturbingly, names are the most common types of password, with “George” ringing in as the most popular name password. (Ya know, just don’t!)
  • Change and reinforce “best” employee cybersecurity behavior as much as possible.While the first phase of COVID response largely required forced change management — teams had a day or week to adapt and adjust policies. The next phase of response must reinforce and reward good cybersecurity practices as the new normal.For your organization to prepare for and respond to an attack, employees across your organization need upskilling through quality training programs.
    Your best training programs will include phishing simulations, incident response training and safe internet habits.

    Remember, employee security training doesn’t need to be lengthy and tedious to be effective: Keep training concise, brief, and focused. Then focus on rewarding good behavior.

Conclusion

Effective cybersecurity scams rely on fear and a lack of information to succeed. As humans, we’re driven by our innate desire to click links that promise more information or safety.

More than ever, company leadership has a responsibility to educate their workforce about how to succeed outside the office. Arm employees with tools and policies that address pain points.

With basic defenses, effective communication, and behavior modification, even companies without advanced threat detection systems can greatly reduce their chances of attack, and set themselves up for success today and down the line.

Kevin Lancaster

Kevin Lancaster

Kevin Lancaster is General Manager of Security Solutions for Kaseya and CEO of ID Agent, a Kaseya company. He is passionate about offering enterprise-grade cybersecurity to small and mid-sized businesses and helping to protect and restore the identities of those who are targeted by bad actors. Recognized twice as SmartCEO’s Future 50 and featured four times on Inc. 5000, the annual ranking of the fastest-growing private companies in America, Kevin frequently speaks to domestic and international audiences on hacking, data breach response, privacy, identity monitoring, cybersecurity and the Dark Web.

Source

Leave a Reply

%d bloggers like this: