When COVID-19 meets cybercrime

By Philippe Riboton, Managing Director at HR Partners International Executive Search.

The large-scale adoption of work-from-home technologies, the increased activity on customer-facing networks and the greater use of online services all present fresh opportunities, which cyberattackers have been quick to exploit in order to capitalize on the crisis. According to the US Federal Trade Commission, by mid-August there had been more than 172,000 fraud reports in the US alone related to the pandemic itself. “The pandemic has created the perfect amount of fear, uncertainty, doubt and chaos”, said Keri Pearlson, the executive director of Cybersecurity at the MIT Sloan School of Management, at a recent conference. “The bad guys have upped the game, and we have to do the same.”

IT professionals I spoke to agree with Martin Konicek, CEO of itelligence Czech Republic, who says that “the ICT environments in a lot of companies were not prepared for such a quick change on the new normal. The peak of communication remotely created a window of opportunity for cybercrime individuals. Therefore phishing attacks, ransomware attacks, malspams and other forms of cybercrime are on all-time high.”

Rudolf Urbanek, the Country General Manager of Microsoft for the Czech Republic and Slovakia, has a front-row seat to what is going on: “what we see across many organizations, corporate IT systems and processes”, he told me, “is often defined and secured for a legacy environment, where most of the access is being done from internal private networks. The complexity of new devices applied, access through different networks, often from public spaces with Wi-Fi connectivity, raises the risk exposure.”

The phishing threat in particular is so large that Google’s Threat Analysis Group (TAG), a specialized team of security experts at Google trained to identify new vulnerabilities and threats across all Google products, blocked some 18 million COVID-19-themed malware and phishing Gmail messages per day in April 2020 (in addition to more than 240 million COVID-related spam messages). Some of you may have received such messages, which impersonated official links on tech platforms like Skype, Zoom and Google Meet with the clear intention of misleading their targets (a data breach affected more than 500,000 Zoom users in April this year).

As the TAG report dated April 22nd puts it: “we are seeing bad actors use COVID-related themes to create urgency so that people respond to phishing attacks and scams. Our security systems have detected examples ranging from solicitations for charities and NGOs, to messages that try to mimic employer communications to employees working from home, to websites posing as official government pages and public health agencies.” One such attack, called Netwalker, a strain of ransomware, recently used files with “coronavirus” in the name so that they looked important to users. Other recent attackers, for example, created an identical version of a map of global COVID-19 cases with embedded malware.

Such attackers attempt to gain information or access by tricking legitimate users into revealing their security credentials using text phishing (“smishing”), voice phishing (“vishing”) or SMSishing (the act of sending phishing messages via SMS text). Once installed via downloads, such malware applications typically either steal users’ confidential data (personal information, credit card information, etc.) or launch ransomware attacks, which can lock a user’s system until they pay a certain amount of money. To take just one example: a ransomware attack in June of this year forced the Japanese car manufacturer Honda to almost shut down its global operations, including factory operations.

Companies in general are equipped to answer this kind of threat. The trouble this time comes from the fact that people may react differently to this kind of solicitation while working from home, creating what experts call “work-from-home vulnerabilities”. Some might be exposed to unsecured remote connectivity to company data with improper authentication access (unprotected videoconference links or hacked videoconference passwords, for example, which can be used to access a company’s network) and unsafe cloud configurations. Others who are struggling from home to access data and systems might be tempted to bypass security controls, generating as a result new risks for themselves and increased vulnerability for their employers.

With millions of professionals working from home, companies face the challenge of mitigating the risks of remote access to sensitive data. Remedies include implementing multi-factor authentication in order to enable employees to adopt “hybrid working” in a safe manner, as well as learning new remote-working protocols and becoming better acquainted with procedures for threat identification and escalation.

COVID-19 and its implications in terms of cybersecurity and users’ vulnerability remind us that the switch toward remote working can’t take place without increased investment in and attention to cybersecurity challenges. “We’ve done two years of digital transformation in two weeks”, said Andrew Stanley, the Chief Information Security Officer at Mars, at a recent CIO conference. Proper cyber-education should therefore be put high on the list of companies’ priorities in order to raise people’s awareness of their responsibilities. One example is “bait-phishing” exercises, in which companies send a phishing-type email to their own employees to make sure they remain alert to potential scams. “In the end it is the responsibility of everybody in the management”, Martin Konicek says: “IT should come up with the technical solutions, HR should help create awareness and the top management should create conditions where needed measures can be implemented in a time and result effective way.”

“Beyond the pandemic, cybersecurity has shifted away from a perimeter-based security model where all assets inside a network are trusted”, said Rebecca McHale, vice president and chief information officer at Booz Allen, an American management and information technology consulting firm: “companies are now looking at protecting access to information and emphasizing identity as part of trust. Companies should adopt zero-trust architecture – the idea that individuals, devices and applications cannot be trusted by default, and need to be authenticated and authorized.”

The coming months are likely to bring more uncertainty, raising the challenge for IT professionals, and especially CISOs (Chief Information Security Officers), to protect against new cyberthreats and reinforce protection while maintaining business continuity.

As Rudolf Urbanek puts it: “many organizations need to come back to the discussion about overall hybrid workplace culture where cybersecurity should be part of it.”

Welcome to the post-COVID-19 world.