Threat actors are seizing on the coronavirus outbreak to exploit the weakest link in cyber security – the human element. Aon’s Cyber Solutions offers some tips to help businesses stay safe against this latest cyber threat.
As the COVID-19 pandemic evolves, a new area of cyber risk has emerged and, as ever, malicious adversaries will be looking for every opportunity to take advantage of the situation.
The coronavirus outbreak has forced an abrupt change in the way day-to-day business is conducted. Self-isolation, work-from-home policies and limits on in-person meetings have created a heavier-than-usual reliance on virtual and electronic channels, and employees are turning to those same channels for information, advice and solutions to the practical challenges they face.
Most businesses have best-practice business continuity plans in place, but these are usually centered on key business systems, processes and working environments, and they tend to assume a relatively constrained interruption in terms of duration, geography or system. Businesses should not overlook the fact that attackers are actively exploiting human psychology to trick individuals into enabling the theft of sensitive information, money and access to private systems.
We know from our experience of keeping organisations secure and responding to major cyber events and data breaches that most security incidents have a human element, whether a simple error, an honest mistake or negligence. A single small human error can lead to painful loss and damage to a business and its reputation. The following are some examples to keep in mind as the coronavirus outbreak continues to evolve.
Malicious attachments and malware:
- Malicious attachments and links, and how to spot them, are part of every cyber security training programme, but that training normally takes place in a controlled environment. Employees primed to expect these lures in a training exercise will usually choose the correct action and leave the attachment unopened. Yet there have been numerous reports of ‘health campaigns’ that distribute emails with malicious attachments, purporting to come from official sources with guidance or information on coronavirus. The World Health Organization (WHO) has issued official guidance warning that criminals are impersonating the WHO to carry out attacks and scams. Criminals are also exploiting people’s hunger for coronavirus information, and the speed and frequency at which they want it, to induce them to do things they would not do in other circumstances.
- Employees are actively looking for, and expect, this information from their employer, and may inherently trust communications that look authentic and contain information they are keen to hear. Imagine an attacker sending a genuine-looking email to your employees titled ‘Office to close for two weeks – see attachment for details’ or ‘As a result of COVID-19, all business travel cancelled – here’s a link to our travel booking site to make changes.’ Outside a controlled office environment, and with information that people are desperate to get hold of, mistakes will be made.
Phishing, vishing and smishing:
- These are attempts by a bad actor to obtain an individual’s credentials or other sensitive information through email (phishing), voice calls (vishing) or SMS (smishing). Many bad actors will use COVID-19 to trick employees into handing over their credentials by convincing them that the information is genuinely required by their business. Attackers scour open-source information on companies and individual employees for weaknesses they can exploit, learning who works where and in what role, and guessing email address formats with accuracy.
- An attacker might impersonate a trusted third-party supplier, such as a travel partner, that the business would be expected to lean on at this time. They might also purport to offer a service the business needs for its Business Continuity Plan; a malicious call can be concealed among the wave of promotional pitches that employees receive in their roles. Alternatively, employees may receive an SMS message from someone claiming to be from the IT help desk, ‘confirming’ that all employees have VPN access. If successful, the attacker gains sensitive information or credentials, and possibly access to your network and critical systems.
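The two sections above describe the same lure from two angles: a message that looks like it comes from an official source (WHO, the employer, a supplier) and carries either a malicious attachment or a credential-harvesting link. The script below is an added example, not Aon’s code or tooling, showing the checks a mail-security or SOC engineer would run on such a message before a user ever sees it: display-name impersonation of a trusted organisation from an untrusted domain, a Reply-To that diverts replies elsewhere, a lookalike sender domain (homoglyph swap such as wh0.int, or a brand token such as who-covid19-update.com), executable or archive attachments hiding behind a document-style double extension, and HTML links whose visible text names one host while the href points to another. The trusted-domain list, the hypothetical employer domain example-corp.com and both sample messages are constructed for this example; only who.int is a real domain.

```python
from __future__ import annotations

import re
from email import message_from_string, policy
from email.utils import parseaddr
from pathlib import PurePosixPath
from urllib.parse import urlparse

# Organisations the recipient trusts, keyed by the domain they really send from,
# with the names an impersonator would put in the display name. Assumption for
# this example: who.int for the WHO plus a hypothetical employer domain.
TRUSTED = {
    "who.int": ("world health organization", "world health organisation", "who"),
    "example-corp.com": ("example corp", "it help desk"),
}
RISKY_EXT = {".exe", ".scr", ".js", ".vbs", ".hta", ".docm", ".xlsm", ".iso", ".zip"}
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
# Digits that attackers swap in for letters in lookalike domains, e.g. wh0.int
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})
_ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
_SHOWN_HOST = re.compile(r"^(?:https?://)?([\w.-]+\.[a-z]{2,})(?:[/:]|$)")

def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def _is_trusted(domain: str, real: str) -> bool:
    return domain == real or domain.endswith("." + real)

def impersonated_org(display_name: str, domain: str) -> str | None:
    """Trusted domain whose organisation name is in the display name while the
    mail actually comes from somewhere else; None if nothing is impersonated."""
    text = display_name.lower()
    words = set(re.findall(r"[a-z]+", text))
    for real, names in TRUSTED.items():
        if not _is_trusted(domain, real) and any(
            (n in text) if " " in n else (n in words) for n in names
        ):
            return real
    return None

def lookalike_of(domain: str) -> str | None:
    """Trusted domain imitated by homoglyph swap (wh0.int) or by carrying the
    brand as a label (who-covid19-update.com); None for trusted or unrelated."""
    if any(_is_trusted(domain, real) for real in TRUSTED):
        return None
    folded = domain.translate(HOMOGLYPHS)
    sld = domain.split(".")[-2] if "." in domain else domain
    parts = set(sld.split("-")) | {sld.replace("-", "")}
    for real in TRUSTED:
        if folded == real or real.split(".")[0].replace("-", "") in parts:
            return real
    return None

def risky_attachments(msg) -> list[str]:
    """Attachments whose final extension is executable or an archive, noting
    document-style double extensions such as advice.pdf.exe."""
    flagged = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        suffixes = PurePosixPath(name).suffixes
        if suffixes and suffixes[-1] in RISKY_EXT:
            double = len(suffixes) > 1 and suffixes[-2] in DOC_EXT
            flagged.append(f"{name} ({'double extension' if double else 'risky type'})")
    return flagged

def mismatched_links(html: str) -> list[tuple[str, str]]:
    """(visible text, href) pairs where the text names a different host than
    the link really goes to. Regex-based, which is adequate for mail triage."""
    out = []
    for href, text in _ANCHOR.findall(html):
        text = re.sub(r"<[^>]+>", "", text).strip()
        shown = _SHOWN_HOST.match(text.lower())
        host = (urlparse(href).hostname or "").lower()
        if shown and shown.group(1) != host and not host.endswith("." + shown.group(1)):
            out.append((text, href))
    return out

def triage(raw: str) -> list[str]:
    """Parse one RFC 822 message and return human-readable findings (empty = clean)."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(addr)
    findings = []
    if org := impersonated_org(name, from_dom):
        findings.append(f"display name impersonates {org} but sender domain is {from_dom}")
    if real := lookalike_of(from_dom):
        findings.append(f"sender domain {from_dom} resembles trusted domain {real}")
    reply_dom = _domain(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    findings += [f"risky attachment {a}" for a in risky_attachments(msg)]
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        findings += [f"link text shows {t} but points to {h}" for t, h in mismatched_links(body.get_content())]
    return findings

# Constructed sample messages (not real mail): one lure of the kind described above, one benign notice.
LURE = """\
From: "World Health Organization" <alerts@who-covid19-update.com>
Reply-To: info@covid-response-desk.net
To: staff@example-corp.com
Subject: Office to close for two weeks - see attachment for details
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Latest guidance: <a href="http://who-covid19-update.com/login">https://www.who.int/emergencies/covid-19</a></p>
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="covid19_advice.pdf.exe"
Content-Transfer-Encoding: base64

Q09OU1RSVUNURUQgU0FNUExF
--b1--
"""
BENIGN = """\
From: "Example Corp HR" <hr@example-corp.com>
To: staff@example-corp.com
Subject: Updated working-from-home guidance
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p>See the intranet: <a href="https://intranet.example-corp.com/wfh">https://intranet.example-corp.com/wfh</a></p>
"""
```

Running `triage(LURE)` produces five findings (impersonated display name, lookalike domain, diverted Reply-To, double-extension executable, link text that disagrees with its href), while `triage(BENIGN)` returns an empty list. These are heuristics: DMARC/DKIM alignment results, sandbox detonation of the attachment and reputation data for the link host belong alongside them in a real gateway, and the trusted-organisation list has to be maintained per business. The point is that every one of these signals is visible in the headers and body before a user is asked to exercise judgement under pressure.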
Remote work and working from home:
- Some businesses allow employees the option to work remotely or from home. Moving away from an in-person workplace, however, opens new avenues for attack, and attackers may find it easier to succeed when people can no longer validate requests face to face.
- Employees will be relying on voice, text or other alternative channels such as social media that are unfamiliar in this context, giving social engineering and impersonation scams a greater chance of success. They may seek workarounds to IT policies or best practice, such as connecting to corporate networks from personal devices, or using corporate devices at home for large amounts of personal business and browsing for coronavirus information. Working from home may also drive employees to connect to new and potentially unsecured wireless networks in homes, coffee shops and on the road, in far greater numbers than the business has encountered before. The IT help desk will likely be under pressure to relax policies: employees working from home might, for example, ask for USB device restrictions to be lifted so that they can print documents at a local print shop. It is easy to imagine the pressures of working from home leading to such a concession, removing a previously effective control.
Preparedness is key – and good cyber resilience includes keeping your employees informed on the latest threats.
You can help them recognize the emerging scenarios they might see in the coming weeks and months, and you should continue to drive home the message that communications from senders they don’t recognize should be treated with caution, and that they should not open links or attachments, or enter credentials, at the request of an untrusted sender.
At a time of heightened business and technology stress, we recommend that businesses review their cyber defenses and keep their staff informed of evolving threats so that they are less likely to fall victim to yet another phishing attack, a Trickbot infection or a ransomware trojan.
Read our recent Risk Alert for more information on cyber risk implications of the coronavirus outbreak.
If you or your business have reason to believe that you have been compromised, contact Aon to help you identify and mitigate the risk to your organization.
CyQu (Cyber Quotient Evaluation) from Aon is an award-winning cyber risk assessment platform.
This material has been prepared for informational purposes only and should not be relied on for any other purpose. You should consult with your own legal and information security advisors or IT Department before implementing any recommendation or guidance provided herein.