The cybercriminal is not one for missing out on an opportunity and COVID-19, aka the Coronavirus, is proving a tempting prospect…
At the time of writing, there were about 114,000 cases of COVID-19 infected people across the world. The UK, so far, has been relatively mildly affected. However, this does not stop the fraudster from taking advantage while the chips are down.
One of the most recent examples, where scammers have played on our fear, uncertainty, and doubt around COVID-19, was identified by security vendor Malwarebytes. The researchers found a website showing a map of coronavirus cases across the world, that was infected with malware. The infected website is a spoof of the real Johns Hopkins University corona map site. It looks exactly like the real one; go to the map with a vulnerability in your browser and hey presto, you’re infected, perhaps not with COVID-19 but with an altogether different virus.
This brings me to the main point of this article. Why security hygiene and security awareness is as important as washing your hands while we deal with the Coronavirus…
Coronavirus Phishing and Other Scams
The Defence Works has already warned of Coronavirus phishing campaigns in the wild. Back in early February, we described phishing emails, doing the rounds, that were using people’s fear of the virus to encourage a click on a phishing link. The emails took the form of a World Health Organization (WHO) branded email with a link to a spoof login page that attempted to steal login credentials.
Since then, more of the same type of phishing email campaigns, based on COVID-19 fear tactics, have started to appear. Elaborate scams are also doing the rounds. Like the ‘face mask scams’ which have resulted in a loss of £800,000 across the UK in just a few weeks. The scam revolved around fraudulent online websites selling protective masks. The National Fraud Intelligence Bureau (NFIB) has also warned about increasing numbers of Coronavirus themed phishing emails.
Remote workers and COVID-19
One of the possible upsides of COVID-19 is the opportunity to work from home! Some of the giant tech companies have already sent employees home to work remotely. This includes Google as well as Facebook, which recently closed its London office due to an employee with COVID-19. Many companies will follow their example as the prediction of the virus affecting larger numbers in the UK, hits home, and/or the government mandates it, wherever possible.
Remote working, however, brings with it security challenges:
INSECURE CONNECTIONS BACK TO BASE
We outlined some of these issues in our paper on using public wi-fi safely. However, the problems of insecure connectivity can be many-fold. Seemingly secure home Wi-Fi networks may not be as secure as you think. Routers, that specifically target the home office user, have been found to have vulnerabilities that certain malware exploits. Over half a million home routers were infected with a malware called VPNFilter in 2019. The malware was able to intercept data and steal personal information and login credentials.
INSECURE MOBILE DEVICES
When working from home, it might be tempting to use a mobile device to connect back to the office or pick up work emails. According to Checkpoint, there was a 50% increase in malware affecting smartphones in 2019. One of the issues of staff using their own devices is that the IT department doesn’t have as much control over what is installed on that device – the industry calls this “Shadow IT”. Remote working can result in staff installing apps that they like to use rather than what an organization has deemed appropriate to use. This has the potential for security gaps to open up.
MALICIOUS AND ACCIDENTAL INSIDERS (ON THE OUTSIDE)
Remote working means that you have potentially fewer controls over what employees do. If a malicious employee decides to steal data, doing it from home could make it easier.
Accidental loss of data is also a problem. A report on mobile device theft and loss found that 69% of mobile devices are misplaced with 31% being stolen from cars, homes, etc. If the device has unprotected data on it, even in the form of emails or messages, this is not only bad for your organization’s reputation, but it could make you non-compliant with data privacy and protection laws.
Tips to Good Security Hygiene for Remote Workers
As well as washing your hands regularly and avoiding touching your face, employees should practise good security hygiene when working remotely. Some top tips to secure home working are:
REMOTE WORKING SECURITY POLICY
A good place to start is to make sure your security policy extends to a home working environment. This allows you to plan out your response to potential security threats against remote workers. This will stand you in good stead for the future when employees decide they like working from home and try and negotiate a remote work clause in a contract. This is a real possibility as a poll on attitudes towards remote working found that 99% of employees would love to work remotely at least part-time.
TRAIN YOUR STAFF ON SECURITY MATTERS
Security awareness training is vital at work and at home. Teach your staff how to spot phishing campaigns that target them using their fear of the COVID-19 virus. These campaigns try to trick users into clicking malicious links or downloading infected attachments.
Good security hygiene is also about using robust passwords and not sharing them; this extends to preventing family members or housemates from seeing passwords by shoulder surfing.
APPROPRIATE TECHNOLOGY TO SUPPORT SECURITY HYGIENE
Technology should be used to help harden any potential areas of weakness when staff work from home. This can include:
- Hard disk encryption on laptops
- Robust authentication, such as using two-factors rather than just passwords for logging into corporate apps. Also, only give access to corporate data on a need to know basis.
- Anti-malware on all devices (including smartphones)
- A virtual private network (VPN) or mobile router for use when staff are not able to use a secure WI-FI connection
COVID-19 is not yet a Zombie Apocalypse. However, unless we tighten up our security hygiene for remote workers, we may end up with a pandemic of data breaches.
If you’d like to see how a security awareness training programme can help secure your remote workforce, sign up for a free demo here.
Subscribe to the Proofpoint Blog