Graham Wedgbury ACII, cyber insurance specialist for Lycetts, looks at the escalation of cyber security attacks during the COVID-19 pandemic and outlines steps businesses can take to mitigate the risks
For the past six months, COVID-19 has been sending ripples across the world, impacting industries and individuals alike.
But whilst most have been grappling to get to grips with the pandemic and its economic fallout, some have been using the unprecedented global emergency to their advantage.
Cyber criminals have turned their attention to exploiting the COVID-19 pandemic, using businesses’ vulnerabilities and individuals’ fears to cash in.
By the end of March, more than 42,000 websites with domains containing “COVID” and “corona” had been created, according to a report from cybersecurity research firm Sophos Labs. Researchers say the bulk of the domains are either actively malicious or suspicious.
In addition, The World Health Organisation (WHO) reported a five-fold increase in the number of cyber attacks directed at its staff, as well as email scams targeting the public at large.
In April, some 450 active WHO email addresses and passwords were leaked online, along with thousands belonging to others working on the novel coronavirus response.
Scammers impersonating WHO in emails have also increasingly targeted the general public in order to channel donations to a fictitious fund and not the authentic COVID-19 Solidarity Response Fund.
Cyber criminals are ruthless in their pursuit of profit, and as businesses strive to stay afloat, it is important that vigilance is not replaced by distraction.
With more services moving online and the rise in home working looking to become a long-term trend, it is even more imperative that businesses tighten their defences and take fast and effective remedial action in the event of an attack.
The human is often the weakest link in the information security chain, so training is a good starting point before a loss occurs and is essential in the aftermath of a breach. Regardless of how the hacker got into the network, whether through an employee’s unfortunate click on an infected email or through a password attack, it is time to analyse employees’ cyber security awareness and provide training to ensure the likelihood of a recurrence is minimised.
During these unprecedented times, employees’ guard may be down and they may be more likely to fall victim to COVID-related ‘click bait’ emails that play on associated anxieties.
Employees should be made aware of the most common methods of increased cyber-attack activity, including:
- Phishing emails
- Emails that appear genuine, requesting the employee to install software onto their device.
- Special offers from commercial organisations offering free medical products (masks, tests, PPE).
- Information on a coronavirus cure.
- Offers of tax refunds or government financial aid.
- Safety advice purporting to come from the World Health Organization (WHO) or the Centers for Disease Control and Prevention (CDC).
- Emails from fake HR departments asking employees to complete a survey.
- Malicious websites promoting online diagnostic tools.
- Fake COVID-19 tracker smartphone apps endorsed by the government.
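The lure themes in the list above, together with the COVID/corona-named domains and WHO impersonation described earlier, translate directly into mail-triage indicators. The following is an added example, not code from the original article or from Lycetts: a small Python triage routine that checks a message's sender domain, display name and text against those themes and returns a verdict. The trusted-domain set, the keyword patterns and the three sample messages are constructed for illustration (example.com stands in for the organisation's own mail domain); a real deployment would tune the patterns against its own traffic.

```python
import re
from email.utils import parseaddr

# Domains this (hypothetical) organisation treats as genuine senders; example.com
# stands in for its own mail domain. Constructed for the example.
TRUSTED_DOMAINS = {"who.int", "cdc.gov", "example.com"}

# Keyword patterns for the lure themes listed on the page. Constructed for
# illustration; a real deployment would tune them against its own mail traffic.
BRAND_NAME = re.compile(r"world health organi[sz]ation|\bwho\b|centers? for disease control|\bcdc\b", re.I)
INSTALL_REQUEST = re.compile(r"\b(?:install|download|run)\b[^.]{0,60}\b(?:software|app|tool|update|tracker)\b", re.I)
FINANCIAL_LURE = re.compile(r"tax refund|financial aid|government grant|donat(?:e|ion)", re.I)
MEDICAL_LURE = re.compile(r"\b(?:cure|masks?|test kits?|ppe|diagnostic)\b", re.I)
HR_SENDER = re.compile(r"\b(?:hr|human resources)\b", re.I)
SURVEY = re.compile(r"\bsurvey\b", re.I)


def sender_domain(from_header: str) -> str:
    """Lower-cased domain of the address in a From: header ('' if none)."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def triage_email(from_header: str, subject: str, body: str) -> list[str]:
    """Return the lure indicators present in one message, in a fixed order."""
    display_name, _ = parseaddr(from_header)
    domain = sender_domain(from_header)
    external = domain not in TRUSTED_DOMAINS
    text = f"{subject}\n{body}"
    hits = []
    # Tens of thousands of COVID/corona-named domains appeared within weeks;
    # an unknown sender on such a domain is worth a second look.
    if external and re.search(r"covid|corona", domain):
        hits.append("covid_keyword_domain")
    # WHO or CDC named in the display name, but the mail was sent from elsewhere.
    if external and BRAND_NAME.search(display_name):
        hits.append("brand_impersonation")
    if INSTALL_REQUEST.search(text):
        hits.append("install_request")
    if FINANCIAL_LURE.search(text):
        hits.append("financial_lure")
    if MEDICAL_LURE.search(text):
        hits.append("medical_lure")
    # An "HR department" asking for a survey from outside the organisation.
    if external and HR_SENDER.search(display_name) and SURVEY.search(text):
        hits.append("fake_hr_survey")
    return hits


def verdict(hits: list[str]) -> str:
    """Impersonation alone is enough to quarantine; two themed lures likewise."""
    if "brand_impersonation" in hits or "fake_hr_survey" in hits or len(hits) >= 2:
        return "quarantine"
    return "flag" if hits else "deliver"


def triage_all(emails: list[dict]) -> dict[str, str]:
    """Map each message's From: header to its verdict."""
    return {m["from"]: verdict(triage_email(m["from"], m["subject"], m["body"])) for m in emails}


# Three constructed messages modelled on the lure themes above.
SAMPLE_EMAILS = [
    {
        "from": '"World Health Organization" <donations@covid19-relief-fund.example>',
        "subject": "Support the COVID-19 Solidarity Response Fund",
        "body": "Please donate today via the secure portal below.",
    },
    {
        "from": "HR Department <hr@example.com>",
        "subject": "Staff wellbeing survey",
        "body": "Please complete the attached survey by Friday.",
    },
    {
        "from": "alerts@corona-tracker-app.example",
        "subject": "Official government COVID tracker",
        "body": "Download the app to your phone now and install the tracker.",
    },
]

if __name__ == "__main__":
    for m in SAMPLE_EMAILS:
        print(f"{verdict(triage_email(m['from'], m['subject'], m['body'])):10} {m['from']}")
```

The genuine internal HR survey is delivered because its domain is trusted, while the WHO-branded donation request and the tracker-app lure are quarantined. The display-name check is deliberately narrow (a bare `who` in a subject line would otherwise be noisy), so the routine is a first-pass filter to surface messages for review, not a replacement for a mail gateway's own reputation and authentication checks.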
Defeat the Cyber Criminals
Once a system has been compromised, businesses not only face initial monetary loss but brand loyalty and reputation may also be sacrificed. If data protection laws have not been adhered to, a company may even face prosecution or hefty fines.
Therefore, the aim of every organisation should be to be proactive in their approach and put good practice and security controls at the heart of their cyber security strategy. These include the following:
- Continually raise awareness and remind your employees of the importance of computer security.
- Encourage and support your team with training, so they can identify threats and learn how to respond to them.
- Ensure that your employees back up their data regularly.
- Keep portable devices safe, e.g. use PIN/password protection or fingerprint/face recognition; keep device software updated; avoid public Wi-Fi hot spots and use 3G/4G or a VPN instead; replace any devices no longer supported by their manufacturers.
- Regularly update anti-virus software and update devices with the latest software patches. Only use approved software. Control access to removable media such as memory sticks, and ensure your firewall is always enabled.
- Avoid phishing attacks, scan for malware and change passwords if a successful attack is detected.
- Educate employees on common phishing tactics, e.g. tell them to look for poor spelling, grammar or images that may be indicative of a rogue email.
- Protect data using strong passwords and encryption. Use tools to prevent employees from using predictable passwords.
- Avoid sharing passwords.
- Have a tried and tested response plan ready in the event you do fall victim to an attack.
- Continually assess and test the robustness of your cyber defences.
- Learn from any incidents and update your defences.
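The control above that asks for tools to stop employees choosing predictable passwords is the one item in the list that reduces to a concrete check. What follows is an added example, not code from the original article or from Lycetts: a Python password-acceptance check that rejects candidates for the reasons such tools typically look for (too short, on a common-password list even after letter/digit substitutions, containing the organisation's name or the username, keyboard or alphabet runs, a year, or almost no character variety). The common-password set and the organisation word "acme" are constructed placeholders; a real deployment would use a large breached-password corpus and its own name.

```python
import re

# Constructed stand-in for a breached/common-password list; a real deployment
# would load a much larger published corpus. Assumption for the example.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "covid2020", "corona123"}
# Assumption: the organisation's own name(s), which staff predictably reuse.
ORG_WORDS = {"acme"}
KEYBOARD_ROWS = ("0123456789", "abcdefghijklmnopqrstuvwxyz", "qwertyuiop", "asdfghjkl", "zxcvbnm")
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})
MIN_LENGTH = 12


def normalise(password: str) -> str:
    """Lower-case and undo common letter/digit substitutions (P@ssw0rd -> password)."""
    return password.lower().translate(LEET)


def has_sequence(password: str, run: int = 4) -> bool:
    """True if a keyboard row, alphabet or digit run of `run` chars appears in either direction."""
    low = password.lower()
    for row in KEYBOARD_ROWS:
        for s in (row, row[::-1]):
            if any(s[i:i + run] in low for i in range(len(s) - run + 1)):
                return True
    return False


def check_password(password: str, username: str = "") -> list[str]:
    """Return the reasons a candidate password is predictable ([] means acceptable)."""
    forms = {password.lower(), normalise(password)}
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("too_short")
    # Substring match so "password2020" is caught, not only the bare word.
    if any(common in form for common in COMMON_PASSWORDS for form in forms):
        reasons.append("common_password")
    if any(word in form for word in ORG_WORDS for form in forms):
        reasons.append("contains_org_name")
    if len(username) >= 3 and any(username.lower() in form for form in forms):
        reasons.append("contains_username")
    if has_sequence(password):
        reasons.append("keyboard_sequence")
    if re.search(r"(?:19|20)\d\d", password):
        reasons.append("contains_year")
    if len(set(password)) <= 2:
        reasons.append("low_variety")
    return reasons


if __name__ == "__main__":
    for pw in ("P@ssw0rd2020", "Qwerty123456!", "jsmith2019!", "correct horse battery staple"):
        print(f"{pw!r}: {check_password(pw, username='jsmith') or 'ok'}")
```

The check runs on the plaintext candidate at the moment the user sets it, which is the only point a policy tool can see it; it should be wired into the account-creation and password-change paths rather than run against stored hashes. Length and list membership do most of the work, which is why a long passphrase passes while a substituted dictionary word with a year appended does not.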
Not just cushioning the blow
Specialist insurance is another aspect of cyber security and cyber resilience that businesses need to consider – though it is still vastly under-utilised by businesses.
According to the Cyber Security Breaches Survey, just one in ten (11%) of UK businesses say that they have a specific cyber security insurance policy, and a further 15% of businesses said they have previously considered but ruled out having cyber insurance.
Top reasons for not having cyber insurance include a lack of awareness of cyber insurance (23%) and considering themselves to have too low a risk to warrant it (22%).
Some organisations felt they already had enough funds to cover a loss due to a cyber attack, so did not see the need for insurance.
But insurance does not just serve as a monetary cushion. Many insurers and brokers are now helping customers with contingency planning, establishing an understanding of the implications of cyber breaches, evaluating risk, and putting security measures and crisis action plans in place, as well as providing swift legal and public relations advice post-breach.
The main thing that companies need to realise is that making their organisation completely impenetrable and invulnerable to cyber breaches is wholly unrealistic.
The COVID-19 pandemic has taught us that cyber criminals are relentless and will quickly evolve their criminal activity to cash in, even in times of crises. Therefore, all organisations, no matter what size, are vulnerable – and the attacks on a global organisation like WHO only serve to highlight this.
As we become more connected as a society and criminal methods become more aggressive, one thing is clear: complacency when it comes to cyber security is no longer an option.