How Bad Actors Played the Pandemic: What COVID Taught Us About Online Security

The height of COVID-19 was a stressful time for people across the globe. But with all of the challenges that the pandemic brought, it can be easy to overlook how it impacted online security. Let’s take a look at how bad actors played the pandemic, and what we can learn moving forward into the post-pandemic world.

First, let’s take a look at some of the stats.

Increase in Online Attacks & Scams: 

  • In April 2020, Swissinfo.ch reported figures from the NCSC (National Cyber Security Center) showing that there were 350 reported cases of cyberattacks (phishing, fraudulent websites, direct attacks on companies, etc.), compared to the usual 100-150.
  • In the first half of 2020, HC3 issued notices for over 35k malicious COVID-19 websites (CISA.gov). 
  • In April 2020, Google reported it blocked 18 million phishing and malware emails each day (CISA.gov). 
  • According to Representative Emanuel Cleaver at a June 2020 U.S. government hearing, the FBI saw a 75 percent increase in daily cybercrimes since the start of the pandemic. Surprisingly, the number was lower than the spike seen earlier in the pandemic, when cybercrime reports had quadrupled.

Financial Impacts: 

  • The average cost of a data breach resulting from remote working can be as much as $137,000. (Deloitte)
  • From January to July 2020, the City of London Police reported that more than 11 million GBP had been lost due to online COVID-19 scams (ActionFraud). 

New Demands: 

  • A survey of existing cybersecurity professionals found that over 80% have witnessed a change in their day‐to‐day job responsibilities due to COVID‐19 (Apprenticeship.gov). 

The COVID-19 Security Landscape & Its Impacts

While the types of online security attacks didn’t change all that much during the pandemic, the frequency of attacks did, making the security landscape more treacherous for new at-home workers who relied heavily on personal networks and devices. Even video chat systems put some companies at risk because few of their security functions were enabled by default.

As a result of these changes, many organizations established more advanced cybersecurity infrastructures to inhibit growing threats such as increases in spam and malware, impersonations, ransomware, and more. Some of these changes included new security policies and tools, additional training, and more security hires. 

While some businesses were accustomed to a mostly-remote workforce, others did not have a lot of the needed tools in place to support at-home workers. For example, new VPNs needed to be set up, new password rules enforced, and BYOD (bring your own device) and MDM (mobile device management) policies created or beefed up. The healthcare sector, in particular, was hit hard, as remote security threats were constant.

Bad actors knew people would be searching for medical information and services–making this industry an easy target. Banks and insurance companies, which typically operate on more traditional (older) technologies and infrastructures, were also frequent targets. 

Looking to the Future

So what can we learn from these recent events? Though the threat of COVID-19 is dissipating, we don’t know when or if there will be another pandemic and health crisis, and threat actors are always looking for their next big opportunity–whatever it may be. It’s important that your business is prepared to meet any looming security threat. 

In addition, COVID-19 has had long-lasting impacts. A large number of global employees are permanently remote, meaning we should all continue to stay vigilant around similar security risks.

Here are a few ways you can keep your remote (and in-office) employees safe:

Employees (including executive staff) should undergo regular training on best practices and procedures around email and online security.

One of the best ways to train employees on email security is to send false phishing emails and test to see if they report them as such. Any employee who fails the test should undergo additional individual security training. 

CISOs and CIOs should consider implementing a zero-trust approach to cybersecurity. This means only authenticated and authorized users and devices are permitted access to data and applications. No trust is granted by default.

In addition to ensuring they have a strong password set up for their home Wi-Fi network, employees should also use a VPN set up by their company for an added layer of protection.

Antivirus software isn’t all-encompassing, but it can act as a good first barrier against low-level attacks.

For every IT system, there’s at least one weakness. Ensure your team is testing and finding critical vulnerabilities through regular penetration testing exercises.

Your teams should be evaluating your crisis plans, business continuity plans, and cybersecurity policies every six months at a minimum. With new threats appearing regularly, anything else is too risky.

Consider testing and implementing advanced email security tools to ensure your teams are well protected–wherever they work.

How can you implement email security best practices and tools, including a phishing simulator and DMARC protection?