Stephen Burke, CEO and founder of Cyber Risk Aware, discusses how organisations can do their own ‘health check’, train their employees in real-time and adopt cybersecurity best practice in the wake of the COVID-19 pandemic
A recent Europol report highlights that ‘cybercriminals have been among the most adept at exploiting the COVID-19 pandemic for the various scams and attacks they carry out’. The same report notes that phishing and ransomware campaigns are being launched to exploit the current crisis and predicts that they will continue to increase in scope and scale.
Much of this increase is because of the momentous shift to remote working: the majority of the world’s office-based business is now being operated by individuals from home. Many organisations had already set up the foundations of a remote infrastructure, but none could prepare for the sheer enormity of the shift. The fact is that the change of location, taking workers into a virtual world, has propelled them onto the frontline as targets of cybercrime.
Just as with any big shift, cracks will appear, and the cybercriminal is ready and honed like a nasty virtual athlete to jump on every vulnerability. Many reports have suggested that cybercrime has increased by up to 80%. Within hours of the first indication that COVID-19 may have severe consequences, the cybercriminal was using his favourite and most effective method – the phishing attack.
Get your priorities right
The attacks are coming thick and fast. In March it was reported that one of the largest COVID-19 testing centres, the Brno University Hospital in the Czech Republic, was forced to close as a result of a ransomware attack. In April, Google reported that it had blocked over 126 million phishing scams. Organisations need to get their priorities in order: they need to stop worrying about uniform Zoom backgrounds or office quizzes to keep up morale, and start arming their people with cybersecurity awareness training so that they don’t become prey to the next attack. The hard fact is that over 90% of data breaches occur because of human error, and that error is the fault of the organisation that doesn’t train its staff.
Human cybersecurity risks need to go to the top of the priority list. Organisations need to stop putting security awareness training budgets behind Zoom training sessions and channel them into cyber risk awareness training. That training ideally needs to be in real-time: scheduled training sessions are not half as effective as training on the job.
The easiest way to do this is to ‘health check’ your organisation: try a free live phishing trial across your network. This can be done very easily: Cyber Risk Aware’s free COVID-19 Phishing Tests help businesses defend their network against increased cyber threats during this coronavirus pandemic period. Now more than ever, an organisation should run simulated phishing tests to raise awareness of what a real attack will look like and inform staff what to do in the event of receiving a suspicious email.
Best Cyber Security Awareness practice
Organisations also need to firm up their best practice to ensure their remote workforce is helping to protect their business, data and reputation. Here are some key pointers:
● Be extra vigilant to COVID-19 phishing scams – run the free phishing campaign to assess risks, deliver awareness and train your staff.
● Use secure company provided systems – ensure cloud-based systems are patched and don’t use personal accounts.
● Be prepared and equip your staff. Provide encrypted, up-to-date devices with patched applications, and VPNs to access your company’s internal systems.
● Put protocols and processes in place to minimise the impact should a cyberattack take place. Cyber Risk Aware offers PhishHuk, a free Outlook plugin, which staff can use in their email ribbon to report phishing emails to IT Security.
● Have clear lines of communication. Avoid social media and WhatsApp when revealing sensitive data. Ensure your company is set up with secure best practice communication channels.
● Don’t take the easy route. Shadow IT, a term used for downloading unapproved software, is an increasing threat to cybersecurity. This can include macros for Excel or software to grab screenshots, for example.
● Don’t connect to public Wi-Fi. Instead, use a company-provided VPN or mobile data if accessing sensitive data.
● Don’t allow the use of personal devices as they are often insecure and vulnerable to cyber-attacks.
● Password protection and encryption are key: on devices, files and data.
● Don’t forget to back up data centrally. Be it the concern of a system crash or the risk posed by a ransomware attack, ensure all backups are made daily, to a central location, and that restores are tested regularly by IT staff.
Stick to the rule of ABC
Always be coaching: at a time when businesses and individuals are more vulnerable, and while working to mitigate the spread of this pandemic, organisations need to pull together for the greater good. Keeping businesses operational and protecting workforces from escalating threats should be a global consideration and a united collaboration.
This time of uncertainty has led to unprecedented behaviours. With the majority of the workforce now encouraged to work from home, the risk of businesses experiencing a cyber incident is significantly increased. It is therefore imperative that staff and businesses are prepared for and protected from these very present cyber threats as best as possible. The best way of arming your people with knowledge of the cyber threats that are out there, and protecting your business in these uncertain times, is through cybersecurity awareness training with real-time cyber-attack simulations. And with free phishing simulations at your disposal, there can be no excuse for not doing your own cybersecurity health check.