With the Coronavirus (COVID-19) sweeping the world and causing massive disruptions, most of our focus has been on things like washing our hands properly and maintaining social distancing. That is a good thing if all countries want to flatten the curve.
However, there's a hidden nastiness which may catch you by surprise and that you should be aware of. To put it simply:
Hackers haven’t gone into hibernation.
While many businesses are in complete lockdown and others have transitioned to working from home, hackers and others wanting to cause damage, spread malware or carry out other malicious activity are not only still active but increasing their activity.
This means you need to be as vigilant as ever when it comes to IT security.
Our internal firewall data has shown a change in attack behaviour over the last few months. While it's not conclusive enough to state explicitly that the pandemic is the reason, we expect the threats to keep changing over the next 12 months to target COVID-19-specific weaknesses.
What does this actually mean?
There are a number of factors you need to consider.
Phishing will be the biggest security threat. For those unfamiliar with it, phishing is the crafting of fake emails that imitate a legitimate sender. For example, a common phishing email is a fake message from your bank or payment system (eg PayPal) asking you to log in and unsuspend your account. The email and the login page it links to are of course fake, and you'll be handing your details over to a malicious third party who can then spend your money.
The simple rule is: treat all emails as suspicious. Hackers know there's a significant increase in work-from-home users and government payouts, so they will target this. The emails may appear to come from your company, asking you to install additional software or carry out similar tasks which are significantly more common during this pandemic. Verify any such request through a channel you already trust (eg a phone call to your IT contact) rather than by replying to the email or clicking its links.
Secondly, they may appear to come from government or similar websites, requiring you to register or provide credentials in order to receive government stimulus money or similar.
The other ones we see frequently are fake emails claiming that your email, Internet service and/or phone data is over quota. We expect to see an increase in these phishing emails during COVID-19 too, as legitimate notifications (which will never ask you to log in) will be increasing as well.
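Two of the structural tells that give these emails away (a Reply-To that goes somewhere other than the claimed sender, and link text that names one domain while the link itself points at another) can be checked mechanically. The script below is an added example written for this article, not code from the original page or from any product it mentions; the two sample messages are constructed, the domains in them are placeholders, and the two-label "registrable domain" approximation is an assumption that real code would replace with a public-suffix list.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages (not real mail): one phish, one legitimate notice.
SAMPLE_PHISH = """\
From: "Example Bank Support" <security@example-bank.com>
Reply-To: helpdesk@mail-verify.example.net
To: staff@example.org
Subject: Action required: your account has been suspended
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account has been suspended.
<a href="http://example-bank.com.login-verify.example.net/unsuspend">Login at https://www.example-bank.com/</a>
to restore access.</p>
</body></html>
"""

SAMPLE_LEGIT = """\
From: "Example Bank" <alerts@example-bank.com>
To: staff@example.org
Subject: Your statement is ready
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your statement is available at
<a href="https://www.example-bank.com/statements">https://www.example-bank.com/statements</a>.</p>
</body></html>
"""

URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Crude owner-domain approximation: the last two labels of the host name.
    ASSUMPTION: adequate for the .com/.net demo hosts here; real code should use
    the public-suffix list so that names like example.co.uk are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_of(url: str) -> str:
    """Host name of a URL; bare 'www.x' text is treated as http://www.x."""
    if not re.match(r"^[a-z][a-z0-9+.\-]*://", url, re.IGNORECASE):
        url = "http://" + url
    return urlparse(url).hostname or ""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).strip()))
            self._href = None


def phishing_indicators(raw_message: str) -> list:
    """Return human-readable warnings for two structural phishing tells:
    a Reply-To outside the From domain, and link text naming a different
    domain from the href. An empty list means neither tell was found,
    not that the mail is safe."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []

    _, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_dom = registrable_domain(from_addr.rpartition("@")[2]) if "@" in from_addr else ""
    reply_dom = registrable_domain(reply_addr.rpartition("@")[2]) if "@" in reply_addr else ""
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To goes to {reply_dom} but From claims {from_dom}")

    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    collector = _LinkCollector()
    collector.feed(content)
    for href, text in collector.links:
        target = registrable_domain(host_of(href))
        for shown in URL_RE.findall(text):
            shown_dom = registrable_domain(host_of(shown))
            if shown_dom != target:
                findings.append(f"link text shows {shown_dom} but points to {target}")
    return findings


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, phishing_indicators(sample) or "no indicators")
```

Run against the constructed phish it reports both tells; against the legitimate notice it reports nothing. It deliberately does not look at wording, since the "urgent" language changes with every campaign while these two structural mismatches do not.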
If you've taken your PC home and it was receiving its updates from an internal update server (eg WSUS), that mechanism may not work once the PC is off the office network. Your internal IT should be verifying this through central management software, but the scale of having thousands of people suddenly work from home may mean their resources are stretched.
If you're a small business and don't have internal IT on site all the time, it's again worth verifying that operating system updates are still being applied if you've had to move IT infrastructure.
Your website is no different from your PC: in the majority of cases (eg WordPress, Joomla and similar) there's a constant stream of updates to the core code, plugins and themes. Many of these updates include security fixes which, if left unpatched, could lead to your site being compromised.
None of this has changed with COVID-19; however, as businesses change to adapt, it's easy for these updates to be forgotten. Similarly, if you've decided to shut your business for a short period of time, these updates still need to be run. Leaving them for a few months could mean a nasty surprise if your website is compromised.
Encrypted email traffic is commonly overlooked when PCs move off the internal office network onto bigger, shared ones. If you're working from any form of communal or public WiFi, make sure your email traffic is encrypted when talking to your email server.
If in doubt, please talk to your email or hosting provider to review your settings. Many legacy systems still allow unencrypted methods of communication (plain IMAP, POP3 or SMTP without TLS), and on a public or shared network this means your username and password are available to anyone else on that network. Your email client should be set to use TLS: either the dedicated encrypted ports (IMAPS on 993, POP3S on 995, SMTPS on 465) or STARTTLS on the standard ports with the client set to require it, not merely use it if available.
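As an added example (written for this article, not code from the original page or from any mail client or provider), the script below audits a handful of mail account settings offline and flags the combinations that expose the password, then offers a separate function that makes a real, certificate-verified IMAP connection so you can confirm what the server actually negotiates. The account list and the server name mail.example.com are constructed placeholders.

```python
import imaplib
import ssl

# Ports where the connection is TLS from the first byte (no plaintext phase).
IMPLICIT_TLS_PORTS = {993: "IMAPS", 995: "POP3S", 465: "SMTPS"}
# Ports that start in plaintext and must upgrade with STARTTLS to be safe.
STARTTLS_PORTS = {143: "IMAP", 110: "POP3", 587: "SMTP submission", 25: "SMTP"}

# Constructed sample of what you might find across a few staff mail clients.
# Fields: account name, server, port, encryption setting as the client shows it:
#   'ssl'      = SSL/TLS from connect
#   'starttls' = STARTTLS, required
#   'optional' = STARTTLS only if the server offers it
#   'none'     = no encryption
SAMPLE_ACCOUNTS = [
    ("office-imap", "mail.example.com", 993, "ssl"),
    ("legacy-pop", "mail.example.com", 110, "none"),
    ("outgoing", "mail.example.com", 587, "starttls"),
    ("old-laptop", "mail.example.com", 25, "optional"),
    ("mismatch", "mail.example.com", 993, "none"),
]


def audit_account(name, host, port, encryption):
    """Classify one account's transport settings as ('OK'|'WARN'|'FAIL', reason).
    Only the settings are inspected; nothing is contacted, so this runs offline."""
    if encryption == "none":
        svc = IMPLICIT_TLS_PORTS.get(port) or STARTTLS_PORTS.get(port, "unknown service")
        return "FAIL", f"{name}: {svc} on port {port} without TLS sends the password in clear"
    if encryption == "optional":
        return "FAIL", (f"{name}: opportunistic STARTTLS on port {port} can be stripped by "
                        "anyone on the path; set it to required")
    if encryption == "ssl":
        if port in IMPLICIT_TLS_PORTS:
            return "OK", f"{name}: {IMPLICIT_TLS_PORTS[port]} on port {port}"
        return "WARN", (f"{name}: SSL/TLS selected on port {port}, which expects STARTTLS; "
                        "the client will most likely fail to connect")
    if encryption == "starttls":
        if port in STARTTLS_PORTS:
            return "OK", f"{name}: {STARTTLS_PORTS[port]} on port {port} with STARTTLS required"
        return "WARN", (f"{name}: STARTTLS selected on port {port}, which is already TLS; "
                        "use the SSL/TLS setting instead")
    return "WARN", f"{name}: unrecognised encryption setting {encryption!r}"


def audit_accounts(accounts):
    """Run audit_account over a list of account tuples and return {name: status}."""
    return {acct[0]: audit_account(*acct)[0] for acct in accounts}


def probe_imap_tls(host, port=993, starttls=False, timeout=10):
    """Connect to a real IMAP server with full chain and host-name verification and
    return (negotiated TLS version, certificate subject). Needs network access, so
    the offline audit above does not call it."""
    ctx = ssl.create_default_context()          # verifies the chain and the host name
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if starttls:
        conn = imaplib.IMAP4(host, port, timeout=timeout)
        conn.starttls(ssl_context=ctx)          # upgrade before any LOGIN is sent
    else:
        conn = imaplib.IMAP4_SSL(host, port, ssl_context=ctx, timeout=timeout)
    sock = conn.socket()
    result = (sock.version(), dict(rdn[0] for rdn in sock.getpeercert()["subject"]))
    conn.logout()
    return result


if __name__ == "__main__":
    for acct in SAMPLE_ACCOUNTS:
        status, reason = audit_account(*acct)
        print(f"[{status}] {reason}")
```

The "optional" case is the one people miss: a client that only upgrades to STARTTLS when the server advertises it will happily fall back to plaintext if someone on the coffee-shop WiFi strips the capability from the server's greeting, which is why the audit treats it the same as no encryption at all.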
Working from home means you need to consider a few extra scenarios. In many typical office setups there's a central file server and therefore a single place to back up. Or, if you're backing up laptops and PCs to a central server, that server may not be reachable once you've moved the PC home.
You should conduct an audit of where documents are stored and then determine how each location is being backed up. Are they stored using a replicated service (eg OneDrive, Dropbox or Google Drive)? Bear in mind that sync is not the same as backup: a file deleted or encrypted by ransomware on your PC is replicated just as faithfully, so check what version history or retention the service gives you. Are you using a document management system to check documents in and out (eg SharePoint) and, if so, how often are you checking documents in?
The best way to approach how and when you should back up is by working out what you can afford to lose. If your PC loses all its data overnight, what's the business impact? What if this happened to multiple employees? By working out the business cost and associated risks, you can then formulate a plan.
Increasing your security
While most of the news is doom and gloom, this could be a good opportunity to improve your overall IT security too. If you’ve already ticked these things off your list then that’s great!
In the majority of instances, your accounts won't be hacked because you've been targeted personally. Instead, most phishing campaigns cast their net far and wide, on the theory that the more people they try, the higher the chance of someone filling out the fake form.
One of the best limiting factors you can put in place is strong, unique passwords. This means a unique password for every login, at least 10 characters long; a password manager is the practical way to keep that many unique passwords. We've covered the importance of strong passwords previously and highly recommend reading (or indeed re-reading!) that article if you haven't done so recently.
A very effective security measure is to enable Multi-factor Authentication (MFA) on your services. This means that to log in or access a system you have to provide more than one method of authentication. For example, with Office 365 you can use the Microsoft Authenticator app (formerly called Azure Authenticator), so that when you log in to Office 365 you also need to provide a secondary code from your mobile phone.
The key advantage is that even if someone manages to get your username and password (eg because you accidentally filled out a phishing form), they still need the code from your mobile device and therefore can't access your services.
Aside from using long, unique passwords, this is the most effective security measure you can put in place to protect yourself.
MFA can be a mobile app or a physical USB key such as the YubiKey.
This works in a similar way to a mobile authenticator app, but the key needs no phone or network connection and, for services that integrate it properly, logging in is literally as simple as tapping the button. It also has a security edge over a typed code: the key's response is tied to the genuine website's address, so a look-alike phishing site cannot obtain a valid response from it, whereas a six-digit code typed into a fake page can be relayed to the real site within its validity window.
Anti-Spam Email Filtering
If your email doesn't already pass through some form of professional anti-spam system, we'd highly recommend investigating one. The larger systems use a number of complex algorithms as well as global data from millions of emails to detect and block spam and phishing emails, with claimed accuracy of 99.9% or greater.
This means that even if a phishing email is sent to you or your staff, it will most likely be blocked by an automated system before anyone sees it. No filter is perfect, though, so the advice above on treating emails as suspicious still applies to whatever gets through.
If you're reading this blog, then that's a great step forward. As the saying goes, forewarned is forearmed: if you know about the latest scams and security threats before they reach you, you're able to recognise them when you see them. Here's further reading and the latest information from the Australian Cyber Security Centre to help keep you up to date:
- Cyber security is essential when preparing for COVID-19
- Widespread reports of COVID-19 malicious scams being sent to Australians
Remember, these threats are real so stay vigilant!