With remote working bringing new security challenges, make sure you don't fall victim to cyber criminals
As most of us now find ourselves working remotely, it’s quite incredible to see how things have changed so dramatically in such a relatively short space of time. There have been challenges, of course – and perhaps some triumphs, too – as we have figured out new ways of doing business.
One fact is unequivocal. Home and personal work stations are often less secure and more susceptible to hackers, meaning that we need to identify and manage the additional cyber risks involved in working from home.
Cyber criminals are using the Covid-19 pandemic as a time to exploit weaknesses in network security and human fallibilities as we discover new ways of using technology.
Never being ones to miss an opportunity, criminals are taking advantage of the disruption and uncertainty, and launching cyber-attacks on remote workers at home and on supply chains.
From a cyber perspective, be vigilant! Now more than ever, it’s vital to keep our wits about us as the bad actors are relentless, taking advantage of our insecurities as well as the goodwill that is inherent within the majority of us.
Working from home (WFH) has resulted in the growth of the use of personal devices and home networks. The security of employees’ home computers and home networks is usually beyond the control of the companies for whom they work. The absence of necessary security on home networks creates a heightened risk of system disruption for the company.
The increased susceptibilities of WFH mean that cyber criminals have upped the ante. Cyberattacks, while clearly evident pre-Covid, have exponentially increased as criminals take advantage of the disruption and weakened network securities.
From the early days of remote working, hacking events have surged as compromised technology and security have allowed easier access to network systems.
Evidence suggests that phishing attacks alone have increased by 667% just in March of this year.
Cyber criminals are exploiting human frailties. The fraudulent attempts to prey on our generosity of spirit – that spirit clearly evident in our nation’s response to Captain Tom Moore’s heroic efforts – are repugnant.
Bogus websites have been set up posing as charities to channel funds into cyber criminals’ bank accounts.
Our natural fears and anxieties are being used against us as criminals seek to offer us fraudulent PPE, home-testing kits and cures. The appeal is all too obvious. These fraudulent activities are carried out via email, phone scams (eg offering free home testing kits or the promotion of bogus cures), or hoax texts (including one that offered a $30,000 'relief' package from 'The Financial Care Center', and another that informed recipients that they must take a mandatory online Covid-19 test; both were attempts to obtain banking and other personal information).
Another 'in' for these hackers is bogus updates on Covid-19, which are being sent by email or via social media. Phishing attacks involve emails to employees that appear to come from senior executives, emails that purport to attach updated policies around remote working, or emails that pretend to be from health agencies.
We are aware of emails purportedly from the World Health Organization, ostensibly providing Covid-19 updates via an attachment. Rather than providing helpful content, the attachment, once clicked, launches malware or ransomware into the victim’s computer.
Again, preying on human behavioural patterns, fraudsters often craft phishing emails encouraging the recipients to take action while manipulating our willingness to be efficient, helpful and proactive. Examples include:
The phish, if successful, may provide remote access to an employee’s computer or network, often the precursor to installing ransomware. Alternatively, or perhaps at the same time, the scammer uses valuable information to commit fraud or identity theft.
We are all generally becoming more educated in our ability to spot phishing emails: we’ve been told about checking for clues such as bad grammar, spelling mistakes, poor stylistics and odd-looking links.
Unfortunately, however, the sophistication of these emails is also improving at the same rate, and even the most seasoned cyber-guru can get caught out.
While spotting a phishing email is becoming increasingly difficult, the National Cyber Security Centre (NCSC) has put together some common signs to look for:
The overriding message is: do not trust information that doesn’t come from official sources and be suspicious of messages coming from a company from which you don’t normally receive communications.
One final but very relevant point needs to be made in relation to data protection.
There may be a temptation to share information more readily when WFH, particularly when operating a mobile device, whether a smartphone or tablet.
Psychologically, because we are not 'in the office' and are not sitting at our desk, we can become a little relaxed about our work practices, which may translate into more liberal sharing of data, perhaps without the normal thought processes being engaged.
It is vital that employees continue to maintain strict data policies when it comes to the handling of data. Inadvertent sharing of information regarding affected employees or clients could result in significant repercussions,from a financial, regulatory and reputational perspective.
Awareness, education and technology solutions all help but are not failsafe. Detection must be combined with an effective incident response plan and business continuity plan. Cyber insurance ought to be considered as part of this process.
The 24/7 breach response services offered as part of a market-leading cyber policy will be crucial in the immediate aftermath of a cyber incident, providing access to experienced consultants in IT, legal services, PR and crisis management specialists, during a stressful and vulnerable time.
Finally, if you have any questions, please contact your Lockton account manager for further advice or email ACCAaccountants@uk.lockton.com.
Lockton is ACCA’s recommended broker for professional indemnity insurance.