Guest Post by: William Gamble, Member, The Florida Bar Standing Committee on Technology
While many businesses have been negatively impacted by the COVID-19 pandemic, hacking isn’t one of them. Hackers look forward to disasters because they can use the increased fear to motivate victims to fall for the most recent scam.
Cyber criminals have been using the recent prominence of the World Health Organization (WHO) and the US Center for Disease Control (CDC) to create fraudulent websites. These websites and clones try various activities to turn a victim’s anxiety into cash. They advertise everything from antiviral cures or equipment to impossible-to-get face masks, hand sanitizers and ventilators, all of which turn out to be fake. They are even soliciting funds, in bitcoins of course, for vaccine research.
Even nation-state actors are involved. According to US State Department official Lea Gabrielle in testimony before the US Congress, Russia was responsible for “swarms of online, false personas” that were spreading misinformation about the disease. She said the “entire ecosystem of Russian disinformation is at play” in attempts to capitalize on uncertainty caused by the pandemic. On Sunday the US Department of Health and Human Services was hit by a cyber-attack.
Hospitals and healthcare facilities have been specifically targeted. The Czech Republic’s second-biggest hospital, the Brno University Hospital, was hit by a cyber-attack. The hospital was fortunately not shut down, but it would be easy to imagine the enormous pressure to quickly pay a ransom to get crucial services back in desperate times.
Hackers are also taking advantage of new telecommuters. In offices, security departments can have a high degree of control over the network and the environment. This may not be the case for workers at home.
While it is impossible for all workers, or even the well informed, to be aware of the myriad attacks, there are three main areas where attackers have exploited victims with the most success.
- Social Engineering
- Passwords
- Unpatched systems
Social Engineering is the most important area for telecommuters. It is also an area where, with sufficient training, staff can avoid problems.
The second area has to do with passwords. These problems can be solved with a few practical rules. Staff should use passphrases, which are potent and easy to remember. Unlike Mark Zuckerberg, staff should be sure to use different passphrases for different accounts. Password managers are both convenient and impressive. Wherever possible, firms should institute two-factor or multifactor authentication (MFA).
The third area has to do with ensuring that any technology your staff is using is running the most up-to-date version. Unpatched apps will be hacked within 48 hours after a patch comes out or a vulnerability is publicized.
These areas are discussed on the SANS (information security institute) website (https://www.sans.org/security-awareness-training/sans-security-awareness-work-home-deployment-kit/). This website includes many resources, which are often free, including its Securely Working From Home Kit.
New telecommuters can introduce substantial cyber security risks into a system, but with the proper precautions, including many controls listed in ISO 27001 and other frameworks like the NIST CSF, the economic fallout from the COVID-19 pandemic will not include losses from a hack.