04 Aug Cyber-threats grow globally as organisations exit lockdown
Despite the gradual easing of the COVID-19 lockdown regulations, industry has become increasingly reliant upon its online networks and remote-work capabilities. The threat of cyber-attack has similarly grown, says Professor Kamal Bechkoum, Head of Business and Technology at the University of Gloucestershire.
Picture a cyber-hack on your organisation as being like any other scam – tenacious, infuriating and often playing on human weakness or error to achieve access to your most important resources.
Organisations around the world are bombarded on a daily basis with information about cybercrime and threats to their IT infrastructure, almost to the point where it feels like there is little else that needs to be done, other than trust in the IT department’s abilities and get on with life.
But does this mean that a business is safe, that its partner companies’ data is secure, that payments can be made in a secure way and its computers, facilities and services will continue to function without hiccup?
In a word, ‘no.’ There is yet to be a company created that is 100% secure, because no one is completely safe when it comes to cyber threats. The government’s recent COVID-19 ‘test, track and trace’ smartphone app, originally piloted on the Isle of Wight, is a prime example of what can go wrong when a significant lack of trust comes into play.
According to a recent 1,000-person survey almost half (48%) of people in the UK questioned about the NHSX contact-tracing app say they don’t trust the government to keep their information safe from hackers.
The poll also found that 43% of respondents are worried that using the app could give fraudsters an opportunity to launch phishing attacks by email or SMS. This is in addition to the thousands of fake COVID-19 domains springing up and being used to initiate a flood of online frauds.
Given that one of the most important public health and safety plans of our time struggled to assure the public of its authenticity and trustworthiness, how can business leaders make the right decisions to protect themselves and their stakeholders through these troubling times?
In the first instance cybersecurity should not be delegated. While you are busy thinking ‘it’s not going to be me,’ that’s when you leave yourself most vulnerable.
According to a recent Mimecast report, ‘100 Days of Coronavirus (Covid-19)’, there has been a 35.16% increase in malware detections, as well as a significant increase in spam (26.3%), impersonations (30.3%) and unsafe URL clicks (55.8%).
Hackers will always try to take advantage of a crisis and the coronavirus outbreak has provided them with an ideal opportunity to do so. Since the beginning of the year criminals have used COVID-19 as a cover to stage a variety of cyber-attacks, ranging from ransomware takeovers of hospital systems, through to private network hacking.
One of the greatest threats at the present time is ‘phishing,’ the process where criminals fraudulently attempt to steal sensitive information such as usernames, passwords and credit card details by disguising themselves as a trustworthy contact using e-communication.
A mass of phishing attacks have targeted consumer trust in mainstream video-conferencing platforms to steal personal information and harm lives, many of which initially involved hackers impersonating health organisations offering fake coronavirus-related news.
Secondly, hackers adjusted their attacks to target remote-workers by impersonating trusted tech platforms such as Zoom, Skype and Microsoft Teams.
Hackers use false domains to fabricate Zoom notifications and also create false COVID-19 email alerts. Those who respond can unwittingly download malware or compromise their data security.
Research from Check Point found that more than 1,700 Zoom-related domains had been registered within a three-week period, and 4% of these were suspicious or potentially malicious.
To better protect your organisation in the first instance it’s important to understand that a cyber-attack is inevitable. It’s really not a question of ‘if,’ but ‘when.’
Forecasts for the number of online-linked devices, otherwise known as the ‘Internet of Things’ (IOT), in 2020 vary from 26 billion to 75 billion. If there’s one lesson to be learnt from the current pandemic it’s that more of us than ever before are working remotely and often mixing the use of personal and professional devices to stay connected.
There is so much information created by these devices – up to and beyond 2.5 quintillion bytes – that 90% of the world’s data has been created in the last two to three years.
Considering this massive volume it is perhaps understandable that cyber defences can never be 100% secure. The grand challenge facing all organisations is the need to improve their understanding of where threats are most likely to come from, and engage in habitual good security practice at all levels of the organisation.
To begin with, a threat register should consider criminals, ‘hacktivists,’ competitors, hostile states, and insiders, alongside the following tips:
Four top tips towards becoming cyber-secure:
1. A human firewall – people are the first line of defence. Lead by example and develop all of your policies and teams to be cyber-aware. Preparedness can’t simply be delegated to the IT department or executive. It has to be the responsibility of everyone.
2. Update systems regularly – this should be done continuously to ensure the latest software versions and patches are in place to help systems become as airtight as possible.
3. Continuous security – there is no single event or graduation ceremony that guarantees the job is complete. Everyone within and connected to the organisation needs to appreciate that this is a continuously-evolving process.
4. Worst-case planning – have a plan for when things go wrong. Who will take the lead on responding to the attack? How can the problem be solved? Who needs to be informed? What can be learnt and done to prevent similar attacks in the future?
All IOT devices and systems are vulnerable. Malicious apps will often sit in the background for long periods of time collecting data until the time comes for them to strike.
One devastating example was the December 2015 Ukraine power grid cyber-attack, when hackers were able to compromise the information systems of three energy distribution companies and temporarily disrupted electricity supplies for around 230,000 consumers.
This is not massively different from what the average cyber-criminal might do to gain access to your bank account, and make no mistake, even the experts are vulnerable.
Over the last year I’ve personally experienced six attempts to get into my own system and fell victim to a spear-phishing scam. This is an increasingly common form of attack where criminals attempt to gain sensitive information, such as usernames, passwords or credit card details, by disguising themselves as a trustworthy entity in an electronic communication.
After gaining access to my address book the fraudsters contacted 250 friends, family and associates, asking them to pay for Amazon purchases on ‘my’ behalf. Two fell for it.
On another occasion, I’m somewhat embarrassed to admit, I attempted to book some hotel rooms for visiting guests in Cheltenham, but had only 10 minutes spare to do this. I went onto an accommodation-booking website, made the payment and received an email stating that the booking could be confirmed within three days. Later I received a call from my bank querying a transaction from Istanbul for £1,100. Luckily they managed to block any further withdrawals.
Some 95% of internal breaches are caused by human error. Your default approach to all IOT systems should always be one of suspicion.
The individual is our first line of defence and we all should think of ourselves as human firewalls within our organisations. It is vital to make sure systems are updated regularly and understand that security is a continuous process. Access control and privileges should be managed tightly, otherwise employees can unwittingly cause damage by downloading the wrong application.
At the University of Gloucestershire we take this issue of access control very seriously. As a head of school, even I can’t download anything on my PC and I’m happy about this because I know it’s for my own security and that of the organisation’s systems. When you recruit new people they should be inducted into this kind of culture.
The pressures of the coronavirus pandemic have left many of us tired, putting ourselves in a position where we might fail to properly check the veracity of texts or emails received before reacting. This is when it becomes very easy to overlook crucial details and let things slip by.
Don’t make the mistake of acting in haste. Breathe, regroup and take your time. Ask the right questions, double-check your actions and ensure that everyone is alert to cyber-security issues. Your business might just depend on it.