The global disruption caused by COVID-19 has provided cyber criminals the opportunity of a lifetime. Unfortunately, businesses both large and
small—as well as private citizens—are paying the price. Recent high-profile cyberattacks on major oil pipelines, power facilities, hospitals, airports, and aviation companies may have you asking, ‘What does COVID-19 have to do with it?’ The answer is, probably more than
1. Employee Shortage: If your organization is understaffed, something could be overlooked in the effort to get the job done. According to a recent Washington Post article, there are nearly 465,000
unfilled cyber jobs across the nation. Changes to security procedures enacted to save time or increase productivity also place an increased
risk on an already understaffed Information Technology (IT) community. In addition, many organizations lack a document flow of who has
what responsibilities and who takes over when that person is no longer there. No one knows what isn’t being done, so it is assumed that someone else is doing it—leading to a false sense of security.
2. New Employees. New Positions. New Responsibilities: Considering the abovementioned workforce shortage, it is natural that employees may be hired or moved into positions they are not fully qualified for, requiring a larger-than-normal amount of additional training. Training these new employees takes time, and mistakes will be made.
3. More Remote Workers: The concept of teleworking itself is not new. What is new is the number of organizations that have had to implement remote work as part of their everyday operations. A 2020 Pew Research Center survey found that “about seven-in-ten workers who say their jobs can mostly be done from home say they are teleworking all or most of the time,” in comparison to pre-COVID-19 statistics showing 62% of the same type of workers rarely or never worked from home. For an already depleted IT staff, this major shift in requirements could, in many ways, transform IT infrastructure, process, and procedure.
What cybercrimes are happening?
Types of cybercrimes have not changed. What has changed is the scale of the attacks, how they are committed, and who they target. In reference to the three workforce shifts discussed above, cyber criminals now have a new audience in an unfamiliar work setting to target.
How are companies now targeted?
The most common cybercrimes facing businesses today fit into five categories:
1. Open system access through a wireless connection: Many companies still have not implemented a required Virtual Private Network (VPN) for employees working remotely. Home networks, hotels, restaurants, airports, and FBOs are prime targets for cyber criminals. Assuming that
open access or home networks are safe is a major gap in cybersecurity and can easily lead to hackers gaining access to company data and key operating systems.
2. Malware: Malware is software that is included within a website, email, or program. Its intent is to steal, damage, or destroy computer systems.
3. Phishing and spear-phishing: Emails, phone calls, text messages, social network messaging or chats that appear to be from reputable companies or known individuals have become primary methods for cyber criminals to obtain passwords and personal data, as well as proprietary information. Phishing is broad, targeting a wide audience, while spear-phishing is personal, targeting an individual.
4. Vishing: In this scenario, a simple phone call is placed with the intent of obtaining personal information, which cyber criminals then use to gain access to individual accounts or company systems. Vishing is not a new scheme; however, its use by cyber criminals has increased so significantly that some experts now place it toward the top of the risk spectrum.
5. Smishing: The use of text messages in a phishing or spear-phishing type attack is a newer tactic rising in popularity among cyber criminals. Most often, smishing is used to request the purchase of something (e.g.: electronic gift cards) or to obtain personal information, such as a phone number or email address.
What is the cost?
According to Varonis, a data security and insider threat detection company, “Data breaches exposed 36 billion records in the first half of 2020” and “95% of cybersecurity breaches are caused by human error.” This data does not account for the average financial cost of a single cybersecurity breach, which IBM and Ponemon estimated at over $4 million dollars in 2020. In addition to financial cost is the unforeseen damage that occurs to your company’s reputation and business operations, as well as future liabilities.
What can you do?
1. Knowing that human error makes up 95% of all cybersecurity breaches also means that 95% of all cybersecurity breaches are preventable! This can be accomplished through training, policy, and
a. Training: Many companies have some level of cybersecurity training required of new hires. Too often, however, those companies lack recurrent or random cybersecurity training. If employees haven’t been trained on cyber threats on a regular basis to mitigate complacency, your company risk remains high.
b. Policy: What rules do you have in place? Your company should have clear policies that specify internet use, email attachment and link handling, and network access.
c. Procedure: What actions need to be taken? Provide clear and concise procedures to define how emails are sent, how information must be secured, and what to do in a suspected cyber breach.
2. Invest in your IT professionals and IT infrastructure.
a. Do you have an internal IT team, or are you using outsourced services? The key is to answer yes to one of these two questions. If you answered no to both, then you are most likely placing your company and clients at risk of a cyber breach.
b. Keep in mind that not every IT professional is an IT security professional. Yes, most IT professionals have some level of security knowledge. Ask yourself if your current staff has the knowledge necessary to secure your company and customer data.
c. Cybersecurity risks are continually evolving. Your organization must invest in IT infrastructure, such as current equipment and up-to-date programs, as well as in your IT professionals. Training your IT team to understand and combat current risks is critical to your success.
Cyber risk has been around since the early days of the internet, starting with perpetrators trying to “hack” into programs, looking for vulnerabilities. Today, cyber criminals launch attacks against emergency services, pipelines, government agencies, private corporations, and individuals. The threat continues to evolve, so risk assessment within your organization is a vital tool in preventing and mitigating cybercrime. Stéphane Nappo, Global Head Information Security for Société Générale International Banking, once stated, “It takes 20 years to build a reputation and a few minutes of cyber incident to ruin it.”
IBM Report: Cost of a Data Breach Hits Record High During Pandemic (prnewswire.com)
The Cybersecurity 202: The government’s facing a severe shortage
of cyber workers when it needs them the most – The Washington
How Coronavirus Has Changed the Way Americans Work | Pew
134 Cybersecurity Statistics and Trends for 2021 | Varonis
By Joe Dalton