A global crisis seems to present cybercriminals with a big opportunity. In the U.S., the FBI has observed instances of cybercrime jump by as much as 300%. Phishing attempts have soared by over 600% since the end of February, including traditional impersonation scams along with business email compromise (BEC) and extortion attacks. In Hong Kong, attackers are using the virus as a lure to trick users into clicking on news links booby-trapped with iOS spyware.
COVID-19-themed phishing scams began circulating in January, exploiting people’s fear and uncertainty around the crisis. According to security protection software company SentryBay, as many as 42% of endpoints are unprotected at any given moment, creating large numbers of potential vulnerabilities. With so many Hong Kong workers working from home and using potentially compromised laptops or home computers to access their corporate networks, these endpoints present a significant weak link in the security chain.
This is a key point: more Hong Kong workers working from home means a much larger risk surface and exponentially more endpoints to try to protect. Other research by AI endpoint security platform SentinelOne showed that from February 23 to March 16 attempted attacks increased, peaking at 145 threats per 1,000 endpoints, compared to around 30 at the start of that period.
Hong Kong is home to many major financial services companies and global bank headquarters, companies that are proving to be prime targets for cybercriminals during the COVID-19 crisis. Just a few weeks ago, banks in Italy reported receiving emails that appeared to be from the World Health Organization (WHO) and bore the signature of a fictitious Italian doctor. The email had an attached document that claimed to carry guideline precautions against COVID-19, but in fact, when clicked, activated a Trojan horse malware that had been tailored for infiltrating banks.
Domain name threats in play, too
Domain attacks have also ramped up since the global pandemic commenced, according to cybersecurity company Check Point. More than 16,000 domain names related to COVID-19 have been registered since January, with around 10% of them registered with malicious intent.
This amounts to almost double the typical number of domain name registrations, according to security specialists at Check Point.
Why is it happening?
Because cybercriminals love a vacuum: change and new ways of working can present them with opportunities. A scenario as all-encompassing as the COVID-19 pandemic was not really anticipated by businesses, so it was practically impossible to plan for. You can carry out all the cybersecurity due diligence in the world, but it probably would never include millions of people suddenly being forced to work from home.
It isn’t surprising that there are many thousands of newly remote workers in Hong Kong who are simply unaware of basic security measures. They are not used to working from home, so why would they be aware of the security requirements around it? As a result, many employees working from home create a new layer of vulnerability through no real fault of their own, by switching on compromised devices and applications. At the same time, many companies are struggling to keep externally-accessed systems secure, and cybercriminals are also becoming increasingly proficient at mimicking emails from health authorities.
How you can mitigate threats
COVID-19 has forced companies to shift rapidly to remote working at unprecedented scale. Threats have increased, so the way you address them has to change, too. Steps that you can take include:
Plan: You will by now have realized that any emergency response and business continuity plans you had will likely not have anticipated the COVID-19 crisis. Every potential way forward now should factor in cyber threats and draw up contingencies that can address them. Cyber crisis simulations can help, and while conducting them remotely could be challenging, it might also prove more realistic.
Defend against phishing: This can be done through training and education of employees. It’s worth trying to set up simulated spear phishing attacks against employees to keep them on their toes during the COVID-19 situation. Try simulating attacks that promise recipients information about COVID-19 or that masquerade as IT help desks performing work from home checks. This can help you improve the defensive skills of your employees and enhance your company’s overall resilience in the face of these increased threats.
Update homeworking cybersecurity: Ensure that your cybersecurity policy is sufficient as your organization transitions to more employees working from outside the office. Your policy will need to cover remote-working access management, use of personal devices and updated data privacy considerations for employee access to documents and other information. Without the right security in place, any device used to access your corporate network can leave you vulnerable to hacking.
Monitor shadow IT: Watch for shadow IT, and try to keep your workers on approved apps and solutions wherever possible.
Patch: Ensure that your remote access systems are fully patched and securely configured at all times.
Test: Since we are all still largely creating “work from home” protocols as we go, they are evolving in real time. So keep reviewing all your protocols and procedures as they change to check for vulnerabilities or potential loopholes.
Brace for disruption: Be aware that your preventative measures can only realistically go so far. Be ready to respond fast in case of a breach. It generally pays to think of cyberattacks as a matter of “when,” rather than “if.”
Provide clear guidance and encourage communication: Ensure that homeworking policies are clear and include easy-to-follow steps that empower employees to make their homeworking environment secure. This should include instructing employees to communicate with internal security teams about any suspicious activities.
To read more about the knowledge, insights and experience Orange Cyberdefense is sharing around cybersecurity during the COVID-19 crisis and beyond, please download our white paper.
Edmund Yick is General Manager of Orange Business Services in Hong Kong and Taiwan. He is responsible for developing and managing the Orange Business Services portfolio of business solutions for multinational enterprises.
He has over 30 years of sales and management experience and is a Commerce and Business Administration graduate of the University of Toronto.