Ransomware and phishing attacks are on the rise, as are the significant legal and economic considerations that follow. In 2019, a number of municipalities across Canada faced malicious online attacks that effectively shut down city operations unless a ransom was paid.1 A recent Carbon Black survey of 250 Canadian CIOs, CTOs and CISOs found that 88% of businesses had suffered a data breach over the past 12 months, largely due to phishing attacks.2
As businesses adapt to the "new normal" of extreme uncertainty caused by the COVID-19 pandemic, countless employees are faced with the prospect of working remotely in a variety of new (and sometimes less-than-secure) environments. Cybercriminals have taken notice.
Phishing attacks related to COVID-19 began in January and have exploded online since, with some reports pointing to thousands of new sites and scams created every day. For example, regulators in the UK have identified a rise in the registration of webpages relating to coronavirus, which is suspected to be the work of online threat actors looking to exploit the outbreak.3
Perhaps in a bid for self-preservation, a number of hackers have made clear they will not resort to ransomware and other health-related cyberattacks during the pandemic. However, businesses should be wary of these overtures and continue to maintain vigilance across their workforces, especially in light of the recent (and significant) attack on the U.S. Health and Human Services Department earlier in March.4
The minute-to-minute evolution of the pandemic can feel overwhelming and even surreal. However, organizations can consider a number of straightforward best practices when attempting to reduce the risk of phishing and other cyber incidents arising from COVID-19:
1) Implement a clear and consistent process for communicating to employees over the course of the pandemic – to address how the outbreak may impact employees long-term,5 to provide updates on IT and other policy issues, and also to ensure everyone remains connected, even if virtually, during this public health emergency.
2) Specifically, IT teams and resources should keep in touch with remote workers to ensure program updates and patches continue to be installed when available, and to quickly deal with any data incidents taking place outside of the traditional office.
3) Speak to employees frankly about using work technology for work purposes only, and reinforce the need to keep devices secure from their own online activities at home (e.g., limit online shopping or other activities that increase the risk of their clicking fake ads). Employees may also consider having these conversations with other family members/close contacts (e.g., to reduce the possibility of the use of vulnerable remote drives).
4) Continue to reinforce online IT security training while employees are working remotely so they stay abreast of the latest phishing and ransomware scams during the pandemic. Of late, these attacks have involved emails with information claiming to be from government-related health agencies offering pandemic advice or fake workplace correspondence seeking sensitive personal information and/or requesting password verification.
5) Employees should also ensure they are maintaining good cybersecurity practices at home by confirming their Wi-Fi is secure, remembering to constantly save and back up work, and locking their screens when leaving workspaces if in a shared environment.
1 'Definite uptick': Global wave of ransomware attacks hitting Canadian organizations – CBC, Oct 14, 2019
2 CANADA | GLOBAL THREAT REPORT | DEFENDER POWER ON THE RISE – Carbon Black
3 Coronavirus-themed phishing attacks and hacking campaigns are on the rise – ZDNet, March 16, 2020
4 Cyber-Attack Hits U.S. Health Agency Amid Covid-19 Outbreak – Bloomberg, March 16, 2020
5 COVID-19 – How Employers Can Manage the Workplace in These Uncertain Times – Cox & Palmer, March 18, 2020