October is Cybersecurity Awareness Month, established in 2004 as a broad effort to help all Americans stay safer and more secure online. This year’s theme is: “Do Your Part. #BeCyberSmart.”
As with so many activities in 2020, COVID-19 has added a layer of complexity to efforts to be CyberSmart. Here’s how COVID is influencing cybersecurity – and what we can all do to help keep our companies, workforces, and families more cyber-secure this year.
How Cybercriminals Are Capitalizing on COVID-19
As the Boston Consulting Group points out, “It’s an unfortunate reality that in times of humanitarian crisis, we need to speak more about cybersecurity.” Cybercriminals have, indeed, been busy since the start of COVID, diligently working to cause mayhem while the business world adjusts to the pandemic.
- Acquiring COVID-19 domain names. As early as January, COVID-19-branded website domain names started to be snatched up by cybercriminals eager to cash in on the crisis by masquerading as legitimate COVID-19 information sites.
- Sending health information or PPP-related phishing emails. Deceptive emails that look as if they are sent from legitimate health and business organizations such as the World Health Organization, the U.S. Centers for Disease Control and Prevention (CDC), or the Small Business Administration (SBA) are actually delivery vehicles for malicious links and attachments.
- Hacking employer IT infrastructure. As employees rapidly moved to work from home, many companies didn’t have time to adequately bolster their IT infrastructure to support mass remote working. Cybercriminals were there to hack into those systems. And they’re still there, monitoring the chaos of employees transitioning back to work – exploiting vulnerabilities to access company, employee, and client data.
- Intercepting non-secure communications. Well-meaning employees who are not set up to work from home will do whatever they can to complete their work and serve their customers. Yet that new workflow may include using a personal email address, a non-secure home or public Wi-Fi, or direct remote access to files on the company internet. Eager cybercriminals are ready and waiting for just such open doors into the company’s files and data.
What CyberSmart Employers are Doing During the Pandemic
The MIT Sloan Management Review confirms that, “Since the COVID-19 outbreak began, the number of cyberattacks has soared as hackers have exploited a greater number of weakly protected back doors into corporate systems as well as the human distraction caused by COVID-19-related events.” As companies are wrestling with the realities of mass remote working, hybrid work models, and the increase in cyberattacks, business and IT leaders must do more to protect their systems and data.
Here are some best practices for improving cybersecurity in your organization:
- Shore up enterprise IT architecture to withstand mass remote work. Firewalls, networks, collaboration tools, and servers should all be configured to accept – and track – remote access. If your workforce worked primarily in the office, you may need to purchase hardware or cloud services to handle the increased load as a majority of employees work from home.
- Revisit and revise work-from-home IT policies. Make it clear whether you require virtual private network (VPN) access to company networks. Do you support personal laptops or smartphones that are not provided by the company? Do you provide firewalls and tech support for personal devices? Decide whether to limit the hours that employees can access the server. When you’re ready, share the updated policies across the company.
- Update business continuity plans. Plan now for the increased threat of a cyberattack affecting your organization. Be sure your team is competent and ready to respond to a security breach or data incident. Remember, COVID-19 could also directly impact any member of your crisis response team. Plan that some people could be out sick for days. Identify and train back-up personnel who could step in – and be sure you’re providing access and security measures for those team members, as well.
- Train up your help desk. The help desk is the first place that people will go for an IT issue. Train up your support staff now – and on an ongoing basis – to ensure they are current on your policies as well as new threats that are unfolding every day.
- Communicate. Communicate. Communicate. Make cybersecurity a routine part of your communications with employees. Policy updates, videos, and answers to frequently asked questions can all help to educate employees. By keeping the topic top of mind, you increase the chance that employees confidently follow CyberSmart behaviors.
Tips for Employees to Stay Cyber-Safe
This year, and every year, the weakest links in corporate cybersecurity – and your strongest defenses – are your employees. This year, many companies have homebound employees who are making do with their home office setup. Many are distracted by health concerns, financial stress, and family demands, making them more vulnerable to cyber and “social engineering” attacks designed to trick them into downloading malware or sharing sensitive information.
Here are some practical cyber safety tips for your employees:
- Keep learning. Lifelong learning has never been more important than during a novel coronavirus pandemic and evolving cybersecurity threats. Things are moving quickly, and we are all learning as the situation unfolds. Use Avilar WebMentor® LMS or another learning management system to view available training, participate in cybersecurity exercises, and reference information you want to remember.
- Be email vigilant. If something doesn’t look right in an email, don’t click. Don’t download suspicious attachments. Even legitimate-looking email addresses can be deceptive. For example, these two email addresses look identical: sample@email and sampIe@email. However, the “l” in the first address is a lower-case “L” and, in the second address, it’s an upper-case “I.”
- Expect targeted phishing emails. The bad guys are sophisticated. Finance professionals should be especially wary of emails related to PPP loans. Executive assistants should be on the lookout for emails that appear to come from an executive but ask for something unexpected. Senior execs should know that cybercriminals are targeting devices of family members in your household in hopes of getting to your information. It’s time for vigilance for every employee – and all those around you.
- Use (only) secure Wi-Fi. If you’re using your personal Wi-Fi network for work, be sure it is set up securely with a strong password. Avoid unsecured public Wi-Fi.
- Use a VPN. Make it a practice to access company information exclusively through your company’s VPN.
- Engage device-level protection. Cybersecurity Awareness Month organizers are pushing this simple advice: “If you connect it, protect it.” Be vigilant about only using password-protected and firewall-protected laptops and phones to conduct work.
- Say “Yes” to application security controls. For collaboration, group text, virtual meeting, and other applications, use passwords and multi-factor authentication to protect the shared information.
- Speak up if you have questions or changes. Questions about your home network? Wondering whether to click on a suspicious email? Is your family planning a schoolcation, temporarily moving your remote work and homeschooling to a hotel environment? Check with your IT Help Desk for recommendations and advice.
- Stay in touch. If your company encourages a wellness check-in, do let your team know about your health and wellbeing. Some of Avilar’s WebMentor® Skills clients use our competency management system for wellness check-ins, making it easy for you to flag when you may need additional support.
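The lookalike-address problem from the “Be email vigilant” tip can also be checked mechanically by a mail filter or help desk tool. The following is an added example, not part of the original article: it folds visually confusable characters and compares a sender against a list of trusted addresses. The confusables table, function names, and `TRUSTED` list are assumptions made for illustration, and the check covers a few more substitutions than the l/I case above.

```python
import unicodedata

# Constructed, deliberately small confusables table (an assumption of this
# example); a production check would use the full Unicode confusables data.
CONFUSABLES = {
    "I": "l",       # upper-case I vs lower-case L, the case described above
    "1": "l",
    "0": "o",
    "\u0430": "a",  # Cyrillic a
    "\u0435": "e",  # Cyrillic e
    "\u043e": "o",  # Cyrillic o
}


def skeleton(address: str) -> str:
    """Fold visually confusable characters so lookalikes compare equal."""
    text = unicodedata.normalize("NFKC", address.strip())
    # Map before case folding: folding first would turn "I" into "i"
    # and hide the I/l substitution.
    folded = "".join(CONFUSABLES.get(ch, ch) for ch in text).casefold()
    return folded.replace("rn", "m")  # "rn" renders much like "m"


def classify_sender(sender: str, trusted: set[str]) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a sender address."""
    plain = unicodedata.normalize("NFKC", sender.strip()).casefold()
    if plain in {t.casefold() for t in trusted}:
        return "trusted"
    # Same skeleton but a different raw address: visually similar impostor.
    if skeleton(sender) in {skeleton(t) for t in trusted}:
        return "lookalike"
    return "unknown"


TRUSTED = {"sample@email"}  # constructed list using the address from the tip

if __name__ == "__main__":
    for addr in ("sample@email", "sampIe@email", "samp1e@email", "other@email"):
        print(f"{addr!r}: {classify_sender(addr, TRUSTED)}")
```
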
Today’s homes and businesses are more connected than ever. With more people working from home, the two digital environments are even more interconnected, creating expanded “attack surfaces” for cybercriminals. National Cybersecurity Awareness Month is a great time to shore up your company’s IT systems, business continuity plans, training, and communication. Every user needs to do their part, confidently and competently. Do Your Part. #BeCyberSmart
If you’re working to improve the knowledge, skills, and behaviors of your workforce to combat cyberattacks, read our white paper: Advancing Cybersecurity With Competency Management. Or contact us to find out how Avilar’s WebMentor Skills™ and WebMentor LMS™ can support your effort.