YARMOUTH, Maine—As the COVID-19 pandemic rages on, cybercriminals are focusing on businesses of all sizes as more and more employees work from home under government protocols to contain, control and remedy the virus. Cybercriminals are actively phishing, vishing and smishing, presenting heightened risk to small businesses — including some security manufacturers, integrators and consultants — because those are the entities that cannot afford to purchase robust cybersecurity defenses.
“Cybercriminals, who have no scruples in the first place, are taking advantage of this global crisis and seizing upon it as an opportunity to try and exploit the situation to turn a profit,” Scott Watnik, cybersecurity practice co-chair at Wilk Auslander LLP in New York, told Security Systems News.
Real phishing, smishing, vishing examples
I spoke with Watnik using my personal smartphone from my home in Texas, observing the shelter-in-place order. As he was telling me that cybercriminals are using phishing (including smishing and vishing) scams to infiltrate small business networks, my phone began to ring. It was a number I didn’t recognize, so I ‘googled’ it. As I suspected, it was identified as yet another insurance scam. “Great timing,” I thought to myself, rolling my eyes.
“We’re seeing an increase in phishing scams where cybercriminals send out emails that look ‘official,’ providing warnings and advice about the COVID-19 pandemic, but when these emails are opened, they lead to malware infections,” Watnik explained.
“We’re seeing phishing scams where there are emails containing information about hand sanitizers, which as you know can be hard to get. When you click on the link [provided in the email] to purchase hand sanitizer, it takes you to an order form and they [cybercriminals] are looking for unsuspecting people to provide bank account information.”
Such scams are occurring at an unprecedented scale right now, so governmental agencies are getting involved. The United States Computer Emergency Readiness Team (US-CERT) has alerted people to an email about a COVID-19 Charity Fund, which turns out to be fraudulent. The Federal Trade Commission (FTC) has sent out similar warnings, as have the United States Centers for Disease Control and Prevention (CDC) and, on an international scale, the World Health Organization (WHO).
“There have been scams where cybercriminals have sent out emails that you would believe are coming from World Health Organization authorities, but you click a link within the email and malware is installed onto your computer,” said Watnik.
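To make the lures above concrete from the defender's side, here is an added triage script (it is not from the article or from Watnik) that flags the three patterns described: a display name claiming WHO, CDC or US-CERT without a matching sender domain, pandemic wording paired with a link off the sender's own domain, and a link combined with a request for bank details. The allowlisted domains and the three sample messages are constructed for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Organisations the article says are impersonated, with the domains they really
# use (assumed allowlist for this example; maintain your own in production).
IMPERSONATED = {"world health organization": {"who.int"}, "cdc": {"cdc.gov"},
                "us-cert": {"cisa.gov", "us-cert.gov"}}
LURE_WORDS = ("covid-19", "coronavirus", "hand sanitizer", "charity fund")
BANK_WORDS = ("bank account", "routing number", "card number")

def triage(raw_email: str) -> list:
    """Return the reasons a message matches the COVID lures described above."""
    msg = message_from_string(raw_email)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + "\n" + body).lower()
    reasons = []
    # 1. Display name claims WHO/CDC/US-CERT but the address is not theirs.
    for org, real in IMPERSONATED.items():
        if org in display.lower() and domain not in real:
            reasons.append(f"display name claims {org} but sender is {domain}")
    # 2. Pandemic lure wording plus a link that leaves the sender's own domain.
    links = re.findall(r'https?://[^\s<>"]+', body)
    hosts = [(u, urlparse(u).hostname or "") for u in links]
    offsite = [u for u, h in hosts if h != domain and not h.endswith("." + domain)]
    if offsite and any(w in text for w in LURE_WORDS):
        reasons.append(f"pandemic lure with off-domain link: {offsite[0]}")
    # 3. The hand-sanitizer order-form variant: a link plus a request for bank data.
    if links and any(w in text for w in BANK_WORDS):
        reasons.append("link combined with request for bank account details")
    return reasons

# Constructed sample messages (not real phishing emails).
WHO_LURE = """From: World Health Organization <alerts@who-int-updates.example>
Subject: COVID-19 safety advice

Read the latest coronavirus guidance at http://who-int-updates.example/guide
"""
SANITIZER_LURE = """From: Supply Desk <sales@sanitizer-deals.example>
Subject: Hand sanitizer in stock

Order at http://orders-portal.example/form and enter your bank account number.
"""
GENUINE = """From: WHO Newsletter <newsletter@who.int>
Subject: COVID-19 weekly update

Situation report: https://www.who.int/emergencies/diseases
"""
```

Run `triage()` over each sample: the WHO lure trips the impersonation check, the sanitizer lure trips both the off-domain-link and bank-details checks, and the genuine newsletter trips none.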
The huge realization and what to do
Businesses need to understand that because the vast majority of the global work force has transitioned from the office to the home, so too have the parameters of a business’ cybersecurity risk.
“Now when people are working from home, they’re distracted,” Watnik explained, adding that he personally has a restless four-year-old running around. “TVs are on; there’s a lot of chaos and no IT personnel to walk into everyone’s office, look at their computers and remind them of what’s going on. People are afraid and panicked due to the global environment right now, and that just makes them more susceptible to lowering their cybersecurity defenses.”
Therefore, businesses of all sizes — small, medium and large — are at risk; however, the business for which an attack could be fatal is the small business.
“We know that large, multi-billion-dollar, multi-national corporations are not hacked nearly as much as small businesses, and certainly when they are, you hear about it; they get much more fanfare,” said Watnik. “But a cyberattack has never really been absolutely fatal to a multi-billion-dollar, multi-national corporation; however, 60 percent of all small businesses that are hacked end up closing up shop within a year, that’s a generally accepted statistic.”
So, what can small business owners do at this time to protect themselves against cyberattacks? Watnik offered the following generally low-cost protocols:
- At this point, all companies should have provided their employees with some sort of cybersecurity training in the form of a policy manual or one-hour instruction period. In fact, the New York Shield Act can be read to confer such requirements on covered entities. Reach out to all employees and remind them to go over their cybersecurity training and protocols.
- Whenever possible, direct employees to use company-owned devices, which are usually more secure and more within the control of the business’ IT personnel. If that is not possible and employees are using their personal devices for work purposes, remind employees to make sure that no one other than themselves is using those devices or has access to them.
- Business data that is used on personal devices and sent electronically should be encrypted or sent via an encrypted method. “In fact, if I could recommend just one measure to take for remote working, it would be for business owners to set up a system to ensure client/customer information is sent in an encrypted fashion,” Watnik advised.
- Update all passwords and turn off all of the remember password functions, especially on personal devices.
- Activate multi-factor authentication on all business accounts.
- Encourage all employees to use a VPN; according to Watnik, VPN connections are far less vulnerable to being hacked.
- Issue a directive prohibiting employees from downloading business information onto personal devices or personal cloud services. Such downloads present a risk of a cybercriminal infiltrating the business’ network; therefore, all business data should stay on the business’ network or the business’ cloud storage.
- If your business is carrying cybersecurity insurance, contact your provider; if not, contact an insurance agent and explore what types of options are available.
- Ensure your business has an appropriate data breach and incident response plan in place. Contact the people who would be responsible for implementing this plan at a moment’s notice such as IT personnel, legal counsel, PR team and any other administrative personnel who would be involved in repairing the damage and mitigating the risk, including publicity fallout that could result. “People are hard to reach right now; everyone’s scattered and as a business owner, you want to make sure if there is a hack, the people you will need to contact are on call and can be reached,” said Watnik. “Reach out to those people, go over your incident response plan, or come up with one if you don’t have one, and just make sure everyone is on the same page.”
- Remember, it only takes one. “Once a cybercriminal hacks into even ONE employee’s computer, from there, that cybercriminal, he or she, can infiltrate the business’ entire network,” Watnik said.