The cyber-threats faced by businesses in 2020 have not varied a significant amount in 2020, despite the major changes to working practices brought about by COVID-19, according to Graham Cluley, cybersecurity blogger and researcher, speaking during a keynote session at the virtual (ISC)2 Security Congress.
“Most of the attacks we’re seeing during 2020 are variations on a theme that we’ve seen many times, such as phishing attacks, ransomware and business email compromise (BEC),” he explained. “They haven’t disappeared into thin air during the COVID-19 pandemic; they’ve multiplied and continued to target unprepared users and ill-prepared organizations.”
However, companies are much more vulnerable to these common tactics now, with employees operating at home where they are often heavily distracted and without easy access to IT support. Cluley noted: “We’re still being expected to determine if a link can be trusted or not and we’re sometimes making big mistakes as a result.”
He added that these attempts to trick users into clicking malicious links are becoming increasingly sophisticated, easily mistaken for something legitimate, such as appearing to be Google docs.
Another big issue is that there is now no longer a single building that can be fortified to protect companies, with their infrastructure spread out across multiple homes and networks. This means an individual falling prey to a phishing scam at home can lead to major consequences for organizations. Cluley outlined: “It’s presence may not be noticed for weeks, and stealing information and credentials, learning about your business.” Therefore, protecting against unauthorized access, such as through using more multi-factorial authentication (MFA), critical in this new environment.
Organizations also need to consider the threats posed by additional physical access into people’s homes and therefore their work environments. This can include cleaners or tradesmen. “Sometimes these people can be on a low wage and might be looking for additional ways to boost their income,” he said.
The stakes of ransomware attacks have been ramped-up over recent times, according to Cluley, and he outlined the phenomenon whereby some news organizations are willing to pay for stolen information and publicize anything “juicy” uncovered. He stated: “The exfiltration of data, from a ransomware-attacked company, can be monetized by the hacker, either by offering to sell it on the dark market to other hackers, or they can simply use it as leverage and say ‘we are going to embarrass you as a company and reveal your secrets.’”
In addition, BEC remains a huge danger, with businesses being “attacked more than ever” via this method. Cluley explained that this generally occurs following extensive research into organizations by cyber-criminals, who then pose as genuine suppliers to trick finance departments into wiring them money. He cited FBI figures which estimate businesses globally have lost $12bn from these types of scam, which don’t require any programming knowledge.
He highlighted a recent case in which $90m was successfully scammed after the French government defense minister was impersonated using a silicon mask on a web cam requesting a loan from people to pay a ransom. The use of video to conduct scams could prove to be especially effective during the COVID-19 pandemic. “The chances are people are more trusting of a conversation they are having over a Zoom call than they would over email,” observed Cluley.
Despite the growing threat phishing, ransomware and BEC attacks pose to home workers, Cluley believes there are reasons for positivity. “It hasn’t actually resulted in a surge in breaches,” said Cluley, noting that “an increase in attacks does not necessarily mean an increase in breaches.”