Vincent Voci Vincent Voci
Vice President, Cyber Policy and Operations, U.S. Chamber of Commerce
Abel Torres Abel Torres
Executive Director, Center for Global Regulatory Cooperation, U.S. Chamber of Commerce

Published

April 23, 2020

Share

As the world adapts to new ways of working due to the spread of the coronavirus, cyber criminals are proving themselves as adaptive as ever at finding innovative ways to exploit new cybersecurity vulnerabilities. These criminals are also using the threat of the virus itself to exploit our emotions and scam often well-meaning victims.

It is paramount that businesses and governments look for ways to better understand the risks to their organizations and to their countries and learn how to mitigate or eliminate those risks.

Guarding against coronavirus phishing attacks

A majority (71%) of cybersecurity professionals have reported an increase in security threats since the start of the virus outbreak. Over half of these experts cited phishing attacks—fake emails sent from supposedly reputable companies in order to induce individuals to reveal personal information—as the top threat. These experts said malicious websites (32%), malware (28%) and ransomware (19%) were other top threats.

In fact, in a recent Federal Bureau of Investigation (FBI) Public Service Announcement, the agency reported that cyber actors have engaged in phishing campaigns against first responders, deployed ransomware at medical facilities, and created fake COVID-19 websites that quietly download malware to victim devices.

This underscores the importance for organizations and employees to use cybersecurity best practices, such as these recommendations on improving telework security from the National Institute of Standards and Technology (NIST):

  • Find out if your organization has rules or policies for telework, and if so, make sure you read them and comply with them. Organizations offer differing guidance on bringing your own device (BYOD), so be sure you comply with your organizations policy.
  • Protect your computer communications from eavesdropping. Configure your home Wi-Fi router for strong security and ensure it is protected with a hard to guess password.
  • If your organization has a virtual private network client, use it on your telework device.
  • If you are using your own device, enable basic security features (e.g., antivirus, multifactor authentication)
  • Keep your computers and mobile devices patched and updated.
  • If you are seeing unusual or suspicious activity, contact your organizations helpdesk or security operations center.
  • And last but not least, do not click on any links or open any attachments that you are not expecting or are sent from unknown senders. In these moments it is best to be cautious and verify.

As we know, cybersecurity threats are not solely a domestic issue. They span across all countries and impact all sectors. We can, and should, learn from all resources available on how to better prevent attacks and protect ourselves. Recently, the United Kingdom and the United States Security Agencies released a joint advisory providing information on exploitation by cyber criminals and advanced persistent threat groups of the current coronavirus disease. Additionally, the Australian government has a website that gives information on how to prevent phishing attacks. According to the site, the key elements in emails which should set off alarm bells are:

  • Requests for money, especially if urgent or related to overdue bank account changes.
  • Attachments.
  • Requests to check or confirm login details or credentials.

Ways to conduct safer meetings

Cybercriminals also understand that the physical IT infrastructure for many companies has shifted tremendously over the last couple of months as many companies shifted to remote telework. In a recent poll, cybersecurity experts said that the new top pressures they are under are providing secure remote access for employees (56%) and scalable remote access solutions (55%).

More secure online meetings are a top concern for remote workers, and NIST recently released a tip sheet for improving the security of conference calls. Those recommendations include:

  • Always using your organization’s approved web conference platform.
  • Using a roll call to identify new participants as they join in.
  • Being “conscious” of reusing access codes (i.e., periodically changing meeting access codes).
  • Not recording the meeting unless necessary.

The bottom line is that as the way we work has quickly evolved, so have cybercriminals tactics for exploiting these new ways of collaborating. It also means we should be especially wary of emails or websites which play on our emotions or ask us to send money immediately to help the fight against coronavirus. This means it’s especially important to rely more closely on existing cybersecurity standards like the NIST Framework. At times like these it pays to stick to the basics.

About the authors

Vincent Voci

Vincent Voci

Vice President for Cyber Policy and Operations in the Cyber, Intelligence, and Supply Chain Security Division at the U.S. Chamber of Commerce

Read more

Abel Torres

Abel Torres

Abel Torres serves as Executive Director in the Center for Global Regulatory Cooperation (GRC) at the U.S. Chamber of Commerce.

Read more