As concerns regarding the COVID-19 pandemic grow, computer hackers are taking advantage of the situation to launch cyberattacks, spreading insidious viruses of a different sort.
To share insights on what companies should be aware of while operating in these uncertain times, we asked three of our top cybersecurity experts: Prashant Pai, vice president of cyber solutions for Verisk; Eric Schneider, Verisk’s chief technology officer; and Scott Stransky, vice president of AIR Cyber at AIR Worldwide, a Verisk business.
"Because of (remote work), if a personal computer gets attacked, it actually could lead to some business interruption for a company"
What are some of the different attacks you’re seeing since the outbreak began?
Scott: The bad actors are really taking this COVID-19 virus as an opportunity to social engineer and get into businesses. Many of the things we’ve seen are typical social engineering attempts just under the guise of COVID-19. For example, you’ll get an e-mail that says, “Here’s the latest information about our business continuity plan,” or “Here’s the latest information from the CDC or the World Health Organization.” Because of how panicked and rushed everyone is in the current unsettling environment, people are clicking on those e-mails more and more, perhaps more than they would in a normal time. But of course it’s not a real e-mail from the CDC or their management; instead, it’s a virus. These types of attempts aren’t unusual, but because of the COVID-19 outbreak, people are far more concerned about other things and have let their guard down when it comes to cyberattacks.
Prashant: A huge percentage of personal laptops, printers, and other devices on home networks have malware. The flight to “work from home” is opening up many doors and windows for the bad actors to gain access to corporate networks and sensitive data. My concern is that we’re potentially going to have a wave of cyber incidents coming in the wake of the coronavirus pandemic. As Scott mentioned, in addition to clicking on phishing e-mails, people can just as easily click on websites that offer “information” on the coronavirus pandemic. We should all be extra vigilant because all of us are on the front lines of protecting our company and our customers from these cyberattacks.
Are hackers mainly individuals, or is there such a thing as “organized cybercrime”?
Scott: Hackers come in many forms. Sure, there are individuals sitting in their basements who hack for the glory and pride. We also know that some nations are involved in state-sponsored hacking. And yes, organized cybercrime groups are quite prevalent too.
Prashant: Absolutely, there’s organized cybercrime. Social engineering and technical hacking go completely hand in hand when it comes to cybercrime. Many petty criminals and gangs that used to deal in drugs, kidnappings, et cetera, have realized that they can take their talents to the cyber world and earn far more money with much less risk of being apprehended and charged. It’s quickly becoming the hottest crime industry.
Is there a greater danger of cyberattacks with more people working from home now than in an office setting?
Scott: Because more people are working from home, there are more types of aggregation risks. For example, employees are using Skype, Zoom, Teams, and GoToMeeting more so now to connect and collaborate than they would have if they were in the office. All these different points of aggregation, which in general are important for a business, have now become extremely critical. So, should one of these meeting software programs have a hack or downtime, that could cause more business interruption than normal because so many employees are working from home.
Eric: Absolutely, as Scott stated, many different programs are being used because organizations are quickly trying to adapt to full-time work-from-home programs. Unfortunately, in that haste, sometimes bad things can happen. Individuals should not install any programs without checking with their IT teams first.
Who are these cyberattackers targeting more, commercial businesses or private individuals?
Scott: It’s a bit of both, which is not unlike usual. We see them targeting businesses to get ransom payments and try to exfiltrate data, and we’re seeing them target individuals, mainly for the purposes of ransom. The one thing that may be a bit different now is that a lot of people are using their personal computers to access work from home due to the COVID virus. Because of that, if a personal computer gets attacked, it actually could lead to some business interruption for a company because the employee may not be able to connect to the corporate network.
How do ransomware and other malicious software work (for example, WannaCry), and what would be the best defense?
Eric: In a ransomware attack, criminals encrypt the contents of your computer. To recover the contents, you must pay a ransom—usually around $300 to $500, payable in an online currency like Bitcoin. Most ransomware attackers have good customer support and will help get your data back if you do pay. The ransom is insurable, and many cyber policies tend to include coverage with respect to it. With WannaCry, very few companies ended up paying the ransom, though many of them suffered business interruption while their systems were down. WannaCry only encrypted computers that were not up to date with Windows updates. In addition, those companies that had current offline backups of their files could restore their systems without paying a ransom.
Prashant: We find that some of the best defenses are sometimes the most basic: software patching and upgrades, for example. The largest software manufacturers have gotten much better at releasing new patches as soon as they’re aware of existing vulnerabilities. Ransomware such as WannaCry and Petya/NotPetya spreads from one computer to the next when it finds another machine on the network with a vulnerability left unpatched. Another piece of sound advice would be running virus scans and not connecting to any open public WiFi networks. Cyber pandemics have many analogies to several human health emergencies. We can’t stress basic health and hygiene habits enough.
Is there a typical method of attack (for example, phishing) that businesses can prepare for?
Eric: Social engineering is one of the most common and often successful attacks. Businesses can implement programs that teach employees what to look for to avoid falling victim to those hacks, and we have such a program at Verisk. The other all-too-common, but often easily avoidable, exposure comes from failure to keep computer systems up to date with known security vulnerabilities. So, establishing and maintaining a program in this regard is key. Everyone should be operating under a simple principle: If you’re at all unsure of the source of an e-mail or phone call, then don’t click on anything in the e-mail and hang up the phone.
Prashant: Businesses should prepare for data and privacy breaches, ransomware, and denial-of-service (DoS) attacks. Phishing—especially spear phishing (that is, targeted phishing)—through e-mail attachments is one of the most common methods by which intruders get in. It’s essential to regularly train your staff so that they know better than to automatically click on links and open attachments in e-mails. A trained and aware staff is one of the best cyber defenses an organization can erect.
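One way a mail gateway or help desk could triage the COVID-19 lures described above, as an added example that is not Verisk's or the interviewees' code: it flags messages whose display name claims to be the CDC, the WHO, or an internal department while the sender's domain does not match. `cdc.gov` and `who.int` are the real public domains, `example-corp.com` stands in for the company's own domain, and the sample messages are constructed.

```python
import re
from email.utils import parseaddr

# Identity claimed in the From display name -> domains allowed to use it.
# 'example-corp.com' is an assumed placeholder for the company's own domain.
CLAIMED_DOMAINS = {
    "cdc": {"cdc.gov"},
    "world health organization": {"who.int"},
    "it department": {"example-corp.com"},
    "human resources": {"example-corp.com"},
}
LURE_TERMS = ("covid", "coronavirus", "business continuity", "urgent", "immediately")
RISKY_EXT = (".exe", ".js", ".docm", ".zip", ".hta")

def triage(from_header, subject, body, attachments=()):
    """Return a verdict and the reasons behind it for one message."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    reasons = []
    lname = name.lower()
    for claim, allowed in CLAIMED_DOMAINS.items():
        # Display name asserts an identity the sender domain does not back up.
        if re.search(rf"\b{re.escape(claim)}\b", lname) and domain not in allowed:
            reasons.append(f"display name claims '{claim}' but sender domain is '{domain}'")
    text = f"{subject} {body}".lower()
    hits = [t for t in LURE_TERMS if t in text]
    if hits:
        reasons.append("lure wording: " + ", ".join(hits))
    risky = [a for a in attachments if a.lower().endswith(RISKY_EXT)]
    if risky:
        reasons.append("risky attachment: " + ", ".join(risky))
    # Impersonation alone is enough to quarantine; lure words or an attachment
    # alone only warrant review when both are present.
    impersonation = any(r.startswith("display name") for r in reasons)
    verdict = "quarantine" if impersonation else ("review" if len(reasons) >= 2 else "deliver")
    return {"verdict": verdict, "reasons": reasons}

# Constructed sample messages: a CDC look-alike, a genuine CDC domain, and a benign mail.
SAMPLES = [
    ("CDC Health Alert <alerts@cdc-update-info.com>", "COVID-19: urgent update",
     "See the attached guidance.", ("Guidance.docm",)),
    ("CDC <covid19@cdc.gov>", "COVID-19 weekly summary", "Routine bulletin.", ()),
    ("Jane Doe <jane@example-corp.com>", "Lunch", "Noon?", ()),
]

def triage_samples():
    return [triage(*s)["verdict"] for s in SAMPLES]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s[0], "->", triage(*s))
```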
Given the growing numbers of global hacks, how can businesses better prepare for cyber threats?
Eric: Awareness, training, and simulation are the three key elements here. Creating awareness of the risks inherent in one’s business practices is the foundation that will very often drive the appropriate investment in people, process, and tools that make up a quality cybersecurity program. Training employees, both business and technology, regarding the risk and regulatory landscapes they operate in is also fundamental to having the proper technology platform and process in place to protect and respond in the event of an incident. Finally, practice is key in my opinion. Like everything else, the more you practice, the better prepared you’ll likely become. There are many ways to simulate threats and attacks—drills facilitated by third parties that simulate an attack and all facets of responding to an attack—that are very authentic and often instrumental in improving a cybersecurity program.
Prashant: This really starts with evolving the security culture of the business. Every employee has to be made aware that they’re part of the security apparatus. Cyber incidents occur involving people, process, and/or technology. The human element is extremely important. In addition, the security culture needs to evolve from prevention to management. Security incidents are going to happen; businesses that prepare and plan their response and recovery will likely emerge better and stronger than others.
So, how effective is cybersecurity software?
Eric: Software can be highly effective when properly implemented and maintained, but it’s only part of the solution. I think employee training is one of the most critical measures a business can take to prepare for cyberattacks. If employees are vigilant and always have some degree of suspicion when they receive an unexpected e-mail, many attacks could be prevented.
Prashant: Yes, I agree. Cybersecurity software is important, although people tend to be the weakest link in an organization. A company can have the best software, but a single employee can expose the business to phishing by simply clicking a link in an e-mail.
What should new remote workers do to keep us cyber safe?
Prashant: I would share a few of my own best practices. First, only use your work laptop for work and stay on the office VPN. Second, if you’re using a personal machine, then create a work profile or account. Stay on the office VPN through that and log off that profile once you’re done with work. Third, keep antivirus and firewall on and updated on the machine you’re using. Fourth, don’t directly connect that machine to any printers, USB drives, et cetera. Fifth, be extra vigilant about suspicious e-mails and websites, especially from social media. And sixth, stay educated from trusted information sources. Sometimes we feel compelled to “chase” a story by clicking on link after link. Let’s avoid that. It’s good for our digital safety but also our mental safety.
Eric: I’d suggest ensuring that all computers being used for work purposes have disk encryption enabled and that people use strong passwords on their personal machines. Many people share home computers, so create separate accounts for family members to ensure that business information is accessible only by the employee and restrict the ability of other family member accounts to install any software.