From cancelling important events to converting our dining room tables into offices, the COVID-19 pandemic disrupted nearly every aspect of our lives. Unsurprisingly, cybercriminals took advantage of our collectively distracted attention spans and less-than-stellar security practices. The result? An uptick in cyberattacks, with phishing the most common form in 2020.
In the early days of the pandemic, organizational leaders and IT professionals worked quickly to ensure employees had the technology to work remotely. As a result, many relied more heavily on cloud-based email and file-sharing platforms, like the one you’re probably using right now.
Organizations began transitioning to cloud-based systems about 10 years ago, but the pandemic accelerated the transformation. Though they’ve proven to be a quick, convenient way for teams to connect and share documents, these systems offer minimal cybersecurity protection, and certainly not enough to defend against today’s caliber of threats.
Cybercriminals know this, and wasted no time preying on individuals and organizations in these newly vulnerable positions.
Threats are evolving in quality and quantity
To protect your organization’s information, you may have installed a legacy secure email gateway (SEG). Though once the gold standard for server protection, SEGs aren’t built to handle the volume and types of incoming threats like business email compromise (BEC), internal and vendor impersonations, supply chain attacks, account takeover (ATO) and other financial frauds hyper-targeted against organizations.
During the height of the pandemic, cybercriminals realized that working in a home-based environment can invite distractions, which means employees may not be paying close attention to suspicious communications. They may be more tempted to use work tools for personal reasons and to adopt generally casual, laissez-faire behavior, putting their employers at greater risk. This is especially risky when those same employees are trying to work out whether COVID-related emails are legitimate or not.
Cybercriminals prey on our vulnerability
The last few months have seen an increase in illegitimate COVID-related emails, texts, and ads. Before that, according to CNET, the number of website domains mentioning vaccines grew significantly at the end of 2020. It’s a classic tactic: cybercriminals set up a legitimate-looking destination and use their communications to lure victims to it. But once the target arrives, instead of finding useful information, the user unknowingly picks up malware.
Do not respond to, or open hyperlinks in, text messages about COVID-19 from unknown individuals.
Be cautious of COVID-19 survey scams. Do not give your personal, medical, or financial information to anyone claiming to offer money or gifts in exchange for your participation in a COVID-19 vaccine survey.
Do not give your personal or financial information to anyone claiming to offer HHS grants related to COVID-19.
Be aware of scammers pretending to be COVID-19 contact tracers. Legitimate contact tracers will never ask for your Medicare number, financial information, or attempt to set up a COVID-19 test for you and collect payment information for the test.
These tips are true for emails and texts that aren’t COVID related, too.
Proactivity is essential
The highly contagious delta variant of COVID-19 will likely give cybercriminals another avenue to target their victims. We saw pandemic uncertainty lead to more careless decisions regarding emails from suspicious senders, and we know the unfortunate consequences of this. Get ahead of new threats and ensure your employees are taking proactive measures to protect your organization’s valuable information by having them:
Back up all important files, and store them independently from your system
Verify they are on a company’s legitimate website before entering login details or sensitive information — every time
Diligently review the validity of an email and its sender before opening any links or responding — every time
Develop a healthy skepticism for any email or text message that comes from a source outside of your organization
Enforce a culture of security
As an organization, you must take additional security measures to protect your data and your employees. Though legacy SEGs aren’t strong enough on their own, there are other forms of back-up to defend against cyberattacks, including:
Keeping the latest anti-virus software installed on computers and mobile devices
Strengthening home networks
Securing system admin vulnerabilities that attackers could abuse
Disabling third-party or outdated components that could be used as entry points
Downloading mobile applications or any other software from only trusted platforms
Performing regular health scans on your computers and mobile devices
As a leader in your organization, it’s your responsibility to model safe cybersecurity behaviors, and continuously support and encourage your colleagues to do the same. Build it into your organizational culture. Whether we enter another round of lockdowns or have the pandemic completely behind us soon, the cybersecurity of your organization and employees remains vulnerable and should be among your top concerns.