Companies must ensure cyber security, education for home workers: experts

Cybercrooks still using COVID-19 as a phishing lure


As more people work from home, companies’ digital protections, data and financial information may be increasingly at risk as people toil outside their employers’ digital cocoons.

“This crisis will test the cybersecurity posture of Canadian businesses, and for many, the lessons will be harsh and expensive,” Gowlings lawyer Brent Arnold said.

Derek Manky is chief of security insights and global threat alliance for Fortiguard Labs, a California-based company with a research and development centre in Burnaby.

He said cybercrooks would continue to leverage COVID-19 as they seek to take advantage of the crisis for their own gain. He said he’s seen hundreds of such scam attempts.

“The threat landscape is fluid,” he said. “It’s changing every day.”

And Ryan Kalember, senior vice-president of cybersecurity strategy for California-based global online security firm Proofpoint (NASDAQ:PFPT), doesn’t expect attacks from cybercrooks to let up any time soon.

“We’re into week six of COVID-19-themed phishing,” he said.

Kalember said such criminals – from nation-states to Nigerian scammers – have picked up on COVID-19 fears to lure people into clicking on things they shouldn’t.

“I don’t know how these people sleep at night,” he said.

Kalember said systems must be secure and users educated. Further, Kalember said, companies should ensure employees know how they will be communicated with. To that end, he suggested not sending attachments or links. Put things in the body of emails, he said.

“It is worthwhile to be very clear about how you are going to communicate with your employees,” he said. Further, Kalember stressed ensuring cloud accounts are not compromised.

And, said Manky, companies need to be clear from the top down in working to ease the threat landscape. Everyone needs to be doing his or her part, he said.

“Just one click will open a malware document and not just affect them, by a waterfall, the entire company,” he said. “Attackers can route through and get access to critical systems.”

A worthwhile program, Manky said, could be a cyberphishing exercise with staff so they know what to look for.

It’s all part of cyberhygiene, he said. “They need to really be aware of how vulnerable they can be.”

A silver lining to the cloud, Kalember said, is that companies are now finding improvements in their system security.

Arnold said the pandemic has forced many to work from home with little training, a situation that heightens cybersecurity risks for businesses of all sizes.

Arnold said remote work increases the likelihood that devices such as laptops and thumb drives will be lost or stolen, that people will use devices outside company firewalls, which are therefore less protected than office equipment, and that they will use unsecured connections such as Wi-Fi in public spaces.

“These factors increase the likelihood of loss of corporate data and of privacy breaches from the leaking of private information belonging to employees and customers,” he said.

Arnold stressed the need for educating workers on company policies governing device use and security. 

“If you don't have such policies, now is a good time to consider putting them in place,” Arnold said.

Heightened awareness is needed, Arnold said, because cybercriminals and recreational hackers are turning people's curiosity and anxiety against them with attacks targeted at users seeking COVID-19 information.

Canada has already seen such attacks with criminals sending emails purportedly from the Public Health Agency of Canada. 

“The proliferation of such attacks increases the likelihood that some will succeed. Remind employees of their information security training and the danger of clicking on unsolicited emails,” Arnold said. “If you haven't implemented mandatory regular information security training for employees, you should do so as soon as practicable.”

Kalember predicts attackers will move on from public agencies into vendors and supply chain companies.

So, what if there is a breach? 

Contact your cyber insurance company if you have one. And, contact your designated breach coach immediately, Arnold said.

“If you don't have cyber insurance, you should call your lawyers immediately and ask for a breach coach to coordinate your response and recovery efforts,” Arnold said. “Every hour and day counts in responding to a data breach.”