5 Cybersecurity Risks Exacerbated By the COVID-19 Pandemic

5 Cybersecurity Risks Exacerbated By the COVID-19 Pandemic

Blog courtesy of Reciprocity.

Just like every other crisis, the COVID-19 pandemic has rocked the boats of most businesses. The fact that it has discouraged physical interactions has forced enterprises to embrace work from home initiatives. Most companies have had to increase their reliance on collaborative technology to keep their business operations afloat.

Sadly, while businesses are busy adapting to the new normal, hackers and threat actors have been taking advantage of the security loophole introduced by working from home. Most of these loopholes have been around for a long time, but the pandemic aggravates the threats they pose. If your business fails to look for solutions to these threats, you stand to lose a lot.

Here are five cybersecurity threats that have been made worse by the pandemic:

1. Phishing Attacks

Contrary to the norm, employees now have to communicate heavily through phone calls, emails, and social platforms. As such, it is easier for cybercriminals to send out phishing scams. A hacker could easily send out emails to an unknowing employee in the façade of a trusted authority in your business. If your employee isn’t careful enough, they could click on the email and end up downloading malware.

In other cases, these attacks result in the employees offering threat actors private information about the company or even sending out unwarranted payments. Aside from these direct attacks, hackers have also been preying on the need to know for all things COVID-19-related.

There has been a spike in the number of fraudulent links being shared on social media that claim to provide COVID-19-related information. Something as simple as an employee clicking on these links could be detrimental to your data security. The best way to tackle this threat would be to hire security experts to educate employees on how to spot and avoid current and emerging phishing attacks.

2. Unsecured Devices

It is easier for a business to control its cybersecurity posture when employees are working in-house. Since most of the devices they use are provided by your company, implementing the necessary cybersecurity control measures is straightforward. Also, you could send out updates anytime with little friction.

In the case of BYOD (Bring Your Own Device) policies, most businesses have implemented practices that have ensured that employee’s devices have the latest security updates. Sadly, controlling all of this isn’t as easy when employees are working from home.

It can be tough to send updates to all devices employees could use when logging into corporate networks. Even worse, some employees may connect to corporate accounts through Wi-Fi networks that aren’t secure enough. As soon as a hacker identifies such threats, your business is in trouble.

Business leaders can keep this threat at bay by creating and implementing policies that outline the kind of devices employees should use to access corporate data. These policies can also contain security best practices and outline how to handle software updates. Another valid option would be to implement data masking techniques like encryption.

3. Shadow IT

Shadow IT has always been an issue even before the pandemic hit. Employees who are always looking for more effortless ways to do their job are known to use unsanctioned apps from time to time. Sure, not all apps pose security risks, but a data breach might need only having a single employee use a malware-infested application.

What’s even worse is that IT departments might not know that employees are using these unsanctioned apps. When employees were working in the office, it was easier to spot the use of unsanctioned apps.

However, with more employees working remotely, they have the freedom to design their work environment, and this includes the apps they can use. Sure, IT departments might offer a list of sanctioned apps, but most employees will use other alternatives if the sanctioned ones can’t make their work easier.

IT departments can tame this menace by containerizing their corporate data on employee’s devices and involving employees in picking the ideal organizational tools for their jobs. Besides giving you more control over what employees can do with corporate data, containerization un-complicates most security complexities that come with remote work.

4. Poor Physical Security

It is tough to predict who your employees interact and live with at home. In some cases, the threat actors could also be neighbors. In the office environment, it is pretty easy to achieve physical security. Employees can store sensitive documents under lock and key. Your office environment is a sanctuary for your business operations, with little to no intrusion from the outside world.

The situation can be reversed when working from home. Employees who aren’t aware of common cybersecurity threats could leave sensitive documents lying around anywhere. They could also forget to turn off their computer screens when interacting with friends and neighbors. As for the disposal of confidential documents, employees may lack shredders at home to make the data unrecognizable. All these factors make it easier for threat actors to gain access to your corporate data.

Corporate leaders can implement cloud storage solutions to limit the amount of data employees store physically. Training employees on the best practices for physical security will also ensure that corporate data is safe, even while working remotely.

5. Insider Threats

Insider threats occur when employees expose sensitive corporate data either intentionally or unintentionally. With the stress levels brought about by COVID-19 and its effects on most employees’ finances, most people could be looking for additional income sources. Employees who have had to take a pay cut or were laid off might be disgruntled to the point of selling your data.

In other cases, the lack of a nearby IT department to approach security concerns also increases the chances that employees will make costly mistakes. While IT departments might be reached through a phone call, there are instances where the responsible people might be out of reach. Having employees sign, NDAs could help mitigate common insider threats from disgruntled staff members. As for common security errors employees can commit, solving them can be as easy as educating employees and ramping up your IT team’s availability.

Businesses that want to survive through the pandemic will need to find ways to deal with the threats above. One great way to start is by educating employees on cybersecurity best practices. Business leaders will also need to continually monitor their businesses to identify security loopholes that pose the most significant threats.

4 Cyber Security Horror Stories (That Are Totally Real)

4 Cyber Security Horror Stories (That Are Totally Real)

It’s that time of year again when people want to be scared by stories of ghosts, ghouls and monsters! These stories can give us chills, but what about the real horrors that wait for us out there on the internet?

Like ghosts from horror movies, hackers and cyber criminals are out there constantly seeking a way to enter our (digital) world. They want to access your Facebook, your Instagram, your Paypal, your Amazon, your banking websites: everything. They might even use your information to try and hack your friends and family.

Scared yet?

Check out these 4 cyber security horror stories, below

Invasion of the Facebook Account Snatchers!

The Horror Story

You wake up on a weekday morning and see an email notification on your phone. It lets you know that your Facebook email has been changed to an old Hotmail address you haven’t used in years. The next email in your inbox informs you that your Facebook password has been changed.

You sit bolt upright in bed. This can’t be right! You try to log into Facebook, but your old password won’t work.

Okay, don’t panic. This can be fixed. You find that one of the notification emails has a link to secure the account if this change was unauthorized. Relieved, you click it, ready to get your account back. But the whole page is in Turkish, incomprehensible. You can’t make heads or tails of it, or find a way back into your account.

Pulling up your account by URL you find somebody else’s face on your profile, and somebody else’s name. Your account has been invaded, and somebody else has taken your place. They have access to all your messages, your friends, your photos and personal information about you stored in your account. Even other websites and apps that you use Facebook to access.

Somebody has stolen your digital life from you!

The Reality

This really happened to Jeff Bercovici, Inc.’s San Francisco bureau chief.

So how did the hacker get access to his Facebook profile? Through an old Hotmail address that Jeff hadn’t used in years. Hotmail will release old addresses to be re-registered if they haven’t been in use for two or more years.

This old email account was still connected to Jeff’s Facebook profile, and the hacker was able to use it to get in. He then changed the password and the primary email and took total control of the account. If Jeff wasn’t a tech journalist with connections at Facebook, it might have taken him a lot longer to get his account back.

What can you do to prevent this?

You should check your security settings on your Facebook account.

  • Check for any connected email addresses and remove old ones.
  • Make sure you have two-factor authentication enabled.
  • Lock down privacy settings to prevent people from using your Facebook account to gather information about you.

The Silence of the Phones

The Horror Story

You’ve had a great weekend up in the mountains, enjoying the clean air and beautiful weather. You phone hasn’t rung once, and you honestly haven’t missed it.

You pull into the driveway, and suddenly your phone blows up with messages, emails and notifications. It seems your bank card’s PIN has been changed and multiple withdrawals have been taken out of your accounts.

How was this possible? You set up two-factor authentication for all of these services, nobody should be able to access them without a code sent only to your phone.

You immediately call your bank, only to find that you have no cell service. You only got these messages because your home wifi connected. You can’t make or receive calls at all! Somebody has stolen your phone number. And with it, your bank information, your social media accounts, your email.

You see messages pop up from some of your friends, wondering why you’ve been asking for so much money…

The Reality

This is exactly what happened to Christine, who writes the Her Money Moves blog. She suspected that hackers somehow got to her money through her use of a mobile banking app, despite the fact that she never saved her password in the app.

It’s impossible to know how exactly they got access to her banking information, but they certainly took control of her phone number.

This kind of theft is becoming more and more common. With a few basic pieces of information, like the last four digits of your Social Security Number (perhaps from a website breach), somebody can impersonate you when calling your cell service provider. They might even go so far as to walk into a cell phone store and impersonate you, complete with a fake driver’s license.

Once they have your number attached to their phone, all of your two-factor authentication becomes meaningless.

What can you do to prevent this?

It might seem like there’s nothing you can do here, but there are a few important preventative measures you can take.

  • Call your cell phone company and set up a “verbal password” or PIN.
  • Make sure that this password is required for all account changes.
  • Make sure that web access to your account is highly secured and also uses two-factor authentication.
  • Once this is completed, try to hack yourself. Call you cell company from a friend’s phone and see if they’ll let you make changes without the pin.

210 Days Later

The Horror Story

You wake up one morning and find yourself locked out of your Instagram. Checking your feed, you can see that somebody has been deleting your photos, uploading other ones.

Somebody has stolen your Instagram account. You don’t want to care, but it’s an important part of your professional life. You had a verified account, surely it can’t be that hard to get it back.

But the company is run by ghosts. Nobody responds to your support requests. You try their website, but the “help center” is useless. Every article leads back to an article you’ve seen before, a form you’ve already tried. You wander this maze of “help” pages endlessly, submitting forms and getting no response.

And through all of this, nobody will talk to you. Not one single human has reached out to you about your issue. Days turn into weeks, and you try everything again. Weeks stretch into months. Still no response. You try every help form again, and again, and again.

Finally you realize that you are alone. Nobody is ever going to help you get your account back. The only replies you can expect are from robots: cold, uncaring, and unable to help you.

The Reality

Rachel Tsoumbakos detailed the arduous process of trying to get her account back in this blog. She submitted form after form, tried every support address she could locate, and nobody would help her.

Her blog chronicles months on end of trying to get her account back, as well as the process that finally helped her get access. Eventually, in the depths of the “lack of help” center as she calls it, she found this link: https://help.instagram.com/368191326593075 (but you may need to access it from your phone, not a PC).

She was contacted by what seemed to be a person but was probably just a bot, asking for a picture of her holding a hand written sign including a code they’d sent her. It took a few tries, and she found that writing in thick black marker was what did the trick.

After 7 months of waiting, she was finally granted access to her account again.

What can you do to prevent this?

First, do everything you can do lock your account down. The best way to deal with this is to prevent yourself from getting hacked in the first place. See our instructions for Facebook above, which include:

  • Check for any connected email addresses and remove old ones.
  • Make sure you have two-factor authentication enabled.
  • Lock down privacy settings to prevent people from using your Instagram account to gather information about you.

If you’ve already been hacked, here are a few Instagram resources:

The Purge

The Horror Story

After countless hours spent grinding enemies, you have amassed a Runescape collection rivaled by none. Some would say it’s just a game, but for you this is your life. After two years devoted to the game you’ve earned friends, fame and lots of money!

So when you see an ad for an app that will finally let you play Runescape on your phone, you can’t believe how lucky you are! This is just what you’ve been looking for. You click through, and are directed to what you think is the legitimate Runescape website to fill in some information.

They ask for your username and password, so you enter those first. You’re so excited that you don’t even bother to make sure you connection to the site is secure. When the next screen asks for your in-game bank PIN, you find it a little odd, but you can’t wait to get going so you enter it anyway. You authenticate your account, ready to be able to play your favorite game any time.

The next morning, the reality of your mistake becomes clear. You log in to find your bank account and character have been completely cleaned out. All 19 million dust runes, 4.2 million Marrentill herbs, 347,000 cballs, over 7,000 bandos pages, 106,000 potato seeds, 20,000 dwarf seeds… everything is gone. And all because you fell for their scam.

The Reality

You might think that after such a blow, quitting the game would be the only sensible answer. Instead, this experience helped reddit user zedin27 to enjoy the game all over again. Kudos to zedin27 for being an indefatigable optimist!

So how did it happen? This was a fairly complex phishing attack, using an ad as the entry point instead of an email or Facebook message. If zedin27 had been careful to check the page’s URL and make sure the site was secure, he would have noticed something amiss. As we covered in our blog on 7 Cyber Security Tips for Anyone Who Uses the Internet, pages designed to mimic real websites are easy to spot if you’re on the lookout.

What can you do to prevent this?

Phishing attacks are everywhere. Here are a few ways to protect yourself.

  • Be suspicious of links and attachments. Make sure the sender or website is who you really think it is.
  • When filling in forms, check for HTTPS in your browser. Usually you should see a lock icon if the site is secure. This is especially important for any financial sites or transactions.
  • Check the URL to make sure it’s really the site you think it is.
  • If something seems “phishy,” don’t follow any links provided. Open a new browser page and go directly to the site in question. This will prevent you from going to a faked version of a site you use often.

Cyber Security Doesn’t Have to be Spooky!

Are you interested in cyber criminals, what they do, and how they can be stopped?

A career in cyber security could be perfect for you! LeaderQuest offers accelerated training designed to help people with zero experience gain the skills and certifications they need to get hired in IT. Advanced cyber security positions will require more experience and training, but now is the perfect time to start.

If you’re interested in IT, click on the link below. We’ll contact you and walk you through a career assessment to see if IT is right for you!