COVID-Related Digital Attacks on the Rise Prompting Organizations to Revisit Internal Security Training

Malware and viruses have once again proven to be quite accurate digital analogues of their organic counterparts when it comes to their ability to endure, mutate, and proliferate. While the COVID-19 pandemic continues to unfold, causing sudden infection spikes across different countries worldwide, so do COVID-19-related malware and cybersecurity attacks. Their primary objectives include taking advantage of the ensuing disorganization to spread panic, deceiving end users and infiltrating their victims’ systems, manipulating organizations, and causing chaos and millions of dollars’ worth of damage (also in the form of ransomware) during a time of global uncertainty.

Both the International Criminal Police Organization (INTERPOL) and the World Health Organization (WHO) have issued informative and educational statements regarding COVID-19-related cyberattacks since the pandemic began and to aid organizations’ first line of defense: their employees. By the end of April 2020, the WHO had already reported a fivefold increase in cyberattacks related to COVID-19 and INTERPOL issued a statement regarding the ever-changing cyberthreat landscape, urging increased care and digital vigilance.

According to digital security statistics offered by the two leading organizations, the most common forms of cyber threat related to the pandemic are malicious domains (usually positing as helpful sites aiming to help users gather information regarding virus statistics), phishing and social engineering campaigns, infected links disguised as helpful tips, and fraudulent applications supposedly aimed to assist in tracking down the spread of the virus but that instead spawn various malware and ransomware lockdowns. According to the more recent data made available by INTERPOL in August 2020, phishing/online scams/frauds equate to 59% of the total COVID-19 cyber-threat horizon, while private sector attacks increased many fold (in the ranks of upward of 500%) for certain organizations.

Recently, organizations and journalists contacted ABI Research about this matter, posing questions regarding how organizations should protect their employees and increase their perimeter defenses, whether cybersecurity training should be mandatory and what cybersecurity employee training should target, where organizations should focus their sights, which assets to protect first, and other similar inquiries. ABI Research posits that organizations should a) pinpoint their high value assets and then b) outline their weak points based on the end market or primary applications their employees are involved in. Not all organizations or Internet of Things (IoT) markets or verticals have the same connectivity, access management, privilege management, device management, or cybersecurity requirements in general.

Surely, this pandemic has forced many companies to come face to face with the grim reality of their cybersecurity posture, but the principles remain the same as they were prior to the outbreak and will remain the same in its aftermath: security services need to be tailored based on what companies need to protect, and companies need to be taught how to protect their weakest links and lower their overall threat surface. For COVID-19-related cyberthreat scenarios specifically, organizations that depend highly upon the human factor need to invest more in:

• Employee authentication—e.g., through Multi-Factor Authentication (MFA), biometrics, etc.
• Privilege access management—i.e., separating what is necessary to access and what should be withheld. For example, a sales employee should not have access to (more or less) the same resources as a tech person
• Perimeter defense, endpoint software protection, and Information Tecnology (IT) device visibility management options
• Training regarding phishing and social engineering attacks
• Lastly, as an extension of all the above, improving employee mobility and remote authentication (especially in the post-COVID-19 era)

These steps are essential to protecting both an organization and its employees and, by extension, its clients and operations.

Cybersecurity training vendors can even employ the use of penetration testers or white hat hackers to make sure their customers’ systems do what they are designed to do and their employees behave the way they are supposed to behave. In most cases, this can be summed up as “be vigilant of all external comms and oftentimes times internal ones if they seem suspicious.” That is basically the clear-cut motto. Some security testing revolving around COVID-19-themed information (whether it is true or not) should be on the schedule at random times to test the organization’s internal security strategy. Different security protocols will follow based on type of interaction (e.g., phone, email, etc.), type of social engineering attack (e.g., attempt to steal information, learn employees’ schedules, email prompting employees to access an online resource or attachment, etc.), and even knowledge of the organization or employees—usually a higher-ranking member like a CEO or Information Technology (IT) manager—forcing the employee to comply immediately and without giving it a second thought.

Cyber-attacks have increased in sophistication and quantity during the COVID-19 pandemic, but they still prey on a basic modern need for information and the human element will oftentimes be the first and last line of defense in most cases. Automated security software can monitor both incoming and outgoing traffic through Machine Learning (ML)-empowered security software and can stop certain attackers in their tracks, making it an essential weapon in the IT security arsenal. However, note that humans can oftentimes allow attackers to bypass certain security software altogether and gain network or privileged access if a social engineering attack is executed correctly.

However, constantly testing employees should not be done to a point where it slows down operations by forcing them to constantly scan for cyberthreats in each and every interaction, causing alert fatigue and only exacerbating an already stressful situation. Instead, it should be organic to their line of work and to a point where the employees are knowledgeable and capable of handling most interactions and incoming attacks. While the human factor can be responsible for many cyber-breaches, employees (oftentimes not due to any fault of their own) are overburdened by the new cyber-threat horizon and should not be seen as a threat themselves. Rather, cybersecurity tools training should help empower employees instead of blaming them.