COVID, ICU rates, ventilators, job loss, vaccines, death, supply chain, mental health, unemployment.
Since early 2020, we have been subjected to constant barrage of stressful and fear-laden stimuli. Unfortunately, cybercriminals have seen this as an incredible moment to strike. Not only were the opportunities boundless with a slew of individuals shifting to work from home — often immediately weakening cybersecurity structures — but the criminals are taking advantage of our overall more exhausted, weakened state many find themselves in these days.
After almost two years of that constant bombardment of stress and uncertainty, many people have gone into survival mode. This has caused many to accept situations or standards that they normally would not accept under a healthier, happier mental state.
As we know, things will eventually cycle back and our more clear-headed selves will be back running the show. As such, we should do our future selves a favor and start taking control of some of the elements that may have been slacking or that we can improve in the face of these opportunistic bad actors. Here are some of the cybersecurity weakness and attack trends we have seen in healthcare as well as across the business spectrum. We recommend you reflect internally on where you may have had similar shortcomings and then create a plan with your leadership and IT teams to overcome any weak points.
Healthcare Under Attack
The world’s increased focus on healthcare hasn’t escaped the attention of cybercriminals. With the colossal burden that has weighed this sector down, hackers saw an opportunity to attack hospitals, agencies and even individual doctors. This is bad enough in any computer user, but when subject to HIPAA regulations, the risk is even greater.
In March 2020, the U.S. Department of Health and Human Services reported its servers had suffered a massive denial-of-service attack. Almost at the same time, one of the biggest COVID-19 blood-testing centers in the Czech Republic also had its databases attacked. Doctors were stopped from processing vital COVID-19 tests and were even forced to cancel surgical operations.
There are plenty of examples of cybercriminals targeting a wide range of organizations fighting the coronavirus pandemic. The infamous Lazarus Group of hackers tried to attack a company that was working on a COVID-19 vaccine. A few weeks later, they also attacked a health ministry.
In the United Kingdom, plenty of scammers tried to trick doctors and nurses out of their online credentials by providing a fake registration for a COVID-19 seminar. And unfortunately, some healthcare employees were also to blame for cybersecurity issues. An ex-executive in Stradis Healthcare, an American company, disrupted the vital supply of medical equipment in a bid for revenge for being dismissed.
Phishing in the Age of COVID-19
While governments across the globe have been busy dealing with the pandemic and trying to support citizens and businesses, nefarious cybercriminals are attempting to capitalize on the worldwide panic and fear of the virus. Various surveys have concluded that half of Internet users have received at least one malicious email falsely providing information on COVID-19-related topics.
For instance, scammers tried to disseminate fake emails from the CDC asking victims to fill out a survey related to the coronavirus in their neighborhoods. In actuality, the link was a phishing link where they were supposed to provide their email credentials which would have been taken by the criminal and used to log into their real email and wreak havoc.
Online scammers also frequently send malicious emails regarding welfare benefits — almost five times as many as they did before the pandemic. These were usually from fake email addresses claiming to represent everyone from local governments to the World Health Organization and the International Monetary Fund. They’d promise their victims some sort of compensation while just asking for a tiny “commission” for the process. But, of course, there were never any real benefits to begin with. Similar issues cropped up with news of grants for small businesses, which malicious hackers readily exploited.
Bad actors also took this opportunity to play on the wants and needs of many people, by sending virus-laden emails (either through links or attachments) targeting the desire of people to have the latest information on the virus, contact tracing, exposure alerts, etc. Users not subject to regular cybersecurity awareness and policy training were at an increased rate of falling for these tactics.
Remote Work
Whether you’re working from home, or you have a second office at home, you cannot afford to let your guard down when it comes to your home computer setup. When we saw the huge spike in work from home in March 2020, people were focused on the hardware and accessing files. Security took a back seat. While understandable to a degree in needing to keep your business afloat, it’s time to review what policies are in place for remote employees. Even with many companies being back in the office, more and more people have adjusted to doing some work from home from time to time, even if simply supplementing a full day at the office.
Studies have shown that over 70 percent of employers hadn’t organized any special courses or training on safe usage of corporate resources online. While this would have undoubtedly reduced the number of security breaches caused by human error, key decision-makers and managers dropped the ball in terms of cybersecurity.
Home Equipment
The scramble. When the world seemingly “shut down” back in March 2020 and people were forced to work from home to keep their businesses alive, business owners scrambled. It was yet another survival moment inflicted upon our world. Revenue needed to continue. They needed employees to fulfill job roles to make that happen. So, they got them up and running the quickest way possible. Many companies didn’t give their remote workers the necessary technical equipment for their newly established home offices. Instead, they allowed their employees to use their personal home devices to connect to the corporate IT infrastructure remotely and often insecurely.
Even companies that did provide the hardware (laptops or desktops) were intermittently using the device for personal reasons or accessing company networks from a personal computer. Structure was simply not put in place. Many employees who transitioned to home offices set up their networks and routers themselves, creating further security risks in the process. Companies that did not have cybersecurity policies in place prior to account for remote employees were forced to triage their business issues, leaving cybersecurity to fall behind serving customers and making payroll.
For obvious reasons this quick handling that resulted in skipping proper cybersecurity strategy and implementation has created a huge cybersecurity gap, one that malicious online actors were more than ready to exploit. Between unsecure access to company files and data to preying on mix use of devices connected to the network or company information, cybercriminals hit the jackpot.
Vulnerabilities from Collaboration Tools
In physical offices, workers would often collaborate by gathering around a single computer to edit documents and by attending in-person meetings. However, the new realities of remote work have forced them to resort to online collaboration tools and videoconferencing software to a much higher degree, dramatically increasing the associated cybersecurity risks.
Plenty of legitimate software for videoconferencing had previously unnoticed security gaps, including world-renowned solutions like Microsoft Teams. In 2020, Microsoft discovered and eliminated a vulnerability in their Teams software, which allowed cybercriminals to use it to gain access to every account on an organization’s network. Also, Zoom developers fixed some bugs on their macOS version, allowing attackers to do the same thing and take over remote devices.
Advice for Protection
One of the biggest lessons we have learned is that, while cybersecurity threats have increased in volume, most of them aren’t any radically new and inventive schemes. Instead, they’ve simply exploited people’s fear and anxiety over the current situation as well as the increased number of pain points due to shifts to a remote workplace.
However, it is time to sit back and reflect on how this process was handled and what may still be looming as a threat to your company. Once you review potential areas of weakness with your leadership and IT team, you can work on fixing the issues and become better prepared for the future.
Bahar Ferguson is president of Wasatch I.T., a Utah provider of outsourced IT and managed compliance services for small and medium-sized businesses.