It goes without saying that COVID-19 has forced organizations to reconsider every aspect of their operations, from service delivery to the role of technology in keeping their workplaces safe. As they continue to restart and ramp up operations, cybersecurity will rank among their top concerns.
A high degree of vigilance could help fend of cyberattacks and avoid financial disaster for particularly vulnerable companies—namely, those dealing in sensitive client information for which trust and credibility is an important corporate value proposition.
While cybersecurity has been a central concern for companies of all sizes for years, the number of incidents of hacking, malware, phishing and social-engineering attacks has continued to grow. A 2019 CIRA Cybersecurity Survey found that 71 per cent of responding organizations experienced at least one cyber-attack that impacted their organization in some way, from out-of-pocket expenses to ransomware payments.
In May 2020, law firm Blake, Cassels & Graydon LLP released its First Annual Canadian Cybersecurity Trends Study. Of the 250 incidents reported by respondents, 33 per cent resulted in some form of operational disruption, 25 per cent caused primary financial loss and 21 per cent impacted the respondent’s relationships with key stakeholders.
The 2019 annual Accenture Cost of Cybercrime survey notes that the average cost of investigating and remediating an attack among Canadian organizations in 2018 was a hefty $9.25 million.
The stakes have become even higher as the COVID-19 pandemic rages on across the globe. Cyber-attacks are gaining in frequency as hackers seek to capitalize on vulnerable organizations across industries.
As of April, according to an IT World Canada article, the UK-based cybersecurity firm Sophos had identified more than 1,700 malicious domains using “corona” or “COVID” in their names, of which 1,200 were still active. Google is detecting about 18 million malware and phishing Gmail messages per day related to COVID-19, in addition to more than 240 million COVID-related daily spam messages.
According to the Canadian Centre for Cyber Security (CCCS), Canada had taken down more than 1,500 coronavirus-related scam sites as of the end of April. These included sites that spoofed the Public Health Agency of Canada, Canada Revenue Agency and Canada Border Services Agency. In an IT World Canada interview, CCCS spokesperson Ryan Foreman referred to it as a “worldwide effort, and it’s a very automated process.”
Organizations facing economic uncertainty often have less time and resources to devote to cybersecurity audits and employee training as they focus their efforts on putting out more immediate operational fires. This is especially challenging when they’ve been forced to deploy remote workforces virtually overnight, exponentially increasing the number of at-home workers using unsecured devices and cloud-based apps.
At the same time, distracted and anxious employees tend to be more vulnerable to phishing and spear-phishing scams, and are being relentlessly exposed to misinformation campaigns around COVID-related products and non-existent solutions, as well as fake fundraising programs that exploit people’s desire to help those in need.
Simply put, COVID-19 has created the perfect conditions for cyber criminality. That’s because it’s placed many employees and business activities well beyond the limits of their organizations’ cybersecurity capabilities. This has created a wide range of vulnerabilities that have yet to be addressed. Even mid-sized organizations are threatened because many lack the robust technology and support resources needed to combat sophisticated cyber crime.
As workplaces have reopened, companies have been pressed to consider a wide range of security measures around social distancing, surveillance, business entry/exit protocols, sanitation practices, and securing online communications between their remote workforce, customers and suppliers.
Security weak spots range from the usual suspects to newly adopted collaboration and videoconferencing tools that have opened new doors to cyber-attacks. One critical area of concern is the unprecedented rise in video chats (both internally and with external partners), along with growing use of cloud services and ad hoc downloading of apps on the part of remote workers.
Zoom has come under scrutiny as rapid adoption and misuse have exposed a host of vulnerabilities, from privacy breaches and eavesdropping, to data theft and “Zoom bombing” where uninvited attendees can view a meeting or post offensive content during a live session. There are reports that Zoom-bombed video conferences were stored in a non-Zoom cloud service without appropriate password protection. This is only one of many incidents of cyber-attacks targeting a wide population of vulnerable users.
Organizations of all sizes should put their minds to developing fully-integrated security strategies. This may involve additional technology investment, establishing and monitoring new protocols and policies, and/or extensive and ongoing security training, among other initiatives.
A good starting point would be a security audit by internal IT staff or a third party security provider. Organizations using cloud-based services should also take the time to review security policies and updates with their providers. It’s even a good idea to conduct data recovery drills at least once to make sure you can respond to an online attack. Using a virtual private network (VPN) to protect your data is advisable whenever possible.
Training is also critical. According to the CIRA, only 22 per cent of respondents to a recent survey had conducted cybersecurity awareness training on a monthly or more frequent basis, despite the fact that 96 per cent said training was at least somewhat effective in reducing incidents. The organization also reports that more than 90 per cent of all cyber-attacks begin with some sort of user action—a compelling reason to initiate security awareness training if you haven’t already.
It doesn’t have to be an overly complicated or costly exercise. It’s relatively easy to conduct sessions or update staff on the basics of password usage, data protection, and reporting such as:
- How to spot spear-phishing and phishing attacks and the danger of clicking on unknown links
- Updating password policies
- Reviewing privacy and security settings for social media and email accounts and activating as many as possible (e.g. adding two-factor authentication)
- Making sure all apps and devices are up to date including anti-virus and anti-malware programs
- Policies around information sharing and storage
There’s no question that companies will have a full roster of items on their to-do list now that the economy is re-opening. That’s proving to be a slow process—and we could still face a new round of lockdowns if a coronavirus second wave takes hold—so there’s still time to ensure that your organization has effective, tailored security measures and protocols in place.
It could be the protection you need to protect your digital infrastructure and your company’s bottom line.
Jenny Lian, Partner