Beware the cyber attackers during pandemic, advice firm warns
May 05, 2020
A MAJOR business advice firm has warned businesses of a dramatic increase in COVID-19-related cyber attacks.
The most common are phishing scams, which prey on people’s concerns about coronavirus, and hacks intended to exploit the IT security risks created by so many employees working from home, which puts the employer’s IT function under pressure.
But there are steps that businesses can take to foil the would-be cyber attackers, led by organised criminal gangs. Business advice specialist KPMG has issued a list of advice on how a business can reduce its cyber risk.
Thomas Collins, who leads KPMG’s private enterprise practice in London and the South East, said: “We are seeing that the region’s organisations are at significantly greater risk of a cyber incident at the moment due to an increase in attempts by organised criminal gangs to exploit the uncertainty which COVID-19 brings.”
Many criminals have changed their tactics to use COVID-19-related materials on health updates, fake cures, fiscal packages, emergency benefits and supplies, he added.
“The lockdown in human terms has triggered the opposite requirement from systems in some cases, which have had to open up to a greater extent than ever before to facilitate a significant rise in home working. As the region’s workforce copes with new ways of working and using technology, IT systems and processes, including some security protocols, are also being altered.
“Both the human and the infrastructure elements of business may be more vulnerable to cyber crime during this time. Clearly, with business directors already focused on multiple challenges, the last thing they want to fly onto their agenda is a fraud or a hack.”
Tips for Reducing Cyber Risk
Social engineering is often used, making people the weak point. Raise the workforce’s awareness levels, letting them know it is a time of heightened risk.
Do not only rely on annual training. Freshly educate the workforce to be vigilant to suspicious activity, looking for the usual giveaways of a phishing email in a work context, for example:
- Poor email quality in terms of grammar, spelling and design;
- Not addressed by name but uses terms such as “Dear colleague,” “Dear friend” or “Dear customer”;
- Includes a veiled threat or a false sense of urgency;
- Directly solicits personal or financial information;
- Includes a link to a website asking you to change something;
- If it sounds too good to be true, it probably is.
Run a helpline or online chat line which staff can easily access for advice or to report any security concerns, including potential phishing.
Make sure strong passwords are set up, and preferably two-factor authentication, for all remote access accounts, particularly for Office 365 access.
Ensure that critical security patches are applied and update firewalls and anti-virus software across the IT estate, including any laptops in use for remote working.
Disable USB drives to avoid the risk of malware, offering employees an alternate way of transferring data such as a collaboration tool.
Ensure that finance processes require finance teams to confirm any requests for large payments. This can help to guard against the increased risk of business email compromise and frauds. Ideally, use a different channel such as phoning or texting to confirm an email request.
Back up all critical systems and validate the integrity of backups, ideally arranging for off-line storage of backups regularly.
Ensure the organisation has an alternate audio and video conferencing environment available. This will be needed if a ransomware incident disrupts IT systems and also offers another option if the primary conferencing provider has capacity or availability issues.
Mr Collins said: “COVID-19 is driving changes in how organisations work and stay safe and secure. There is no such thing as a technology safety blanket but the winners will be those with a proactive mind-set, who take action around consistent monitoring, reporting and education.
“That said, as well as preventative measures, organisations also need to think about their ability to recover in the event of an attack and to ensure they can communicate with all of the workforce whenever required.”