Conversations in Risk-Based Security

Don’t get caught failing to protect yourself against phishing and social engineering in the ‘new normal’

Posted by Lynx Technology Partners on Jul 6, 2020 1:20:00 PM

Covid-19 forced organizations and CISOs to restructure almost overnight. Rapid changes in networks and working practices mean larger attack surfaces and more security gaps. Now we are moving to the ‘new normal’ as organizations begin to lift restrictions. The pandemic may be easing, but don’t expect the increase in attacks that it triggered to end any time soon.

In this ‘new normal’, companies have employees working from home on average 4 out of 5 days a week. A remote work environment readily exposes both employees and the company as a whole to more vulnerabilities and threats.

According to NetSTAR, overall phishing attacks globally have more than doubled, and in some geographies have reached 600% of previous levels. So the question is: what should the main priorities be during this time in order to keep you safe from phishing attacks and other threats?

According to a recent survey by Check Point Software Technologies Ltd.:

  • 79% of respondents said their main priority is tightening security and preventing attacks as employees continue to work flexibly from home.
  • 43% stated they plan to implement mobile security solutions.
  • 39% plan to consolidate their security estates to help eliminate ‘blind spots’ across their enlarged network perimeters.

Roughly 75% of companies believe their biggest concern was an increase in cyber-attacks, especially phishing and social engineering exploits. Social engineering, in the context of information security, is the psychological manipulation of people into performing actions or divulging confidential information (Wikipedia). Phishing and social engineering attacks are, and will continue to be, one of the largest areas of cyber security attacks, and will likely remain the most widely used vector for breaches. Expect more sophisticated phishing campaigns, backed by ransomware demands, targeted at large US companies. We will also likely see a large increase in SMishing as more and more confidential and personal data resides on cellphones and in work-from-home environments. That said, 51% of companies, according to Check Point, said that attacks on unmanaged home endpoints were a concern, followed by attacks against employee mobile devices (33%).

The University of Pittsburgh identified some of the main types of phishing scams as:

  • Fabricated notices from health organizations (e.g., the CDC or local/state health departments)
  • Fake updates from an employer about policies or procedures to address the risk
  • Phony websites containing maps and dashboards
  • Information about protecting yourself, your children or your community that contains malicious links or attachments
  • Charitable appeals to help victims of the virus, which are not legitimate

With so many employees working from home recently, more concerns arise around cybersecurity, and many security measures need to be taken not only to educate your staff but to secure your company’s information from possible attacks. Below are some suggestions from the HIPAA Journal on how to stay secure while your employees are working remotely.

  • Organizations must ensure that the latest versions of VPNs are used and that patches are applied promptly.
  • Implement multifactor authentication for all VPNs to further enhance security.
  • Because it is difficult to maintain a persistent and routable connection to users’ devices when they work remotely, the cloud should be considered for managing cybersecurity rather than in-house corporate cybersecurity solutions.
  • Ensure multifactor authentication is implemented for all applications accessed remotely by employees.
  • Implement a zero-trust architecture on the network for remote workers and apply the principle of least privilege.
  • To prevent data loss and impermissible disclosures, ensure all data on portable devices is encrypted. Firewalls should also be enabled.
  • Lastly, it is important not to underestimate the importance of training.

In addition to the HIPAA Journal recommendations, you need a multifaceted defense strategy as well as raising security awareness for your workers. Our cyber experts recommend taking these steps:

  • Perform your own phishing tests so you can see where your organization stands as a whole and define areas of risk.
  • Stay alert for emails with links or attachments that you weren’t expecting, and verify with the sender if necessary.
  • Train your users to be on the lookout for the top red flags, i.e. emails sent at odd hours, grammar issues, and unknown senders.
  • Invest in an email scanning solution. You aren’t the only one seeing these threats, so be proactive!
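As an added example (not code from the original post, the HIPAA Journal, or the authors), here is a small Python triage routine that checks an incoming message for the red flags listed above: an unknown sender, a send time at an odd hour, and links or attachments the recipient was not expecting. The allowed-sender domains, the business-hours window and the sample message are assumptions constructed for the example.

```python
import email
import re
from datetime import timezone
from email import policy
from email.utils import parseaddr, parsedate_to_datetime

# Assumed for the example: domains we expect mail from, and the hours
# (UTC) in which legitimate business mail normally arrives.
KNOWN_SENDER_DOMAINS = {"example.com", "partner.example"}
BUSINESS_HOURS_UTC = range(7, 20)  # 07:00 to 19:59
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

def red_flags(raw_message: str) -> list[str]:
    """Return the red flags found in one RFC 5322 message (empty if none)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    flags = []
    # Unknown sender: the From domain is not one we normally hear from.
    domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    if domain not in KNOWN_SENDER_DOMAINS:
        flags.append(f"unknown sender domain: {domain or '<none>'}")
    # Odd hours: sent outside the business window. A missing or
    # unparseable Date header is itself worth a look.
    try:
        sent = parsedate_to_datetime(str(msg.get("Date")))
        if sent.tzinfo is None:  # "-0000" style zone: treat as UTC
            sent = sent.replace(tzinfo=timezone.utc)
        hour = sent.astimezone(timezone.utc).hour
        if hour not in BUSINESS_HOURS_UTC:
            flags.append(f"sent at odd hour: {hour:02d}:00 UTC")
    except (TypeError, ValueError):
        flags.append("missing or unparseable Date header")
    # Links or attachments the recipient was not expecting.
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is not None and URL_RE.search(body.get_content()):
        flags.append("contains links")
    if any(part.get_filename() for part in msg.iter_attachments()):
        flags.append("contains attachment")
    return flags

# Constructed sample: a fake health-authority notice (.invalid is a reserved TLD).
SUSPICIOUS = """\
From: "CDC Alerts" <alerts@cdc-update-notice.invalid>
Date: Tue, 07 Apr 2020 03:12:45 +0000

Review the new policy and confirm at http://cdc-update-notice.invalid/login
"""
```

Flagged messages are candidates for a closer look or for routing to the email scanning solution, not an automatic verdict; tune the allowlist and hours to your own environment.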

In the end, cyber-attacks aren’t going anywhere, whether during Covid-19 or not. Companies need to take the threats seriously and take steps to prepare and protect themselves. With all this information, how will you protect yourself? What will you do to survive the ‘new normal’ we live in today?

A couple of documents you can use as a reference for staying secure during Covid-19:

2020 Phishing by Industry Benchmarking Report

Phishing Infographic

SEC Malware Handout

Want to take a quick test and find out what percentage of your employees are Phish-prone™? Take your free phishing security test, and see how you stack up against your peers with the new phishing Industry Benchmarks. Take the test here!


Resources:

https://www.technology.pitt.edu/security/covid-19-phishing-scams

https://www.prnewswire.com/news-releases/netstar-sees-rise-in-phishing-scams-related-to-covid-19-301057467.html

https://en.wikipedia.org/wiki/Social_engineering_(security)

https://www.globenewswire.com/news-release/2020/06/09/2045445/0/en/Securing-the-new-normal-survey-shows-organizations-security-priorities-as-they-emerge-from-Covid-19-lockdown.html

https://www.hipaajournal.com/cybersecurity-best-practices-for-protecting-remote-employees/