I wanted to steer clear from the topic of SARS-CoV-19. But it is now clear that thee global coronavirus epidemic/spread introduces an extraordinary situation, warranting special considerations for individual and organization, as well as collective cybersecurity.
We are all in this is due to a confluence of many related events, specifically:
- unprecedented event on a global scale…
- that touches global societies at large…
- ...and makes States and organization seriously reconsider how they function
- ...so exceptional measures are introduced, this way or another
Way more employees working from home. Sometimes invited to install additional software. Including on employee personal devices. Way more organizations finalizing or deploying business continuity plans. Way more coronavirus-themed information in the news and inboxes of everyone, in an environment of a rapid situation change and clear and present uncertainty.
This means that everyone will be familiar with the coronavirus theme, and will be much less surprised to get an email subscribing to the template of “due to coronavirus you are asked to…”. Including legitimate emails - from employers, or institutions, or various services, portals, whatnot. At all times in an environment of rapid changes and uncertainty.
People at large, perhaps for a long time, will be used to the theme. As wel las to the messages. Such a situation may give rise to an informational availability bias/heuristic (a psychological term) effect, which will provide the underlying background impacting on decision making. This is the case because people are now getting familiar with exceptional measures introduced as a matter of daily business. Many forced-work-from-home users will find themselves using software they don’t know, as well as less familiar organisational process, Especially a case of places where work-from-home is scarce; but the essential, new and emergent phenomenon is not just due to technology. Less known technical environments increase risks in themselves. So do out of ordinary requests (install this new software? click here?), and sometimes out-of-band reports of distress. Phishing attempts may take advantage over this new and emergent “environmental situation” in people’s minds. Only that with coronavirus we risk seeing it function at an unprecedented scale. This is incomparable with previous such circumstances. This makes for an attractive target for misuse, abuse, fraud, scams, phishing, or otherwise unauthorised entry to the system ("access"), by criminals, state actors, and who-not. I’m afraid that the sense of urgency and the feeling but also experience of exceptional measures will only help in scam and fraud.
Unique cyber risk
To some degree this is already happening,ith a steady rise in coronavirus-themes scam/phishing attempts. One, for example, which purported to be employees of the World Health Organization, or the UK Tax Revenue office (relevant in time of crisis to purchase products of importance?). Hospitals are already affected, in such an event adding a crisis in an element of on top of an already a crisis facing collective health system does not help. Much more can happen, and very likely much more will happen. As organizations move to an increased work-from-home setup it is now of paramount to enforce common sense. It would be fascinating to study this but the only players who have knowledge of the past, current and future events (after CoV) data are the big platforms (or some cybersecurity companies). This is severely limiting our view. Let’s hope they will do this because this is a unique situation to study such a problem of cyber risk at a scale. It would be a shame not to benefit out of an otherwise extremely bad situation the world found itself.
In general, what can you do? As usual, educate… wait, now it’s too late for that. So what can you need to do is to realize and appreciate that this is an exceptional situation, it is already happening, and that cybersecurity is perhaps not at the top of the agenda at the moment, but it is nonetheless important today because that's the world we are in.
Usual technical advice applies. Multifactor authentication, common sense, and so on, are always welcome. No need to repeat it here. Among the primary goal of phishing is to convince the victim to do something quickly. So the primary defense is to educate employees to detect and avert such situations? If so, well, coronavirus is perhaps challenging this notion at least in the short term (and IT teams are likely overwhelmed anyway with deployment of business continuity plans). If you have an idea for changing this advice feel free to let me know.
Possibly special measures for a special time
For organizations it might also be a good idea to clearly explain and delineate the needs but also limits to any exceptional measures (how do you do this if it’s “exceptional” in the first case is another story).
For individuals, do not fall into being in haste. Avoiding panic and acting in calm is probably a good idea. Do not assume that in an exceptional time everything is exceptional and nothing is as it used to be. Because this is the particular angle for exploitation. Sooner or later someone will realize this. It’s best if they are defender side.
Lastly, organisations should consider conducting work from home exercises on a regular basis. Not just a single day a year. Perhaps a (continuous) week would do better. But the time for this is not now.
Also, while you can maybe forget about cyber insurance, please feel free to read the International Committee of the Red Cross report on the human cost of cyberattacks.
Did you like the assessment and analysis? Any questions or comments? Feel free to reach out: firstname.lastname@example.org