COVID-19 has been impacting the world for at least five months, and cybercriminals have not let up in their attempts to manipulate the crisis for their own gain. For example, in the week before Easter—the original hoped-for date to “re-open” the country—Google reported 18 million phishing and malware scams related to COVID-19 every single day. Not 18 million for the entire week, but 18 million per day for a week.
“The phishing attacks and scams ‘use both fear and financial incentives to create urgency to try to prompt users to respond,’” The Verge reported. “These scams include impersonating government organizations like the World Health Organization to try to solicit donations or trick users into downloading malware; pretending to have information about government stimulus payments; and phishing attempts aimed at workers who are working remotely.”
This is just the tip of the COVID-19-related security threats. Cybercriminals are taking advantage of the massive numbers of people who are working from home. “As a result,” Elad Shapira, head of research for Panorays, was quoted by Healthcare IT News, “companies now face technology risks such as unmanaged devices, shadow IT and insecure access, along with human risks like increased phishing attempts.”
Despite the increase in attacks, particularly those surrounding the coronavirus, and despite concerns that remote workers aren’t practicing good cybersecurity hygiene, a new study from CrowdStrike found that a majority of business leaders believe their companies aren’t at greater risk of suffering from a cyberattack and aren’t properly educating employees about emerging threats.
Overconfident in the State of Security
Of course, remote work has been the norm for millions of workers and thousands of companies before COVID-19 arrived, and even more have been using BYOD and shadow IT for years. But now work from home has been formally instituted in organizations that may have never before thought it possible or had no interest in allowing remote work. And these businesses are now facing a new reality and new security challenges, which, according to a CrowdStrike blog post, include:
- Use of personal devices and email for business or handling sensitive information.
- Provisioning corporate assets to support remote working arrangements.
- Proper deployment and configuration of remote services, corporate VPNs and related two-factor authentication methods.
To be clear: Many companies that have had longstanding remote work and BYOD policies have struggled to enforce security policies surrounding these issues. It would be reasonable to think that organizations that had work from home dropped on them suddenly and needed to adjust on the fly would be unsure of how well their cybersecurity efforts would be.
However, the CrowdStrike global survey, “Work Security Index,” found that business leaders are confident in their cybersecurity efforts, with a whopping 89% of respondents believing their devices are secure against advanced cybersecurity threats while working from home.
Yes, There Is an Increase in Attacks
That confidence in the security of their devices does not match what is actually happening—CrowdStrike also reported twice as many intrusions in Q1 2020 than all of 2019. And this was before massive WFH efforts when people were following longstanding protocols. Expect those numbers to go up in Q2.
Yet, according to the study, half of business leaders don’t think there is an increase in attacks due to COVID-19. Also, this attitude is spilling over into security training for remote employees. According to the report, although 56% said WFH increased due to the virus, and 60% are using their own devices for work, about half of the respondents said they aren’t offering security education that focuses on remote work and there is no guarantee that those personal devices have adequate security to meet corporate guidelines.
“We have seen a rise in COVID-19-themed scams, phishing and even disinformation campaigns, and there’s no sign of these attacks slowing down,” said Michael Sentonas, CTO at CrowdStrike, in a formal statement. “As more work is conducted from home, and in many cases on personal devices, businesses must stay vigilant, ensuring that their employees are trained on possible risks and taking the necessary precautions to maintain security of their networks, devices and data.”
And they shouldn’t fall into a trap where they think this is all going to go away soon. “There’s no sign of these attacks slowing down, which aligns with the spike in remote working due to the pandemic,” James Yeager, vice president of public sector and healthcare at CrowdStrike, told TechRepublic. “This tells us that devices are vulnerable and more needs to be done in order to protect and defend them.”