Coronavirus is sweeping the world and causing widespread disruption to all areas of our lives. International travel is restricted for many people. Vacations are canceled. The global economy is taking a hit. And businesses everywhere are preparing for an entirely different way of operating. In many ways, we’re still in the early days of the outbreak. The virus hasn’t yet reached its peak in the US so it’s too early to tell what the exact consequences will be on businesses, the people who work in them, and their loved ones.
There’s a lot of doom and gloom rhetoric floating around and many people are starting to panic. We don’t want to be alarmist or contribute to this panic, but rather help our local businesses prepare for all possible outcomes. One thing we do know is that hackers often use crises like these to their advantage. Today we’re going to look at how bad actors exploit emergencies, and how you can protect yourself.
How Hackers Exploit Emergencies Like Coronavirus
National or global emergencies provide a unique opportunity for hackers who want to strike while the iron is hot. During times of crisis, people often become less vigilant about anything that isn’t directly related to the crisis. This isn’t intentional, but it’s human nature. We only have so much time, energy, and resources and we have to decide where it’s best to allocate them.
In times like these, cybersecurity can seem like a less pressing matter than preserving the health of the workers or ensuring the business can function under reduced capacity. This is exactly what hackers rely on. They rely on people shifting their focus away from cybersecurity and taking a more relaxed approach to protecting their systems. Let’s look at the ways that hackers can use this situation to their advantage.
Reduced IT Labor
Many businesses will experience a reduction in the number of active IT workers. This may be due to people going off sick, or due to businesses scaling back their temporary IT staff. Some businesses may even choose to stop using an IT provider. Reducing the IT labor force leaves companies vulnerable to cyber-attacks. It means there are fewer people available to monitor for suspicious activity on the network, and fewer people to jump into action if or when a breach takes place.
Outdated Systems or Advice
One key way that hackers gain access to systems is through the exploitation of known vulnerabilities. No code is perfect, despite developers’ best efforts. Vulnerabilities are found in code all the time, and software publishers release patches so that a given vulnerability can no longer be targeted. However, not everyone will update their software at the same time, or in some cases, update their software at all. It’s estimated that 60% of breaches involve vulnerabilities where a patch is available but not applied.
Targeting a known vulnerability is one of the easiest methods a hacker can utilize. In movies, hackers are often portrayed as some kind of elite hyper-intelligent computer whizzes. The truth is, hackers often aren’t working with cutting edge techniques or pushing computer science to its limits. They are looking for quick wins. They want low risk, low effort, and high reward. What’s more low effort than developing malware for a vulnerability someone else has discovered? Minimum effort and maximum destruction is the MO of hackers.
This is one of the reasons that macOS is often considered more secure than Windows. It’s not that all of the best developers work on macOS and develop highly secure software while Windows is full of holes. A lot more people use Windows and therefore a lot more software is developed for Windows. This means that targeting Windows-based software is just more lucrative most of the time so that’s where hackers focus their efforts.
The same logic is also why hackers target small businesses. People often think this is counterintuitive. After all, hackers surely have more to gain by targeting a large business than a small one, right? Large businesses have more capital, more sensitive data, and more money to pay up. This logic would be absolutely correct if hackers were only targeting one business. If a hacker could only target one business and had to pick between a large business and a small one, it would make more sense to focus their efforts on the large business. However, when you consider that over 99% of businesses in the US are classed as small or medium-sized businesses, it’s easy to see how a mass attack on smaller businesses is highly lucrative.
During times of emergency people often forget to update their software, leaving their systems vulnerable to attack. There may even be a delay in software patches becoming available as publishers suffer from a reduced workforce.
Cybersecurity advice is also evolving at a rapid rate. For example, 8 character passwords with complexity (a mixture of numbers, letters, and symbols) used to be the norm. However, leading cybersecurity bodies are now recommending against this in favor of longer passphrases without the need for complexity. It can be hard to keep up with the latest advice in general, but during an emergency, it’s even harder.
Reduced Cybersecurity Awareness or Hygiene
One of the best ways to protect your company from a cyber attack is to ensure that all employees are regularly trained on cybersecurity best practices. An alarming number of cyber-attacks are made possible by human error or oversight. Training should apply to everyone in the business, no matter their rank or position. However, as people go off sick or work from home, training may become less viable. Formal training sessions may also be canceled to mitigate the risk of the virus spreading.
The less educated the workforce is on cybersecurity matters, the more likely they are to fall victim to phishing attacks. Phishing attacks often rely on suspicious emails or documents flying under the radar or rely on creating a sense of urgency for the person receiving the communication. During an emergency, your attention is already split and you’re less likely to spot when something is up. You’re also more likely to act quickly when asked for something so you can move on to more pressing issues.
When you’re operating with reduced capacity, roles can become less well defined as an “all hands on deck” approach becomes more appropriate. This means that employees may be trusted to take action in areas that were previously not under their remit. Hackers can exploit this for their own gain by utilizing the inexperience of the staff.
An alarming number of businesses hand over money when they fall victim to a ransomware attack. When faced with the reality of extended downtime and loss of company data, some businesses will act quickly to try and regain control. We expect that ransomware attacks will spike during the coronavirus outbreak as hackers try to exploit vulnerable companies who are struggling to survive and cannot afford more downtime.
How to Protect Yourself
Alarmingly, small businesses spend less than $500 on cybersecurity. This is despite the fact that small and medium-sized businesses are the target of 43% of cybersecurity attacks. The unfortunate reality is that most small businesses cannot survive a significant cyber attack. In fact, 60% of small businesses close within 6 months of a cyber attack. The best way to protect your business from falling victim to an attack is to be proactive about cybersecurity. In times of emergency, it can be tempting to just keep everything ticking over rather than take proactive steps for a better future. However, not doing so may cost your business. Here’s how you can take a proactive approach to your cybersecurity during the Coronavirus outbreak.
- Use a dedicated IT provider. IT providers are experts in their field and know how to protect your company from a variety of cyberattack scenarios. By using an IT provider you get access to highly skilled and experienced professionals who know how to implement change quickly and effectively. They will be knowledgeable on the latest cybersecurity best practices. They will know immediately when patches for your software become available. They will also be able to advise you against using sufficiently vulnerable software where no patch is available, and suggest appropriate alternatives.
- Provide cybersecurity e-training. Where you can’t hold formal meetings and get everyone together, create online material instead. Encourage employees to complete cybersecurity training from their desk or even their home. You should also reiterate advice about phishing emails and what to do when an employee receives a suspicious email.
- Review your password policies and consider whether a stronger approach is needed. If your company is planning on transitioning to home working, you need to be proactive about making your company devices safe and secure. Passwords remain a weak point for all systems, especially where password hygiene is poor. You should be using multi-factor authentication to ensure that only authorized persons can access your devices. An IT provider can help you get all of this off the ground and ensure you’re following current best practices.
We hope you, your family, employees, and colleagues, are staying safe in the current climate. Times like these are stressful, but they can also present opportunities or provide incentives to take actions you would have otherwise not considered. If you haven’t been proactive about your cybersecurity before, then now is the time.
Still have questions?
The Cheap Squad is here and ready to help with any IT or tech-related questions. We're not some faceless company on the web; we're real people and we'd love to chat. Let us know if there's anything we can help you with.