COVID-19 Cyber Risks: What to Do to Protect Yourself

As the CEO of a cybersecurity company, I’ve been observing the effects of the coronavirus pandemic from a different perspective than most. Heightened cybersecurity risks are a consequence of the COVID-19 pandemic, and I’ve seen two major kinds of security vulnerabilities: an increase in threats using coronavirus itself as bait and mass exploitation of our remote working environments.

Cybersecurity Risks: How Coronavirus Affects You

Despite what you might think after binging Netflix, most cybercriminals aren’t solo hackers in hoodies. It’s global, organized crime whose structure looks more like your workplace than you think – it has departments, an organization chart, profit sharing and a robust supply chain.

Cybercrime, as an industry, rakes in more than USD600 billion annually. And most of that money comes from targeting individuals and smaller businesses – ones that don’t have a six-figure budget for enterprise-grade cybersecurity or the full-time cybersecurity experts required to manage it. Malware merchants are excellent at smelling market opportunity and will adapt the packaging of their malware to capitalize on clickbait trends.

COVID-19 is the latest market moment, and cybercriminals have mobilized around it. We’ve seen an increase in coronavirus-related phishing campaigns designed to spread malware and steal credentials. Re-used malware has been distributed in ads, phishing mails and text messages. Sample attacks:

  • From your local government: “Alert in your area” or “Coronavirus payroll relief fund”
  • From your company HR or leadership: “New paid leave policy”
  • From a medical provider: “COVID-19 tests available”
  • Internet deals on masks and hand sanitizer
  • Malicious apps and malware disguised as COVID-19 tracking maps

It’s not just coronavirus used as bait. With the increase in remote work, more people are using online meeting services and getting more at-home deliveries. We’ve seen a spike in attacks that impersonate Amazon, FedEx, Netflix and Zoom.  At the root, cybercriminals are trying to tempt you to do something. The phishing hooks want you to click, download malware, enter your credentials or give up any personal information.

Cybercriminals also know that we are all working from home, connecting to our very basic, insecure home networks, without onsite IT support to lock things down. With most people using the same device for work and personal activities (including checking email, downloading homework assignments for your kids and ordering supplies online), both your personal and business worlds are at risk.

You need 3 zones of security

Security is about layers.  To truly be secure online — especially outside the walls of your office — you need to lock down three zones of security: devices, internet connection and accounts.  If any one of them isn’t protected, then you (and your business) are exposed.

Here are some common examples of security holes that I see every day:

  • You may have a super-secure, locked-down corporate laptop, but if you are connecting that device to your insecure home Wi-Fi to access your company email, files and accounts, you are susceptible to a man-in the-middle attack (where attackers can intercept your internet traffic from your device to get to your accounts).
  • Alternatively, you may have a secure connection to the internet and multiple layers of access controls for your accounts – but if you have malware on your device (the type of malware that can take screenshots, or record and send every keystroke you type) — then the attacker can see everything you access

Let’s dig into some practical tips for how to secure each of these three zones of security.

Cybersecurity risks are increasing during the pandemic.

4 ways to protect your devices

  • Update all software. Do it for phones, laptops, operating systems, browsers, all applications and software. Each time a company releases a software update, there is almost always a security patch included.  Not updating means this known security trapdoor is left open for cybercriminals to have easy entry into your device. Schedule automatic updates and book weekly update reminders on your work calendar.
  • Enable full-disk encryption. Toggle it on in settings on any Mac or Windows device.  If your laptop gets stolen, then your data on it is protected and encrypted.
  • Audit app permissions. Many apps, by default, have overreaching permissions to access and use information on your device. Use common sense. Signal Messenger or another secure communication app might need access to your microphone and your contacts, but there is no reason that your weather app needs this information.  Restrict access or remove apps that seem sketchy (and might be malware in disguise).
  • For the pros:  Antivirus is not good enough.  Ninety-three percent of modern malware is polymorphic (morphs in real-time to evade detection by antivirus tools). Staying ahead of cyberattacks requires real-time threat monitoring and analysis of the traffic flowing to and from your devices. Look for a solution that includes network-layer threat detection and prevention.

Run as a standard user, not an admin. Set up a basic user account, login, and use your device with only basic user rights. This way you won’t be able to accidentally install new software without being prompted first to make an explicit decision to trust that new program. This also limits the scope of damage if your device gets hacked under that basic user’s credentials – since the hacker then will also lack admin privileges.

“Our personal and business landscape has shifted over the past few months to a new normal where we’re differently vulnerable than before.” – Frances Dewing, CEO & Co-Founder Rubica

3 ways to protect your internet connection

  1. Use a reputable personal VPN. Make sure it works on all devices, especially laptops and phones.
  1. Update your router. Firmware updates are important. The infamous Mirai botnet exploited simple credentials. Change the default router credentials. When choosing a WPA2 key, make it long and strong, not something you reuse.
  1. For the pros: VLAN segmentation/Guest Network. Segmenting a VLAN prevents cross-contamination if one of your devices gets infected. Only change settings on your router if you know what you’re doing, otherwise you can mess up your network and make your router unusable.

2 ways to protect your accounts

  1. Multi-factor authentication. Even more critical than your password, multi-factor authentication (MFA) protects data theft at the account access level. With MFA for account login, it’s much harder to hack because the cybercriminal would need both your password and the additional code that’s texted to you or generated via app or hardware token.  Use it everywhere that it’s offered, especially critical accounts like email, financial accounts, and social media, and your iCloud account.  Where possible, use app-based code or hardware key (not SMS/text message). If you must use codes by SMS, make sure you password-protect your mobile phone account against SIM porting.  Do this by contacting your carrier.
  1. Disable auto-fill. Never auto-fill passwords in browsers.

1 thing to remember

Our personal and business landscape has shifted over the past few months to a new normal where we’re differently vulnerable than before.  As we learn to collaborate differently, taking steps to protect our digital lives needs to be part of our new normal.  The cybercriminals are certainly watching, and a few precautions taken at the digital level means one less thing to worry about.

Hear more from Rubica CEO Frances Dewing chatting about #cybersecurity during a #pandemic and how you can protect yourself.

For more crisis leadership stories like these check out the COVID-19: Leading Through Crisis page on YPO.org. All YPO members can find breaking news, offer insights and view current discussions happening about COVID-19 impact within the YPO community on the YPO member-only platform.

Frances Dewing is a YPO member and the CEO and Co-Founder of Rubica, a cybersecurity company specializing in advanced threat protection for individuals, remote teams and mobile workers. Dewing regularly consults to boards, Fortune 100 executives, and high-net-worth private client groups on cybersecurity issues and best practices. She was formerly Chief Operating Officer of Concentric Advisors, a consultancy specializing in cyber and physical security for some of the world’s most high-profile figures. Dewing is a Washington State attorney with a JD from the University of Washington.