Cyberattacks have increased in both frequency and sophistication since the pandemic began as threat actors seek to take advantage of the unusual circumstances under which nearly all of us are working. Once a cyberattack occurs, companies largely are on their own to deal with the aftermath, so companies should take these seven steps to ensure they’re ready: 1) Review your incident response plan, 2) Stay up to date on current scams, 3) Enable multi-factor authentication everywhere, 4) Educate your employees, 5) Determine an alternative method for senior leadership to communicate, 6) Password protect your videoconferences, and 7) Check your cyber-insurance policy.
Prior to Covid-19, most companies perceived their worst-case cybersecurity scenario as a computer virus that would shut down company computer systems. In fact, just the opposite happened: a human virus has forced virtually entire workforces online, making companies more reliant than ever on their systems. The stakes of protecting those systems from a cyberattack could not be higher. In the words of the old American Express commercial: “What will you do? What will you do?”
Over the past several weeks, we’ve observed that cyberattacks have increased at a rate of three to five times compared to pre-Covid. Phishing attempts have increased in both frequency and sophistication as threat actors seek to take advantage of the unusual circumstances under which nearly all of us are working. Scams focusing on treatments and cures for the novel coronavirus have been rampant — one recent operation by Interpol against fake Covid-19 “cure” sellers resulted in 121 arrests. Thousands of fraudulent coronavirus-themed websites are sprouting up per day. And Zoom, having skyrocketed in popularity, has experienced such a surge in videoconference hijacking that it has its own name, “Zoom-bombing.”
Once a cyberattack occurs, companies largely are on their own. They have to scramble to counteract the attack and ensure that the threat actor is out of the system. They then may have to navigate industry regulators, while also trying to steer clear of the dreaded post-breach class action suit.
What is a company to do?
1. Review your incident response plan.
Every company should have an up-to-date, written plan in the event of an attack. It should be crystal clear as to who is to do what, who you will call for outside assistance, and what the lines and protocols on communication will be within the company (such as board notification). This will protect the company from the confusion and early mistakes that often are made and that waste precious time in a crisis.
In this environment, having a paper copy of the plan handy at home is also a good idea in the event of a systems breach. The chief privacy officer at one large financial institution recently told us that the last thing he did before he left the office for the quarantine was to grab a paper copy of the company’s incident response plan.
2. Stay up to date on current scams.
Make sure all employees are aware of the most current scams and that your information security program has prepared a defense. Right now, the most ubiquitous is the “business email interruption” scam, where Office 365 or Gmail accounts are hacked via a phishing email. If an employee clicks on a bogus link, the cybercriminal has complete access to their inbox and can download malware onto their system. Sophisticated threat actors will most often target senior leadership or those with payment authority. By studying the contents of the particular inbox, the hacker is then able to gin up a very convincing fraudulent invoice purporting to be from a legitimate vendor, with changed wiring instructions so that the money is diverted to the hacker’s account and not to the legitimate recipient.
While most of these attacks are “smash and grab” attempts to divert funds, in recent weeks, some criminals have focused instead on obtaining confidential company information — particularly with companies that may be working on breakthrough technology or cutting-edge health care products, sometimes for competitive purposes or sale on the dark web, among other things. With virtually all employees working remotely and the ordinary course of operations disrupted, this type of fraud is more likely to succeed, and the hackers know it.
3. Enable multi-factor authentication everywhere.
Fortunately, there is a fairly effective tool to reduce the risk. Enabling MFA will stop all but the most sophisticated threat actors and it should be used on all accounts that are used by the company, not just administrative accounts. Remind employees to utilize MFA on their own devices as well.
In one recent attack, a health care platform had MFA on its company systems but had failed to enable it on its Instagram account. The account was taken over by hackers for several hours while the criminals posted content and intercepted the direct messages of customers, among other things.
4. Educate your employees.
Make sure your employees know that phishing attempts are on the rise and special care is needed as hackers try to take advantage of the crisis and a disrupted workplace. Cybercriminals will play to emotions. If it seems too good to be true, it is. If it is not a sender with whom they would normally interact, or a platform on which that person would communicate, they need to be on high alert. The CEO of the company is not likely to reach out to them and ask them to do something if he or she has never done so before, and especially not on a platform like LinkedIn or WhatsApp.
Remind employees that if there is any question about the validity of an email, they should contact the sender via telephone — and make sure to use existing contact information, not the number on the email in question.
Be sure that anyone within the company in a position to send money out the door knows to be on high alert and not to wire any money or make any payment off of changed instructions without calling first. You can reduce the risk even further by wiring one dollar, and then calling your vendor to make sure it was received before sending the rest.
Hackers have gotten so bold that in one recent fraud, they wrote in an email that they understood that they were asking for a large amount and so “Joe would call the company to confirm first.” The hacker himself called into the company to verify that the payment was “legitimate.” It wasn’t.
5. Determine an alternative method for senior leadership to communicate.
If the unthinkable does happen and an attack brings down your company systems, how will senior leadership communicate among themselves and with employees? It is important to have an alternative means of communication ready to go so as not to lose precious time in a crisis.
A regular text may be compromised — if a hacker has access to the company systems, it is easy for them to set up a mechanism to intercept texts from the cell phones of senior managers. Consider setting up a secure texting app chain in advance so that a secure line of communication is ready, especially among those who will need to manage the breach if the normal email system is disrupted or compromised.
6. Password-protect your videoconferences.
“Zoom-bombing” has become so rampant that the FBI has issued a warning. Recent cases involve unwanted guests shouting profanity and displaying other inappropriate content.
To protect your videoconferences, do not post the link publicly. Make sure to require a meeting password, share the link and password only with authorized guests, and lock the meeting after it begins. Finally, if the content of your Zoom meeting is especially sensitive, consider doing an old-fashioned conference call instead.
7. Check your cyber-insurance policy.
Do you have good cyber-insurance? These policies have become more comprehensive and cover more than they did a few years ago. Contact your broker now to determine what is “market” in your industry. You want to be negotiating that policy before you have an incident, not in the midst of one or just after.
A good cyber policy will cover most costs associated with a data breach, including counsel to guide you through the crisis, a forensic firm to come in (under the direction of counsel so as to be sure the work done is protected by attorney-client privilege and work-product doctrines) and, in many cases, even the ransom that the company pays to decrypt its data.
Given current conditions, the work from home paradigm is not likely to end anytime soon. Cybercriminals are notorious for their ability to adapt their malware and scams to meet companies’ defenses. It is an arms race to stay ahead of them. Staying up to date and keeping your workforce informed on the latest scams will help reduce the risk for your company.