When Covid-19 took hold early last year and the world reeled from its deadly fallout, cyber criminals quickly spied an opportunity to take advantage. At the time, many businesses were in chaos, struggling to stay functional as offices became a no-go, workers were scattered to remote locations and operations disrupted.
But in those dark days when we faced an unprecedented and fast-growing health crisis, another less obvious threat was emerging. Disorder was stretching corporate security systems and handing unscrupulous cyber criminals a soft target to exploit. Attackers took aim at enlarged attack surfaces which could be struck relatively easily using tried and tested techniques honed long before the onset of Covid-19.
So, how has the pandemic changed the face of cyber security? Here are four key areas where Covid-19 has increased risk across the threat landscape:
1. More Homeworking, More Risk
Many of us experienced the sudden shift of workspace from office desk to kitchen table. WFH became the big new work challenge of 2020: how to balance educating the kids with walking the dog, running a household and managing a seemingly endless daily sequence of Zoom and Teams calls.
But the sudden switch to remote working soon made workers and corporate networks more vulnerable to attack. Employees resorted to using and sharing a range of insecure devices to handle sensitive data and connect with their office networks. Internet usage soared as our shopping, work and recreation went online. Millions of us worked in household environments which are relatively insecure and unprotected. Often, as we juggled daily priorities at home, cyber-protection slipped down the daily agenda.
2. Humans Make Mistakes
Human error has always been a headline cause of cyber security incidents. According to IBM research, as many as 95% of cyber-breaches are a result of human beings doing the wrong thing at the wrong time. Covid-19 seems to have amplified the problem by creating a working environment that’s less controlled and more stressful. For many, the pandemic turned their business world upside down, forcing them to work outside their comfort zone for longer hours with unfamiliar routines.
Staying productive became a struggle as work-from-home staff tried to balance work priorities alongside the competing needs of children, pets and family life. With so many distractions, it’s easy to see why employees are more likely to drop their guard, lose concentration or fall victim to even the most basic cyber criminal tactics.
3. Ransomware on the Rise
According to research from Group-IB, ransomware attacks are now among the biggest money-spinners for malicious cyber criminals, with the incidence of ransomware attacks increasing by 150% in 2020.
Thanks to the widespread confusion precipitated by the pandemic, incidents rose in scale as well as frequency last year. The average ransom demand doubled to $170,000 and the biggest extortions exceeded $1 million. Attacks are becoming more sophisticated and creating more havoc, causing an average downtime of 18 days for victim businesses.
4. Phishing for Covid
As Covid-19 crossed national borders and spread throughout communities, our fears and anxieties redoubled. At first, the new virus was poorly understood and we craved information about its symptoms, treatments and modes of transmission. With medical professionals overwhelmed, many of us readily engaged with any source of information we could find. Even today, emails with wording such as ‘Covid-19’, ‘Coronavirus’, ‘Covid Test’, ‘Track and Trace’ or ‘Vaccination’ are guaranteed a receptive audience.
Cyber criminals saw this as an opportunity to tap into our emotional vulnerability. Research shows that Covid-themed phishing emails have become significantly more effective at duping their innocent victims than other phishing methods. Average click rates increase from 3.1% to 4.1% for Covid phishing emails, and are over 50% higher for some organisations. A simulation in the USA conducted in March 2020 revealed that people were three times as likely to click on a phishing link and provide their credentials as they were pre-Covid.