You’ve provided all of your IT users with teleworking platforms and now everyone in your organisation is able to work entirely remotely. But the pandemic is keeping you extra busy. Strangers start hacking into sensitive online meetings. Employees complain of chronic stress and fatigue and seem to be making more mistakes than usual. Several employees receive an email reportedly with an update from HR. They end up clicking links containing malware. Some of your employees start using personal devices, emailing documents to themselves and storing important documents on local storage systems. Data goes missing. You’re breaching your GDPR responsibilities and exposing your company to potential legal and financial risk. Confidential information ends up being posted online which you suspect may be linked to the observation that many of your employees share a workspace with family or flatmates…
Covid-19 has upended our social and professional lives. Following stay at home orders and concerns over safety, our day-to-day interactions have increasingly shifted online, resulting in an even greater reliance on digital communications and teleworking platforms. Moreover, the pandemic and resulting lifestyle changes have deeply affected our mental states and cognitive processes. This “new normal” offers a target rich environment for cybercriminals and increased risk exposure to employee error. Whilst many organisations enable employees to practice strong cybersecurity behaviours, the events of 2020 have changed the context rapidly, potentially leaving some organisations vulnerable. Thousands of businesses have already paid the price for not adapting fast enough.
Have you covered all of your key current user-related cybersecurity vulnerabilities?
Social Machines has created the STEP Framework to help cybersecurity professionals identify and mitigate Covid-19 related vulnerabilities across four key user-centric factors: Social, Technological, Environmental, and Personal:
Humans are driven by relationships, norms, and pressures. Malign actors seek to exploit these traits. Fraudsters frequently seek to manipulate their victims’ trust and the shift to teleworking has enabled these actors to more easily impersonate friends, family, colleagues, as well as professional authorities such as human resources. Malign actors will frequently use fear and create a sense of urgency in their social engineering approaches. Triggering strong affective responses in their targets can temporarily lower a victim’s ability to detect irregularities (such a typos), suspicious requests, or malicious communications, increasing their vulnerability. One such scam email proposed to have results of Covid-19 tests, another, purported to be from HR suggesting that the victim may be made redundant due to the pandemic.
In many cases, companies’ remote working systems and policies have been set up quickly, originally on a temporary basis. Operational risks could include poor data protection systems, which could result in irrecoverable data losses and expensive recovery efforts. Regarding legal risks, employees using their personal devices could facilitate accidental sharing of confidential or personal information, exposing the company to breaches of data protection regulations. Furthermore, workers now rely on a host of different platforms to communicate and do their jobs. Cybercriminals have taken advantage of this, impersonating employees, surreptitiously joining team meetings, and using URLs designed to mimic popular video calling platforms. Many companies have not enabled authentication mechanisms such as 2FA, or informal processes for employees to validate suspicious communications, which previously might have been done face-to-face in the office. These attacks rely on our awareness and trust in teleworking platforms but also our inability or unwillingness to challenge suspicious communications.
The need to avoid discussing sensitive information in front of family or housemates, provides an additional stressor for employees, particularly younger colleagues who are more likely to live with flatmates, who they may be less able to trust. Employees’ cyber security habits may worsen after working from home and companies may not be providing employees with the required data management or cyber security training for working remotely.
Attackers seek to exploit their victims’ personal vulnerabilities. This can be taking advantage of flaws in their cognition, striking early in the morning or late at night when they are not fully concentrating. This can be particularly effective currently given many employees are working longer hours and may be experiencing additional stress as a result of the Covid-19 pandemic. These conditions also increase the chances of human error. Furthermore, our home workspaces provide more opportunity for distraction and a lack of supervision may tempt employees to stream online content or browse social media whilst working, increasing the likelihood that they make mistakes or fall victim to social engineering attacks.
The deeper STEP Framework offers an easy-to-use methodology for identifying human factors vulnerabilities caused or exacerbated by the pandemic, helping your organisation mitigate the risks of cyber attack and data breach.
Please contact firstname.lastname@example.org to find out more.