What COVID is teaching us about our cyber vulnerabilities

Regardless of your business or your personal situation, it is hard to imagine that you have not been impacted by COVID.  Among other things, it has exposed how vulnerable we are personally.  How vulnerable our company is.  How vulnerable our communities are.

And these vulnerabilities can create a sense of anxiety, which can build on itself, leaving us feeling helpless.

Perhaps the single most important thing we can do when we are vulnerable is to connect.  To communicate.  To reach out to others.  If we do nothing but isolate, the vulnerabilities expose and consume us.

Cybersecurity professionals deal with vulnerabilities all the time.  Often they work as a separate group, perhaps communicating only with other IT staff.  Unfortunately, apart from compliance audit reports or token security awareness programming, cybersecurity is rarely communicated and integrated into the overall culture of the business.  How many times do security professionals say of corporate users and leadership, “They just don’t understand,” while C-suite, marketing or other department users say of cybersecurity, “They just don’t understand”?  Imagine the understanding that could occur if everyone began to lean in and communicate about these issues as one team.

Just as in these times, a key way to address vulnerabilities in your systems is to connect and communicate across channels.  The more the IT and cybersecurity team engages with business leaders, staff and other stakeholders, the stronger the organizational culture will be for mitigating vulnerabilities and building resilience.

CARES Act Phishing Scams Target Small Business

Online scammers continue to use the COVID-19 crisis to their advantage. We have already seen phishing campaigns against the healthcare industry. The newest target? Small businesses. This week, the Small Business Administration Office of the Inspector General (SBA OIG) sent out a letter warning of an increase of phishing scams related to the new CARES Act targeting business owners.

CARES Act Loan Scams

The uptick in phishing scams imitating the SBA is primarily linked to the recent stimulus bill the government passed in response to the ongoing COVID-19 crisis. The bill, called the CARES Act, includes $350 billion in loans for small businesses. Given the current crisis, many businesses are eager to apply for loans, opening the door to new forms of phishing scams.

In addition, the scale and unprecedented nature of the loan program allows phishers to capitalize on the confusion surrounding the loan services. Last year, the SBA gave out a total of $28 billion, but now has to create a system to provide roughly 12 times that amount over the course of a few months. To help with the process, Congress allowed the SBA to expand its list of loan vendors. While this may speed up the process, banks with no prior experience with SBA loan programs will now be distributing funds. Speeding up the loan process will certainly help ease the pain of many small businesses, but it also leaves room for errors, errors that scammers can use for personal gain.

What to Look For

Business owners are already seeing this happen.  A small business owner recently applied for a loan under the CARES Act to help keep her business running. Shortly after filing her application, her husband received an email stating they would need to fill out and return a tax statement to complete their application.

The email included the SBA logo and looked legitimate. However, on closer inspection, she realized the account number listed in the email did not match the one she received when applying for the loan, and the email address was not from an SBA email account.

Breathe in, Breathe O-U-T

This business owner was savvy enough to not fall for the scam, but others are likely to be tricked into handing over sensitive information or paying money to online scammers. In order to protect people against phishing campaigns, we recommend what we call the Breathe O-U-T Process:

  1. When you first open an email, take a Breath. That’s enough to get started, because it acts as a pattern interrupt in automatic thinking and clicking (which is what leads people to bite the bait).
  2. Next, Observe the sender. Do you know the sender? Does their email address match who they say they are? Have you communicated with this sender before?
  3. Then, check URLs and attachments. Hover over the links to see if the URL looks legitimate. Be wary of zip files or strange attachments. If you aren’t sure whether a URL is legitimate, go to Google and search for the page there instead.
  4. Finally, take the Time to review the message. Is it relevant? Does it seem too urgent? Does the information match what you already know? How’s the spelling? Be wary of any email which tries too hard to create a sense of urgency. In addition, phishing emails are notorious for poor spelling and grammar. While we don’t all write as well as our fourth grade teacher, be careful when you see a lot of “missteaks”.

We’re living through strange and confusing times, and there are people out there who will use that to their advantage. Just taking a few extra minutes to make sure an email is legitimate could help save you a lot of extra time, worry, and money — none of which we can spare these days.

If you want to learn more about phishing scams and how to protect yourself, we are now offering the first month of our cyber awareness course entirely free. Just click here to sign up and get started.

Communication Key to Keeping Remote Workers Engaged and Cyber Safe

At this point, many companies have instituted work at home policies.  And, assuming that the organizations have taken the right steps to secure their remote workers and increase their bandwidth to handle the increased loads and redundancies, business can get back to the new normal, correct?

Not quite.  The key to managing remotely is communication.  And I’m not talking about emails from the company referencing COVID-19.  I’m talking about ongoing communication that keeps the staff engaged, strengthens the culture and overcomes isolation.

There are many ways to do this.  Here are a few you can do right away.

  1. Daily virtual standup meetings.  Have your teams jump on a video call at the same time each day for a quick chat about what went well and what blockers have come up since the prior day’s call.  Make it video so people can see each other, which improves the socialization aspect of the meeting.
  2. Catch them doing something good.  Each day call out someone for doing something well, especially if it involves helping clients or each other.  Support is now a key differentiator and it should be rewarded.
  3. Conduct white-hat phishing exercises.  Phishing hasn’t gone away.  In fact, COVID-19 has given the bad guys something else to use as a lure.  Keep your team digitally aware by running phishing simulations, but let them know you are doing it and reward them for any phish they report.  That way you both sensitize the team to be on the lookout for suspicious emails and keep them positively engaged at the same time.
  4. Step up security training for privileged users.  With the changes to network access and perhaps the installation of additional technologies to support remote access, it is critical you spend the time with your systems, application and network teams on security role-based training to ensure that the assets are appropriately configured.  Misconfiguration poses a large cyber threat in the best of times; even more so now.  Of course, make sure you are catching them doing something good, as well. (See #2 above.)
  5. Create standing “tea-times”.  Let’s face it, part of working together is socialization.  For teams not used to working remotely (and therefore not used to connecting with each other on a social basis remotely), carve out some time each day which permits them to reach out and talk to each other about whatever they want.  You don’t have to over-engineer this; giving permission might be all you need to do.

An organization’s ability to respond to any challenge depends in no small part on the strength and resilience of its culture.  Focusing on, communicating with, and recognizing your staff will go a long way to keep people working together.  Even when they’re apart.
