KPMG is warning businesses in the South East of a dramatic rise in Covid-19 related cyber attacks and is sharing some tips for thwarting their success.
The business advisory firm says attacks are primarily of two types: phishing scams preying on people’s concerns about the virus; and hacks that exploit the IT security risks associated with mass homeworking and an IT function under pressure. Thomas Collins, who leads KPMG’s Private Enterprise practice in London and the South East, says: “We are seeing that the region’s organisations are at significantly greater risk of a cyber incident at the moment due to an increase in attempts by organised criminal gangs to exploit the uncertainty which COVID-19 brings. Many cyber criminals have changed their tactics to use Covid-19 related materials on health updates, fake cures, fiscal packages, emergency benefits and supplies.
“The lockdown in human terms has triggered the opposite requirement from systems in some cases, which have had to open up to a greater extent than ever before to facilitate a significant rise in home working. As the region’s workforce copes with new ways of working and using technology, IT systems and processes, including some security protocols, are also being altered. Both the human and the infrastructure elements of business may be more vulnerable to cyber crime during this time.
“Clearly, with business directors already focused on multiple challenges, the last thing they want to fly onto their agenda is a fraud or a hack.”
Tips for reducing cyber risk
Social engineering is often used, making people the weak point. Raise the workforce’s awareness levels, letting them know it’s a time of heightened risk. Don’t just rely on annual training; freshly educate the workforce to be vigilant to suspicious activity, looking for the usual giveaways of a phishing email in a work context, for example:
- Poor email quality in terms of grammar, spelling and design
- Not addressed by name but uses terms such as “Dear colleague,” “Dear friend” or “Dear customer”
- Includes a veiled threat or a false sense of urgency
- Directly solicits personal or financial information
- Includes a link to a website asking you to change something
- And, of course, if it sounds too good to be true, it probably is.
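The giveaways above can be turned into a first-pass triage check that a helpline or reporting channel could run over a message staff forward in. This is an added example, not KPMG's code; the sample messages are constructed, and the regular expressions are illustrative assumptions rather than a tested detection ruleset.

```python
import re

# Constructed sample messages (not from the article) used to exercise the checks.
SAMPLES = {
    "phish": {
        "subject": "URGENT: COVID-19 relief payment - act within 24 hours",
        "body": (
            "Dear customer, your emergency benefit is pending. Click "
            "http://example.invalid/update to verify your account details and "
            "password, or your claim will be cancelled."
        ),
    },
    "legit": {
        "subject": "Q2 report for review",
        "body": "Hi Sam, the draft report is attached. Let me know your comments. Thanks, Alex",
    },
}

# One pattern per giveaway in the list above (patterns are illustrative assumptions).
# Poor grammar, spelling and design are left to the human reader; they are not
# reliably detectable with simple patterns.
INDICATORS = {
    "generic greeting": re.compile(r"\bdear (colleague|friend|customer|user|member)\b", re.I),
    "false urgency": re.compile(
        r"\b(urgent|immediately|act now|within \d+ hours|will be (cancelled|suspended|closed))\b", re.I),
    "solicits personal or financial info": re.compile(
        r"\b(password|account details|bank details|card number|date of birth)\b", re.I),
    "link asking you to change something": re.compile(
        r"https?://\S+.*?\b(update|change|reset|verify|confirm)\b", re.I | re.S),
    "covid-19 lure": re.compile(
        r"\b(covid|coronavirus|cure|relief payment|emergency benefit|fiscal package)\b", re.I),
}


def phishing_indicators(subject: str, body: str) -> list[str]:
    """Return the names of the listed giveaways found in a message."""
    text = f"{subject}\n{body}"
    return [name for name, pattern in INDICATORS.items() if pattern.search(text)]


def is_suspicious(subject: str, body: str, threshold: int = 2) -> bool:
    """Flag a message for follow-up when several giveaways occur together."""
    return len(phishing_indicators(subject, body)) >= threshold


if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        verdict = "suspicious" if is_suspicious(**msg) else "ok"
        print(f"{label}: {phishing_indicators(**msg)} -> {verdict}")
```

A single hit on its own (a colleague writing "urgent" in a genuine email) is not enough to flag a message, which is why the verdict requires several giveaways to co-occur.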
Run a helpline or online chat line which staff can easily access for advice or to report any security concerns, including potential phishing.
Make sure strong passwords are set up, and preferably two-factor authentication, for all remote access accounts, particularly for Office 365 access.
Ensure that critical security patches are applied and update firewalls and anti-virus software across the IT estate, including any laptops in use for remote working.
Disable USB drives to avoid the risk of malware, offering employees an alternative way of transferring data, such as a collaboration tool.
Ensure that finance processes require finance teams to confirm any requests for large payments. This can help to guard against the increased risk of business email compromise and frauds. Ideally, use a different channel such as phoning or texting to confirm an email request.
Back up all critical systems and validate the integrity of backups, ideally arranging for regular offline storage of backups.
Ensure the organisation has an alternative audio and video conferencing environment available. This will be needed if a ransomware incident disrupts IT systems, and it also offers another option if the primary conferencing provider has capacity or availability issues.
Thomas Collins concludes: “Covid-19 is driving changes in how organisations work, stay safe and secure.
“There’s no such thing as a technology safety blanket but the winners will be those with a proactive mind-set, who take action around consistent monitoring, reporting and education.
“That said, as well as preventative measures, organisations also need to think about their ability to recover in the event of an attack and to ensure they can communicate with all of the workforce whenever required.”