The ways we interact with the world have changed considerably over the past few months, and our connection with the digital world is no exception. As the COVID-19 pandemic has driven more people to work from home, significant vulnerabilities in digital communication media have been revealed, and companies are hard-pressed to find solutions. Fortunately, the cybersecurity industry exists to assess and combat just these issues. As we become more dependent on digital technology, cyber startups will be critical in the fight against viruses and other technological incursions.
What are the new cyber threats facing us since COVID-19?
Although it may seem that the threats facing us are new, many of these weaknesses in digital infrastructure existed prior to the COVID-19 crisis. However, according to a joint brief released in April 2020 by the United States Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC), malicious actors have begun using COVID-19 themes to perpetrate cyberattacks against individuals and businesses. Increased use of unsecured digital platforms from employees working from home has further amplified the problem.
To combat these unprecedented challenges, businesses and individuals alike must be aware of potential threats and prepared to combat them. While many of the attacks follow previous patterns and methods, they now use COVID-19 as a theme to gain access to personal information. Types of attacks to watch out for include phishing, malware dissemination, false domain names, and remote infrastructure hijacking.
Phishing Scams
At its most basic, phishing involves the use of email, social media, and other messaging or telecommuting services to trick a victim into providing personal information. Although you may be familiar with some of the more common phishing scams that have been perpetuated over the years, cyber attackers continue to develop more sophisticated approaches. They will often use the names and titles of trusted sources to gain the victim’s confidence. Professional titles, government organizations, and even the names of people with whom the victim is acquainted may be used to obtain sensitive personal information.
In addition, victims may receive emails or communication on official letterhead or with the official seal or brand of a legitimate organization. With the advent of COVID-19, many phishing scams now include seemingly legitimate COVID-19 related information to lure victims into providing private information.
Malware Dissemination
Similar to phishing, malware dissemination uses email, social media messaging, and other communication methods to distribute malware via links or file attachments. Malware communications will often use real names, hacked email and social media accounts, and official organization information in order to encourage users to click on the link or download the file. The link or file downloads malicious software onto the victim’s computer or mobile device, and the malware can then be used to obtain personal information from the device and any associated accounts or networks.
Often cyberattackers use malware for “hack-and-leak” operations in which data is held for ransom under threat of being leaked to the public. They threaten to release sensitive information unless the organization pays a specific amount.
As COVID-19 drives more people to digital platforms, malware distribution is becoming more prevalent. Not only are there more users on hastily constructed platforms with poor security, but more overall communication is also happening via digital platforms. The increased usage and unsecured communication platforms creates the perfect environment for malware distribution. What’s more, malware distributors are using COVID-19 as a theme to take advantage of insecurity and fear surrounding the pandemic.
False Domain Names
In this time of uncertainty, many people are turning to internet resources to learn more about the COVID-19 virus, the state of the pandemic, and ways to prevent the spread of the disease. Cyberattackers are taking advantage of the situation by creating false domain names with COVID-19 and coronavirus related words and phrases. Once on the site, victims may be asked to enter private information in a phishing scam, or they could be encouraged to open a document or file which will download malware onto their system.
False domains will often have a similar name to an official site or organization and will make every effort to appear legitimate, from seals and graphics related to the organization to actual names of members and authorities. They can be used to duplicate websites where you may enter sensitive information, such as bank or credit card sites, healthcare websites, or even governmental sites such as the IRS.
Attacks on Remote Access and Telework Platforms
You may have heard about or even experienced the problems customers encountered on the Zoom platform when their business meetings were hijacked by cyber attackers. Unfortunately, Zoom is not the only platform to have been affected by this type of cyberattack. In the first wave of closures and stay-at-home orders, many businesses scrambled to find some means of maintaining business communication between employees working from home.
While there are a wide variety of digital communication methods available on the market, many platforms do not have sufficient cybersecurity to ensure that their communication remains private. Cyberattackers can hack onto these platforms and disrupt communications, or they can remain silent and obtain private information from the meeting. This information can be used to further hack your company’s infrastructure for data that the attacker can use for personal gain.
Many cyberattacks in the time of COVID-19 depend on social engineering and human nature to achieve their purpose. They understand the concern and curiosity surrounding the coronavirus pandemic and use these human reactions to entice users to provide personal information, download malware, or visit a false domain. It is incumbent upon both businesses and individuals to take appropriate precautions in order to avoid falling victim to these cyberattacks.
How can we combat cyberattacks now and in the future?
In order to guard against and prevent cyberattacks in your organization, it is important to stay abreast of current developments and maintain a high level of cybersecurity for your in-house and remote systems. There are two primary ways to safeguard your information: remain alert and use adequate cybersecurity technology.
Remain alert and informed
In the digital world, knowledge is power. Simply being aware of the ways in which cyber attackers obtain information can help you to avoid phishing scams, malware distribution, and false domains. The NCSC offers a comprehensive guide to “Dealing with suspicious emails, phone calls, and text messages“, which provides some information on the more common scams, as well as guidelines to avoid them:
- Authority: Since cyberattackers often use the names or titles of important agencies or individuals, be wary of communication that claims to be from someone official such as a bank, healthcare professional, or governmental agency.
- Urgency: Attackers will try to cause a panic so that you will perform the requested action quickly to avoid negative consequences.
- Emotion: Cyber attackers use your emotions against you. If a communication seems to be playing on your emotions, it may be a scam.
- Scarcity: If the communication you receive creates a sense of urgency by claiming that something is in short supply, it may be a scam. The goal is to make you respond quickly without taking the time to consider whether the sender has malicious intent.
When using online communication platforms for online meetings, the FBI also recommends taking the following precautions:
- Ensure that all meetings are private, with a password or waiting room option to prevent unwanted guests.
- Protect the meeting link and password by transmitting it directly to specific people, not via public platforms such as social media.
- Preven unwanted screen sharing by setting it to “Host-Only”.
- Be sure that all patches and updates have been installed by all remote application users.
- Create and maintain telework policies that specifically address cybersecurity.
Even with these precautions, the CISA and NCSC both indicate that some phishing and malware attacks will be successful, so it is best to plan for every eventuality.
Use adequate cybersecurity technology
In addition to ensuring individual and organizational vigilance, the use of the latest cybersecurity technology is critical for the success of your online operations. Although phishing and malware distribution communications are largely caught by users using the above guidelines, organizations can further protect themselves by using technology geared toward preventing attacks. The NCSC suggests a four-layer technological approach to stave off cyberattacks.
- Make it hard for attackers to contact your users. You can reduce potential contact through the use of firewalls, filters, and other protections geared toward identifying and eliminating questionable communications.
- Use software to help identify and report phishing emails, so that you can continuously improve your security processes.
- Have policies and protections in place to mitigate the effects of undetected phishing communication and malware distribution.
- Respond to attacks quickly, and update your security protocols and systems accordingly.
How do Cyber Startups Help Fight Cyber Attacks?
The world of cybersecurity is complex and ever-changing, even more so during this unprecedented time. Although there are a variety of reliable resources for cybersecurity techniques and procedures, companies should work with cybersecurity professionals are dedicated helping them find the best security options for their company’s particular needs.
As digital business and communication methods continue to evolve during and after the COVID-19 pandemic, organizations will need to find ways to remain ahead of changing cyber threats. Cyber startups are the best way to ensure that companies stay abreast of new and potential challenges. Cyber startups offer the advantage of independent innovation and in-depth cybersecurity knowledge. With the freedom to develop products and engineer solutions outside the purview of corporate or organizational authority, cyber startups can fully dedicate their time and money to new ideas and approaches.
Cybersecurity Investment in the Time of COVID-19
There is no question that cybersecurity plays an increasingly critical role in the daily operations of companies and organizations around the world. In order to facilitate the development of key privacy technologies and engineering techniques, investment in new cybersecurity ideas and innovations is crucial. Through thoughtful investment in new techniques and technology, the world of cybersecurity can continue to provide advanced security solutions that will help companies and organizations stay ahead of hackers and other potential threats.
With increasing legal and regulatory demands for organizational accountability, cybersecurity firms need the resources to innovate, develop, and deploy unique security solutions to their clients. Investment in cybersecurity provides the solution that security firms and privacy engineers need.
At Option 3 Ventures LLC, we specialize in the investment and development of cybersecurity and adjacent technologies. We are dedicated to finding the perfect security solutions for companies that fall outside the realm of traditional cybersecurity. Our seasoned experts draw on the specialized knowledge and experience of managers and advisors in the United States national security community, whose extensive understanding of operations and technology investments provide unique insights. With a combination of insider knowledge of the industry and investment capacity, we have become a driving force in the development of cybersecurity and privacy engineering services.