Q&A: Data thieves exploit COVID-19
Q: What kinds of cybersecurity problems are cropping up for teleworking and online learning?
A: As schools and businesses transition their workforces and students online due to the pandemic, Iowans need to take internet security measures seriously. Be aware that home networks are vulnerable to malicious actors looking to steal personal information as well as sensitive work-related data. Cyber thieves have long targeted vulnerabilities within employers’ information systems. Now, criminals and unfriendly state-based actors have set their sights on home-based systems and virtual private networks (VPNs). According to the Department of Homeland Security (DHS), attacks are being perpetrated by solo hackers and advanced persistent threat (APT) groups. These sophisticated organizations target government agencies, businesses and individuals. As COVID-19 disrupts nearly every facet of society, cybercriminals are taking advantage to cast a wider net with phishing and other internet-related scams to hook the enormous influx of teleworkers and online learners across the United States. The FBI’s Internet Crime Complaint Center (IC3) has reported a spike in cybersecurity complaints during the pandemic, climbing from a thousand up to 4,000 complaints daily. COVID-19 is producing a sustained surge in cybercrime.
When connecting home networks to office networks, teleworkers need to protect their devices from data breaches. Although VPNs are meant to establish secure tunnels to encrypt digital traffic, the DHS has found cybercriminals target unsecure networks. When hackers identify an unsecured network, they seek to infiltrate individuals’ computers and also take advantage of vulnerabilities in home-based routers to gain access to sensitive company information. Cyber thieves are seizing upon the fear and uncertainty stemming from the pandemic to trick victims into clicking links or opening files that contain malware or ransomware. These attacks include SMS (text messaging) and email phishing scams, malware distribution, registration of new domain names containing COVID-19-related terms, and business email scams. Phishing emails may appear to come from the World Health Organization or from sources using titles such as “Dr.” to persuade victims to visit phishing websites or download malicious files. More information on COVID-19 related cyberattacks can be found here.
Q: How can Iowans protect their business and home-based networks while teleworking?
A: Although it may seem like an unnecessary hassle, don’t skip security measures that protect devices and laptops connecting to home networks. Small businesses with a few employees don’t have large IT departments to trouble-shoot security breaches. Like locking one’s car or front door, every household should take steps to secure home-based networks used for work, school, entertainment or online shopping. Internet security experts advise individuals to use strong and unique passwords, enable multi-factor authentication, enable automatic updates for all routers and modems, replace old or outdated equipment, turn off remote management services, turn on router encryption, and install anti-virus, firewall and anti-spyware on personal devices. For more hands-on tips, check a resource guide specific to the COVID-19 pandemic published by the Cybersecurity and Infrastructure Security Agency (CISA) within the Department of Homeland Security.
The Federal Trade Commission (FTC) has issued security recommendations for securing wireless networks and routers. For example, changing the name of your router from the default ID assigned by the manufacturer can help prevent cybercriminals from gaining control and stealing personal information or misdirecting individuals to fraudulent websites. The National Cyber Security Alliance (NCSA) compiled a resource library specifically for those working from home during the COVID-19 pandemic. Iowans may check FTC’s year-to-date map of pandemic-related fraud complaints and internet-related crimes here. By mid-August, Iowans have reported $280,000 lost to fraud.
Q: What should employers do to protect their networks when employees telework?
A: The nonprofit Center for Internet Security (CIS) recommends best practices for employers to prevent cyberattacks. For example, companies should secure corporate VPNs by enabling multi-factor authentication (MFA) whenever possible. Employers should also ensure the VPNs employees are using at home are up to date and include the latest software patches and security configurations so that networks cannot be infiltrated. CISA has issued guidance on patching and updating software and securing network infrastructure devices.
Businesses and individuals can help thwart cybercrimes with prevention, awareness and planning. Be smart and exercise caution. Don’t open suspicious emails or click on links in suspicious text messages that may contain harmful attachment files. If you believe your home network has been corrupted, contact your employer immediately. Attempts to gain unauthorized access to a system or unwanted disruptions, phishing or malware can be reported to CISA at DHS. Report incidents to the FBI’s Internet Crime Complaint Center and the FTC regarding internet criminal complaints and consumer scams, respectively.