April 27, 2020

Simple cyber security moves for businesses in COVID-19

Cyber threats soar as offices empty. Here’s how to keep your systems as well as your people safe.

With workers at home on remote access technology and a heightened reliance on online and ecommerce, businesses face greater cyber security risks. Two experts share their tips on reducing the threat for minimum cost.

Such is the fallout from COVID-19 that even the best-prepared businesses have been taken by surprise.

“The usual approach to business continuity planning is to focus first on the most likely risks,” says Alex Woerndle, Cyber Security Principal Adviser at Ecosystm. “A pandemic with the impact of COVID-19 would be regarded as a once-in-100-years event. Even relatively mature organisations weren’t ready for that.”

Practically overnight, as social distancing and lockdowns became the norm, business owners found themselves scrambling to transform the way their people work.

“That isn’t an easy task at such short notice,” Woerndle says. “Many companies have been racing to provide access to their internal networks for people working from home. Some businesses might also be trading online for the first time or trying to cope with an increase in online traffic as more home-bound people shop online.”

At the same time, cyber criminals have sought to take advantage of less secure connections and less robust systems. In a crisis, they are often the fastest to react. “Home systems can provide an easy way into a corporate network,” Woerndle says. “Hackers can leverage the chaos to gain information, or even persuade people to send them money.”

It’s also important for business owners to remember that, however your business is operating at the moment, you’re responsible for protecting customers’ personal information by law.

Businesses too small for a dedicated IT team, a sophisticated helpdesk or a generous security budget can feel particularly vulnerable. The good news is that understanding the threats and putting a few free or low-cost precautions into place can significantly reduce the likelihood of a cyberattack.

Falling victim to cyber ransom

According to Richard Watson, Lead Partner of APAC Cyber at EY, a ransomware attack is one of the major threats associated with remote working for businesses of all kinds. In such an attack, an attacker uses malware to encrypt the victim’s files, then demands a ransom to restore access to those files.

“This could cripple your systems when you need them most,” Watson says.

Watson explains that ransomware is usually introduced via a phishing email – an email that tricks people into clicking on a link or providing information – and he has seen a significant increase in such emails with a COVID-19 theme.

“These claim to provide up-to-the-minute information, lab results or even products to help fight the virus,” he says, “but clicking the link will actually install malware and ransomware on to the user’s device. Business owners should also be on the lookout for emails purporting to offer precautionary guidance or policy updates.”

Keeping data safe from loss

Data loss is another serious risk when people are working from home.

“Home systems tend to be less secure, and there’s a danger that people will forward confidential data to computers or printers without up-to-date virus protection,” Watson says.

“Also, few people think to change the default password on their wi-fi router but, when they don’t, anyone who can receive the signal is able to log on and potentially access the data passing over the network.”

The risks of counterfeiting

Working remotely can also have an impact on less technical processes.

“Hackers are becoming increasingly skilled at creating counterfeit invoices, or changing the payment details on authentic documents, in an attempt to divert money to their own accounts,” Woerndle explains. “When you’re in an office it’s easy to walk over and check with the boss. When you’re all at home, simple systems like that can easily break down.”

Simple steps to greater protection

COVID-19 has seen most businesses rely increasingly on digital, whether that’s remote working or an increase in ecommerce and online activity. Taking into account these three suggestions can help you avoid or, if the worst should happen, recover from a cyber-attack.

  1. Make sure you’re familiar with the threat

If you’re new to buying or selling online, you need to know about the various ways cyber criminals might target your business. You’re also responsible for protecting your customers’ personal data. Business.gov.au has up-to-date information on cyber threats and how to protect your customers’ information.

  2. Make staff training a priority

If you have staff, frequent communication will help maintain a sense of community while people are working remotely. And, as Watson points out, it’s also an opportunity to keep security top of mind with regular reminders wherever they’re working. For example:

  • be on the lookout for phishing emails, particularly those related to COVID-19
  • if you’re working remotely, apply the same protocols to sensitive data as you would in the office
  • don’t use personal devices for work, even when you’re at home
  • don’t connect to public wi-fi
  • don’t let family use your work devices.

“It’s well known that people are the weakest link,” Woerndle says. “But, properly trained, they can become your strongest defence.”

  3. Protect your data

Not all cyber events are the result of accidents or mistakes. Some employees deliberately leak confidential data for financial gain, or to cause damage or disruption to the business.

Woerndle recommends limiting the potential impact by enforcing strict controls around access to data. “No-one should have access to more data than they need to do their job,” he says.

  4. Test for weaknesses

Cyber audits can identify any weaknesses in your technical security and, if you have staff, whether they are suitably trained.

“Regularly conducting phishing simulation exercises is a very good idea, as are penetration tests designed to identify specific vulnerabilities and defects in your software,” Watson says.

However, he stresses that no amount of security can guarantee protection.

“If you are attacked, the most important thing is to recover quickly, and that means incidents must be reported immediately,” he says. “Your people need to know who to call, and they must feel absolutely confident they won’t be punished if they made a mistake.

“You should also make it a top priority to have some sort of agreement in place to support your recovery.”

For more information on protecting your business from cyber threats, see NAB’s dedicated cyber security hub for businesses.