The COVID-19 outbreak provides ripe opportunities for criminal actors to exploit fear, uncertainty, and companies ill prepared to to secure remote workers, driven to home offices by travel restrictions and social-distancing.

The first threat comes in the form of misinformation and weaponized websites and documents. Websites and apps with outbreak maps are attracting unwitting victims to these COVID-19 watering holes. Coronavirus-themed campaigns use PDF and Microsoft Office 365 documents to deploy remote access tools (RAT), spyware, credential harvesting tools, and a cornucopia of malware. Other attacks will use phishing lures that invite employees to coronavirus-related remote conference meetings. As isolated employees starve for information and connection, they are unwitting carriers of COVID-19 malware.

And the second threat comes from a remote workforce, adapting to life in home offices with little to no warning. Actions designed to stop (or at least slow) the spread of COVID-19 will likely accelerate cyberattacks that exploit your own tools. Criminals will harvest VPN credentials, access your network through PowerShell or Remote Desktop Protocol (RDP) and hijack administrative privileges to access critical business systems. It’s a well rehearsed play. And it works. In essence, criminals will use your own employees’ privileges as a backstage pass to your corporate assets.

Back in 2012, eSentire reported similar attacks during and after the chaos caused in New York by Hurricane Sandy. The hurricane redefined standards for business continuity plans (BCP) and disaster recovery (DR). COVID-19 will redefine our work-from-home policies and the security practices we apply to our distributed workforce. And like Hurricane Sandy, the natural disaster will not erode your accountability. Remote workforces should have always been considered in any security program. There are a few things you can do to minimize your risk and secure your employees, diligently working from home:

  • Discourage the sharing of COVID-19 information. Use official company channels only.
  • Keep your employees informed of coronavirus-related scams, frauds and compromised websites and phishing schemes. Knowledge is power.
  • Provide tips to secure consumer-grade internet devices like routers. Most routers are easily exploited as the admin account is still set to publicly known manufacturer’s defaults.
  • Use a VPN to encrypt remote connections.
  • Enforce multi-factor authentication for remote access to reduce the risk of compromised VPN credentials.
  • Disable administrative rights for remote workers to eliminate the risk of compromised VPN accounts used to create new users with admin privileges.
  • Revisit your Business Continuity Plans (BCP) to ensure they cover a pandemic-driven remote work policy.
  • Consider running a COVID-19-based incident response. Gather your executives and leaders to run a simulation in which a key employee tests positive for COVID-19, after accessing the office while symptom free.

This isn’t a seasonal migration from congregated masses to isolated offices of one. COVID-19 is an acute test of the industry’s ability to secure a distributed environment. The reality is, threats like COVID-19, adoption of cloud-based services, and a scattered workforce creates a climate-level change that requires a rethink of how we secure our workers beyond the traditional perimeters.

Watch eSentire’s new Coronavirus: You Don’t Get a Pass on Cybersecurity webinar to learn more.

Mark Sangster, Vice President and Industry Security Strategist, eSentire