Nine months in and the COVID-19 pandemic has taken a toll on many people’s physical and mental health. A distracted work-from-home (WFH) experience paired with lower overall morale makes staffs more susceptible to threats, and cybercriminals will take full advantage. Today, phishing has remained a prevalent threat, and continues to rise in sophistication and frequency.
A new Webroot report, COVID-19 Clicks: How Phishing Capitalized on a Global Crisis, also found that one in four Americans (26 percent) have received phishing emails specifically related to COVID-19, and another 44 percent are more concerned about phishing now than they were at the beginning of 2020.
Despite this growing concern, many Americans remain overconfident in their ability to spot phishing scams. The same report found that while seven in 10 American workers say they know enough to keep themselves and their personal data safe from cyberattacks, one in three have clicked a phishing link in the last year. More than half (59 percent) claim phishing emails look more realistic than ever before.
In today’s distributed work environment, security leaders must reiterate how cyber resilience supports overall business resilience during these challenging times. With that in mind, here are a five ways to reinforce strong security habits among the workforce:
- Ensure workers have clear distinctions between work and personal devices. The report found that one in three Americans use their personal devices for work, much higher than any other country surveyed. An additional 8 percent use their work devices for personal matters, while a whopping 43 percent do both. With so many employees working outside of traditional office settings, it’s difficult to enforce good boundaries. However, by ensuring workers have clear distinctions between work and personal time, devices, and obligations, businesses can reduce the amount of uncertainty that can lead to phishing-related breaches.
- Invest in regular training. Despite many Americans claiming they know how to spot a phishing scam, 59 percent said they regularly click on emails from unknown senders. To help employees develop better cybersecurity habits as well as a healthy dose of skepticism, companies must invest significantly in regular training and education, including phishing simulations. In fact, 35 percent of employees said knowing what to do if they fall victim to an attack would help prepare them to handle cyberattacks, and another 30 percent said understanding the most common types of attacks would help prepare them to handle cyberattacks. As psychologist Dr. Prashanth Rajivan, assistant professor at the University of Washington, said: “I am a strong believer in reinforcement learning. Human behavior is shaped by past experiences, consequences and reinforcement. To see a real change in human behavior related to phishing and online risk-taking habits in general, people need frequent and varied experiences, plus appropriate feedback that incentivizes good behavior and disincentivizes poor behavior.”
- Create a cyber resilient culture. Only 19 percent of American workers said they think all employees should play a role in their company’s cyber resilience. However, a culture of cyber resilience recognizes that everyone – not just IT – has role in cybersecurity. When businesses internalize this culture, they are better prepared, better able to respond and better positioned to experience growth. In addition to regular employee training, businesses can reinforce a cyber resilient culture by publishing regular communications on security topics in the form of emails, internal social media, posters and videos. Businesses should highlight real-world threats employees need to watch out for in their work and personal lives, and industry news about other businesses that were adversely affected by attacks.
- Update software and systems regularly. Hackers often exploit security holes in older software versions and operating systems. Regularly updating software and systems closes those holes. Fortunately, the report found that about one in four people update their computer operating systems and software more often than they did when they did prior to COVID-19. Remind employees not to put off updates and to regularly update their passwords.
- Back up data and make sure employees can access and retrieve data from anywhere. Although the pandemic has brought a new reliance on cloud and collaboration services such as Microsoft 365, only 65 percent of American respondents said they or their company backup their Microsoft 365 files, leaving a huge gap in data recovery plans. Yet 58 percent have needed to recover lost files since the pandemic began. While Microsoft 365 ensures the availability of a company’s infrastructure, it’s important to remember that every employee must protect their own data. Microsoft recommends a third-party backup provider for the types of everyday data loss scenarios that businesses can face. Employees are dealing with a lot of stress today, and we don't have to add security to the list. By simply minimizing false confidence and empowering the workforce with tools and training, security teams can better equip employees to confidently -- and correctly -- make strong, secure decisions about what to click and what not to click.
Tyler Moffitt, security analyst, Webroot