
COVID-19 exposes new cybersecurity risks

April 21, 2020

Cybersecurity threats are moving as rapidly as the Covid-19 pandemic. What should you be doing today to protect your company’s assets?

More than 60 per cent of us were working from the kitchen table or the home office by the last week of March. But as the great work-from-home experiment continues, new cybersecurity risks emerge and established risks escalate.

“Whenever there is haste to make change, people – both employees and those setting up systems – make mistakes,” says Tommy Viljoen, Deloitte’s partner responsible for cyber risk strategy and governance.

While companies “relax their risk tolerances” to maintain business continuity, this leaves their data and intellectual property vulnerable to opportunistic cybercriminals, Viljoen explains.

The Australian Competition and Consumer Commission’s Scamwatch has received hundreds of coronavirus-related scam reports since the virus outbreak. The Australian Cyber Security Centre notes thousands of Covid-19-related websites have been registered in the last few weeks, many of them delivering ransomware to unsuspecting users.

Viljoen says more than 400,000 incidents of Covid-19 spam emails were disseminated between 13 and 26 March alone. Alongside the “massive spike” in phishing scams, Viljoen points to “socially-engineered cyberattacks” – where hackers use psychological manipulation to trick users into making security mistakes or giving away sensitive information.

“We’ve seen hackers take over someone’s email, pretend to be a supplier, and then insert themselves into a transaction to divert money,” Viljoen adds.

According to Richard Watson, EY’s lead partner for cybersecurity risk management, the three biggest risks in the property industry prior to Covid-19 were accounts payable fraud, ransomware on building management systems and malicious insiders.

“The cybersecurity threat was big before but has been amplified because, with Covid-19, we have a sure-fire trigger,” Watson says.

People are hungry for information and “this gives cybercriminals the perfect cover. Send an email about urgent policy updates or changes to working conditions and people will read it”.

Watson also expects to see a small increase in employee malfeasance.

“There has always been the threat of insiders selling personal information to the highest bidder. But the longer people are working from home, the greater the risk they will become detached from the business and their loyalty may be tested.”

Corporate monitoring systems “aren’t set up for this massive change in network behaviour,” Watson adds. “All the triggers and alarms that detect unusual activity and data breaches have gone haywire, so you are less likely to pick up bad behaviour right now.”

Viljoen notes that building management systems – now being operated remotely – could be more vulnerable. Legal sites that search for internet of things devices can help enterprises identify and lock down security vulnerabilities – but can also reveal those same vulnerabilities to hackers.

“In some cases, these security breaches may not affect the organisation today. Cybercriminals may watch what the organisation is doing for the next three, six or 12 months and then strike,” Viljoen explains.

Bob Hennessy, chair of the Property Council’s Cybersecurity Task Force and group chief information officer for Lendlease, urges companies to “take a systematic review of all of the changes to normal practice”.

“Given the fast pace at which companies have needed to move, it is likely that risk considerations have taken a back seat as changes needed to be made urgently,” Hennessy says.

“Many of these contingency workarounds could be in place for months, and in some cases may become the new standard practice, so they need to be properly assessed with the normal risk lens of the company.”

The call to action from the experts is clear. While there’s no need to sound the alarm, the property industry must remain alert.

“It doesn’t matter if people are sitting at home in shorts and t-shirts, or working on their own devices, they need to be reminded that the same rules still apply to protecting company assets,” Watson concludes.

Download Deloitte’s latest weekly cyber briefings.