More than 60 percent of phishing expeditions are now COVID-19 related as criminal hackers exploit the global pandemic, producing malicious emails dressed up as legitimate correspondence and attempt to gain access to companies’ computer systems.
This warning was issued by panelists participating in NATIONAL Capital Markets’ Cybersecurity and Reputation Management virtual panel on May 13—Imran Ahmad, a partner at Blake, Cassels and Graydon LLP, who specializes in technology, cybersecurity and privacy law; David Masson, director of Enterprise Security at Darktrace, a leading cyber AI company, and Dan Brennan, Senior Vice-President of B2B Technology at SHIFT Communications in Boston.
Andrea Mandel-Campbell, Senior Vice-President, Financial and Crisis Communications at NATIONAL Toronto, moderated the hour-long panel, the second in NATIONAL’s exclusive web series exploring how various aspects of business are being disrupted by the global pandemic.
“All the support you get from IT or cybersecurity support, well that’s gone out the window because no one is there at the office anymore,” said Mr. Masson, “When you have a headquarters, threat actors have one place to attack but, if you’ve got 500 employees, well now they have 501 opportunities to attack rather than just the one place. It’s made it much easier for threat actors and so much more difficult for the defenders to actually look after themselves.”
Mr. Ahmad studies trends in cyber attacks. Prior to the pandemic, he said, ransomware attacks, where malicious software infects a company’s system and locks up its data, were popular, with ransom demands increasing in value from between $250,000 and $300,000 in 2018 to between $1.2 million and $1.5 million now.
Phishing attacks on the rise
Mr. Ahmad also saw business emails compromised—which seems to be where cybercriminals are now focusing their efforts during the pandemic.
“What we have seen is an increase in email phishing attacks,” said Mr. Ahmad. “We are seeing criminals who are actually studying the Canadian marketplace, so they are able to reference statements or comments made by our government officials in their correspondence. It seems legitimate, but, unfortunately, they are actually malicious emails coming through.”
Phishing is a practice used by criminal hackers to entice people to reveal personal information, such as credit card numbers or social insurance numbers. The hackers develop emails that resemble legitimate ones so that a reader will click on it, open it or open an attachment, which gives hackers access to their personal computer and possibly their company’s server, allowing them to steal data or paralyze a business’s operation.
Mr. Masson noted cybercriminals are using the public’s “great thirst” for information about everything related to COVID-19 to their advantage. For example, if an email with a subject line related to COVID-19 pops into an inbox, the temptation is to automatically click on it, allowing the hacker access to the email account.
“They are using that to trick people into basically clicking on the link and looking at the attachment,” he said. “It’s the classic use of fear, uncertainty and doubt by threat actors to get their attacks in.”
He describes these phishing tactics as “fear-ware”.
Panelists also warned that companies working on research involving a COVID-19 vaccine and other treatments for the deadly virus must be vigilant as their information and data are now extremely valuable.
Mr. Ahmad flagged that a key point of vulnerability is the supply chain—smaller companies lower on the supply chain may be easier to attack, allowing hackers to get in and eventually reach the main target.
“It is often easier to attack way down the supply chain than to go for the main event itself,” says Mr. Masson.
What should companies do to protect their data and their reputation?
Have strong security protocols
Mr. Brennan says it’s critical for organizations to not only have strong security protocols, but a strategic crisis communications plan in the event of a breach.
“Urgency, pace and timing makes all of the difference,” he said. “Ensure that your communications are consistent, control the message as best as possible and tell the whole truth, not part of the story.”
Show empathy and accountability
In responding to a breach, companies must also show a level of empathy, he said. There are victims in cybersecurity breaches, and companies must recognize their customers’ or clients’ information has been stolen and could possibly be made public.
“You have to take that with the utmost of importance,” said Mr. Brennan. “There has to be some sort of promise to make it right, to take accountability.”
Says Mr. Masson: “Disclose (the breach) sooner rather than later. If you don’t, someone else will, and it won’t be on your terms.”
Avoid creating new standards
When asked what is the biggest mistake that companies can make, Mr. Brennan says it’s breaking their own protocols and setting new and different communication standards as they go.
“There are a lot of one-off questions that come in and there is always that urge to respond. When you breach that protocol, you set a new expectation that you’re going to create a one-off communication for every question, and that’s just unmanageable.”
Make it a team effort
Mr. Ahmad says another common mistake is relying on IT to manage the entire response.
“A lot of clients assume that IT’s got it. They probably have a process. They probably have a protocol. They probably took care of all these things. And when you break down the different aspects of a cyber response, which ranges from insurance, to legal, to communications, to HR, to other aspects of it, you realize it’s a team sport. There’s no way a single IT department, or person or group within IT would be able to deal with all those pieces. That’s why preparation at that level is so key.”
After years of practicing law, Mr. Ahmad adds that in his experience lawyers tend to be defensive when it comes to communicating during a crisis, and the contribution from communications strategists is key.
“That voice is critical in those discussions with the client and they need to hear it,” he says. “Sometimes as a lawyer you have this tunnel vision for regulatory requirements and information protection. Having a voice from communications is critical in those discussions.”