Covid-19, or the Corona Virus as it is affectionately known, has not only affected the health of individuals and sent local and international stock markets plummeting; its effects on cyber security could also have drastic ramifications if individuals and businesses alike do not take the necessary steps to prevent cyber security risks. With bated breath, on Sunday the 15th of March 2020, we all awaited Cyril Ramaphosa, the President of South Africa, to inform us of the steps the state would take to curb the spread of this pandemic. Travel bans were issued, events were cancelled, and what became clear is that individuals would need to take the necessary preventative and/or screening measures to ensure health and safety.
In response to this, organisations have taken drastic measures such as having employees work remotely from home to minimise social contact amongst individuals. Whilst this is a progressive and preventative measure taken by employers, it opens up other risks that could harm the revenue and overall reputation of the business. Without robust cyber security controls and general employee knowledge and etiquette around cyber threats, individuals and firms could be at risk of various forms of malware. Importantly, big conglomerates with cyber insurance policies may be able to recover, though an attack could have everlasting effects for businesses, irrespective of organisational size.
A large number of cyber security attacks are executed as a result of user error. Frequently, cyber-incidents and their root causes can be attributed to internal users failing to follow either security protocol or data protection policies. This is primarily because users accessing the internet through their devices are often forced to make difficult security decisions without the information needed to deal adequately with such threats. Criminals are opportunistic by nature, and during this trying time they will unfortunately seek to take advantage of users working remotely in this state of disaster, as employers look to safeguard employees.
Below is a summary note on how users and employers can work together to proactively guard against security threats, incidents and breaches.
Common types of attacks businesses face
i. Ransomware attacks: Most ransomware attacks manifest themselves through electronic mail (“email”), and the weakness here is that a large number of users have not been properly trained and/or educated to recognise a malicious email attachment. Training employees to be more cognisant of attacks can be time-consuming and expensive; however, it is deemed to be one of the most effective ways that an organisation can defend itself against ransomware attacks. Weak passwords are also blamed for most ransomware attacks, as users seldom change their passwords.
ii. Phishing attacks: These attacks infiltrate users’ computer systems by exploiting human behaviour. This is achieved by way of targeted, fraudulent emails, which aim to persuade employees to click on malicious links, download malicious attachments, or transfer organisational funds or other sensitive information. This is commonly referred to as spear-phishing. A 2016 Cyber Incident Report highlighted that 1 out of 10 employees clicked on links or opened attachments contained within sanctioned phishing email tests. Organisations and users need to guard against phishing attacks by continuously running simulated phishing tests, which involve sending simulated, targeted phishing emails to a number of employees and monitoring the resultant ‘click-rate’.
iii. Social Engineering: When cybercriminals cannot find a security vulnerability, they’ll attack in other ways. Enter social engineering. This involves gathering information needed for an attack by relying on human weaknesses (manipulating users into performing an action, or gathering confidential information that can be used by the attacker). This type of attack is more of an attack on the mind of the user than on the device, with the aim of gaining access to systems and information. Especially with the information publicly available online and over social media, cyber criminals come up with creative ways to target users.
Ensuring information and cyber security is the dual responsibility of organisations and employees.
Important Security Tips to keep in mind:
I. Limit and avoid using your work device for personal reasons
When it comes to running a personal e-errand (electronic/digital), stick to your personal devices. Avoid accessing social media sites, online shopping sites and downloads unrelated to work, as these sites may contain malicious advertisements with links that may cause a security threat on your work device.
II. Remain attentive when working on your device
As mentioned above, a large number of cybersecurity incidents are the result of user error. When users access a number of websites, they have extensive information at their disposal at once; this can make it challenging for users to remain attentive to the contents of such websites. Therefore, you should always remain attentive when using your work device.
III. Keep track of your digital footprint
When you monitor your accounts, you can ensure you catch suspicious activity. Can you recall everywhere you have online accounts and what information is stored on them, like credit card numbers for easier payments? It’s important to keep track of your digital footprint, including social media, and to delete accounts you’re not using, while ensuring you set strong passwords (and that you change them regularly).
IV. Creating strong passwords
It is essential that users create strong passwords as a necessary precaution against password breaches. Strong passwords are long and complex, and the limiting factor here is human memory.
Examples of the most common passwords are set out below, and if your password appears below (our little secret), I would highly recommend updating your current password:
Authors: Sandile Xhakaza and Thebe Matlhaku