Above: John Robinson is President and CEO of Intega IT, an Ottawa-based IT support company that specializes in protecting small and medium-sized companies’ data.
Canada is being targeted by almost 70 per cent of global cybercriminal phishing attacks during the pandemic and they’re succeeding by exploiting the easiest prey: COVID-era office employees working from their kitchen tables.
According to the recently-released RSA Quarterly Fraud Report, Canada attracts a staggering 66 per cent of all fraud phishing attacks worldwide, a figure made even more alarming when compared to the next most targeted country – the United States – which accounts for only seven per cent of phishing attacks.
And Ottawa is top of the list for most hit cities, says the Canadian Internet Registration Authority (CIRA), which recently released its 2020 Cybersecurity Report.
“Ottawa is home to a lot of sensitive information from governments, crown corporations and national associations. As the city has shifted to remote work during the pandemic, the threat landscape has fundamentally changed, which makes this sensitive data even more tantalizing for cyber-thieves,” notes Spencer Callaghan, CIRA’s communications manager.
CIRA found that, as a result of the shift to work from home during COVID-19, one-third of Canadian organisations have reported cyberattacks, with another third saying they use personal devices for work.
And that creates the perfect storm, says John Robinson, President and CEO of Intega IT, an Ottawa-based IT support company that specializes in protecting small and medium-sized companies’ data.
“This is happening because the remote work model is inherently vulnerable. People are using home computers. They’re not logging on to their networks using the right protocols. They have no or out of date virus protections and their kids are doing the IT support,” he says. “All of a sudden, a company with 50 employees in one spot now has 50 home offices to oversee.”
In that scattered environment, he says employees often don’t report attacks or don’t even realize they have been hacked. For example, ransomware typically starts when an employee clicks on an innocuous-seeming email link, which downloads a cryptolocker. Once network drives are affected and a company’s entire digital world is gone, cybercriminals send an email demanding bitcoin to unlock a company’s data. Yet, often, the key to unlock the ransomed data contains another bug that will appear later.
While the new CIRA report notes that half of organizations have implemented new cybersecurity precautions in response to COVID-19, the pandemic has made it infinitely easier for cybercriminals to attack with ransomware and phishing.
“Our report found that hackers are using the anxiety around COVID-19 to increase the efficiency of their phishing attacks. Only half of all Canadian organizations have mandatory cybersecurity awareness training for every employee. Until this gap is closed, the pandemic will continue to be a target-rich environment for cyber-thieves,” says Callaghan.
Our vulnerability to attack is also due to insufficient or non-existent policies for remote workers using personal devices, such as phones, computers and tablets, notes Robinson.
“One third of Canadian organizations have employees use personal devices for work, which is fine if the company has a great bring-your-own-device protocol. But in the scramble during lockdown, many didn’t. We do the onboarding and offboarding of employee IT, because without it, you are vulnerable,” says Robinson.
Yet, while technical solutions are important, he adds, employee education is the actual frontline of defense.
“We’re doing phishing campaigns to test vulnerabilities, remotely-accessed educational videos that teach employees how to detect suspicious cybercriminal behaviours, as well as using a whole host of IT support tools,” says Robinson.
While technical solutions are important, the best defense is a workforce that understands the threat and has the skills and awareness to combat it. Here are a few problems and their solutions.
Robocalls
Laughable as it can be to hear a robotic voice claiming to be a sheriff from Service Canada, “fraudulent robocalls keep happening because they work,” says Robinson. He recommends employees using personal cell phones install a call control feature from their network provider that requires the caller to physically press a button to be connected.
Test your vulnerabilities
IT support companies like Intega IT offer clients their very own internal phishing campaign to see who is – and isn’t – paying attention to emails. The campaigns involve educational videos outlining cybercrime tactics for employees, followed by emails with links that seem legit. Once the campaign is over, Intega IT sends a report card rating employees on attendance and awareness.
Read the fine print
Cybercriminals depend on social engineering to fool receivers into clicking on links in masked emails. They count on people’s trust in known entities and that they won’t look too closely at the sender’s actual email address or pick up on subtle logo changes or spelling errors.
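The sender checks described here (a trusted name in the display field over an unrelated address, a domain spelled one character off a real one, replies silently routed elsewhere) can be automated as a first-pass filter. The script below is an added example written for this article; it is not code from Intega IT or from the article’s author. The allow-list of trusted brands and domains and the three sample messages are constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed allow-list (assumption): brand names an employee is used to
# seeing in a display name, mapped to the domain that brand really sends from.
TRUSTED_BRANDS = {
    "service canada": "servicecanada.gc.ca",
    "intega it": "intega.ca",
}
TRUSTED_DOMAINS = set(TRUSTED_BRANDS.values())


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def edit_distance(a, b):
    """Levenshtein distance; a small value means a near-miss spelling."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the trusted domain this one nearly matches, else None."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(domain, trusted) <= 2:
            return trusted
    return None


def sender_warnings(raw_message):
    """Return human-readable warnings about the From and Reply-To headers."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    warnings = []

    # 1. Display name claims a trusted brand, but the address is not on its domain.
    for brand, real_domain in TRUSTED_BRANDS.items():
        if brand in display.lower() and from_domain != real_domain:
            warnings.append(f"display name says '{display}' but address is on {from_domain}")

    # 2. Sender domain is one or two edits away from a domain we trust.
    near = lookalike_of(from_domain)
    if near:
        warnings.append(f"{from_domain} looks like {near}")

    # 3. Replies would go somewhere other than the apparent sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        warnings.append(f"Reply-To {reply_addr} is on a different domain than From")

    return warnings


# Constructed sample messages (assumption): raw headers plus a short body.
SAMPLES = {
    "spoofed_brand": (
        'From: "Service Canada" <notice@servicecanada-gc.ca>\n'
        "Subject: Benefit payment on hold\n\n"
        "Confirm your details at the link below.\n"
    ),
    "reply_to_swap": (
        'From: "John Robinson" <john@intega.ca>\n'
        "Reply-To: accounts@intega-billing.example\n"
        "Subject: Invoice\n\n"
        "Please pay the attached invoice today.\n"
    ),
    "legitimate": (
        'From: "Service Canada" <alerts@servicecanada.gc.ca>\n'
        "Subject: Your statement is ready\n\n"
        "Sign in through the usual portal.\n"
    ),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", sender_warnings(raw) or ["no warnings"])
```

The first sample trips two checks at once (brand name over a foreign domain, and a domain one character away from the real one), the second is clean in its From line but redirects replies, and the third is the genuine article. A filter like this only catches the cues the article lists; it is a complement to the awareness training described above, not a replacement for it.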
Do a security risk audit
“An IT support company can do an audit of your email policies, test for vulnerabilities in your Office 365 and install multi-factor authorizations,” says Robinson. “People find it inconvenient to change their password every 90 days, so it’s a risk they’ll take. But the threat these days is from internal weakness. It’s not the old days of hackers banking on your weak firewall; the weakest link is amongst your employees.”
Don’t use public Wi-Fi
Although sitting in a coffee shop to work remotely is not on the COVID agenda now, Robinson says shared or public Wi-Fi will continue to be a key source of strain on the system. “It’s an open network. People jump on their VPN and if someone is savvy on the same Wi-Fi, they can open the door to everyone. They could put malware on your company network or your computer.”
Don’t use chargers or USB sticks you don’t know
Cybercriminals don’t just take; they’re happy to give back, too. Studies have shown they leave virus-laden USB sticks in public places for unsuspecting people to pick up. Research by Google and the Universities of Illinois and Michigan showed that, when 297 USB sticks were scattered around campus, 68 per cent of users took no precautions when plugging them in. Cybercriminals use social engineering to turn innate honesty – people plug them in to identify the owner – and curiosity into weapons. Even the charger you borrow to boost your phone at the coffee shop could be suspect. Cybercriminals will leave one behind, and when it’s picked up by staff and kept for patrons to use, it can contain malware.