In countries such as the UK, the rapid spread of the Omicron variant of coronavirus has prompted Government instructions for us to work from home where possible. This is welcome news for the cyber criminal and a threat we risk managers must address.
In England, many of us will have faced the news of returning to work from the home environment this week with a mixture of emotions. Around the world, the spread of the Omicron variant of Covid-19 is seeing workers return to their home office or kitchen table.
The morning commute will once again have been replaced with a leisurely stroll from the bedroom to the laptop, the quality of the coffee will have improved / worsened, and we will be forced to source our own lunch instead of popping out to the local sandwich bar. According to the latest figures, a large group of us will be saving almost £45 per week because of working at home again.
Aside from the PM and his government advisors, there’s another group that will be delighted to see us working from home again: the cyber criminal.
According to IBM, back in March 2020 there was a 14,000% increase in the volumes of phishing emails that were sent to us. We’ve all seen increases in scams, in fake text messages encouraging us to click links to show us where parcels are, to provide a payment for postage for goods that we’ve never bought … the list goes on. The criminal is exploiting our isolation and reduced opportunity to check with colleagues and IT teams on the legitimacy of emails, text messages and calls.
Technical measures to prevent this barrage of attacks are only part of the solution. In the UK, the recently revised question set for the Cyber Essentials scheme reiterates the simple controls that every organisation should be taking. Strong passwords are critical – gone are the days of ‘password1’ or ‘football’.
The average cybercriminal has IT equipment that can crack weak passwords in nanoseconds. If you’ve ever wondered if your password has been compromised, then you can find out for free at this website. Keeping software up to date is critical, and this is across all devices including laptops, tablets and phones.
Importantly, the new question set from the National Cyber Security Centre (NCSC) reinforces the need for multi-factor authentication. This is the simple addition of a secondary mechanism of validation, e.g. a text message to your mobile phone. None of the recommendations should be difficult and all are relevant regardless of the size of your organisation or the sector in which it operates.
Staff training and education critical
Technical measures are only part of the puzzle. What else can we do?
Training and educating staff to be aware is critical. Even if working from home, they need the ability to call out anything that looks unusual. Is that really an email from the boss asking for money to be transferred to a new supplier? Is that link from the client / supplier genuine? Giving staff the opportunity to pause and question emails that they receive is critical.
But what if we could fight back? As users, we’re often described as the first line of defence. That is true for cyber crime, and there are government schemes worldwide to support it.
In the UK, if you receive a phishing email, then take 10 seconds to forward it to the government here. Just forward it, no message needed, no explanation required … just forward it … that simple.
In India, you can report suspected phishing emails to the Income Tax Department here.
In the United States, the FBI advises that you can flag potential e-scams to the Internet Crime Complaint Center and file a report.
In the UAE, there’s a special website to report cybercrimes. This website is where you can find out more about reporting cyber crimes in Saudi Arabia.
And when you’ve reported the scam, take a few moments to reflect and congratulate yourself that you’ve just helped the world of work become a little safer.
To the end of November 2021, in the UK, the NCSC had removed a staggering 68,000 scams. Wherever you are in the world, your simple action will have helped to reduce the number of scam emails issued by fraudsters, protecting other businesses and members of the public.