Weekly Newsletter Edition 3
As you may know, I like to start with a scam or two. These apply just as much to employees as to individuals, because they can happen in any environment.
Scammers may try to reach you by phone, and some phone scams rely on a smartphone's ability to access the internet and install malware.
- Robocalls: Robocalls have people's phones ringing nonstop with increasingly natural-sounding recorded voices. They may offer anything from auto warranties to vacations, or make a threat to get your attention. Some robocalls can even respond to your questions.
- Texts: You may receive a text message from an unknown number or email address. These smishing attempts often include a link to a scammer's website or app. Treat any link in an unexpected text as suspect, especially one that leads to a login page.
- Impersonators: Scammers impersonate HMRC staff, the police, survey takers, relatives, delivery people and well-known companies, either to threaten you or to gain your trust. They use scare tactics relating to your National Insurance number, a supposed criminal record or one of your accounts before asking for personal, account or card details.
- Apps: Scammers may try to get you to install a malicious app that steals your information, or publish a near-identical copy of a legitimate app and make money from its in-app purchases.
- QR codes: QR codes became popular during the pandemic as a touchless way to read a restaurant menu or make a payment. Scammers place their own QR codes in inconspicuous spots, and scanning one can prompt you to make a small purchase or enter your credentials on a look-alike website. A QR code is just a link you cannot read by eye, so check the address your phone shows before opening it.
One-Time Password (OTP) Bots
I think we've all had experiences of being sent a code to identify ourselves to an application. This applies in our private lives, where more and more applications use two-factor authentication, and it is of course now common in our work environments. The OTP scam uses so-called OTP bots to trick people into sharing the authentication codes sent to them by text or email, or that they have to read from an authenticator app or hardware token.
The bot may initiate a robocall or send you a text imitating a legitimate company. For example, the call may appear to come from your bank, with a spoofed caller ID and a recorded voice. The voice asks whether you authorised a charge and, if you say you did not, tells you to enter the code you have just been texted in order to cancel it. In reality, the bot has just tried to log in to your account, and that attempt is what caused the bank to send you the code. If you hand the code over, the scammer completes the login. The code itself proves nothing about who is sitting at the keyboard, so a genuine bank or employer will never phone you and ask you to read one out; an unexpected code is a sign that someone else is trying to get in.
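To make the sequence concrete, here is an added Python simulation of the exchange between the bank, the victim's phone and the OTP bot. It is not code from this newsletter or from any bank; the account name, the fictitious phone number, the device-fingerprint scheme and the "known device" policy are all assumptions made for illustration. The simulation runs the attack twice: once against a plain SMS-OTP login, and once against a server that also refuses to finish a login from a device it has never seen for that user.

```python
"""Simulation of the OTP-bot relay described above (constructed example).

Three parties: a bank that texts a six-digit code, a victim who keys the
code back when a convincing robocall asks for it, and the attacker's bot
that initiates the login and relays the code.  All names, the phone number
and the known-device policy are assumptions for illustration only.
"""
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Phone:
    """The victim's handset: an SMS inbox and a trusting owner."""
    number: str
    inbox: list = field(default_factory=list)

    def latest_code(self) -> str:
        # What a fooled user does when the caller says "enter the code we
        # just sent": pull the digits out of the most recent text.
        return "".join(ch for ch in self.inbox[-1] if ch.isdigit())[-6:]


@dataclass
class Account:
    username: str
    phone: Phone
    known_devices: set = field(default_factory=set)  # fingerprints seen before


class BankServer:
    """Minimal SMS-OTP login. With require_known_device=True the server also
    refuses to finish a login from a device it has never seen for that user."""

    def __init__(self, require_known_device: bool = False):
        self.require_known_device = require_known_device
        self.accounts: dict[str, Account] = {}
        self.pending: dict[str, dict] = {}   # session -> {user, code, device}
        self.logged_in: dict[str, str] = {}  # session -> username

    def register(self, account: Account) -> None:
        self.accounts[account.username] = account

    def begin_login(self, username: str, device_fp: str) -> str:
        """Step 1: anyone who knows the username can trigger the SMS."""
        account = self.accounts[username]
        code = f"{secrets.randbelow(10**6):06d}"
        session = secrets.token_hex(8)
        self.pending[session] = {"user": username, "code": code, "device": device_fp}
        account.phone.inbox.append(f"Your one-time code is {code}. Never share it.")
        return session

    def complete_login(self, session: str, code: str) -> bool:
        """Step 2: the server cannot tell whether the account holder or a
        scammer holding the relayed code is typing."""
        pend = self.pending.pop(session, None)
        if pend is None or not hmac.compare_digest(pend["code"], code):
            return False
        account = self.accounts[pend["user"]]
        if self.require_known_device and pend["device"] not in account.known_devices:
            return False  # held for review: correct code, unrecognised device
        self.logged_in[session] = pend["user"]
        account.known_devices.add(pend["device"])
        return True


class OtpBot:
    """The attacker's automation: drives the bank login and the robocall."""

    def __init__(self, bank: BankServer, device_fp: str):
        self.bank, self.device_fp = bank, device_fp
        self.transcript: list[str] = []

    def attack(self, victim_user: str, victim: Phone) -> bool:
        # Logging in as the victim is what makes the bank text them a code.
        session = self.bank.begin_login(victim_user, self.device_fp)
        self.transcript.append(f"bot -> bank: begin login as {victim_user}")
        self.transcript.append(f"bank -> victim (SMS): {victim.inbox[-1]}")
        # The robocall, spoofed to look like the bank's fraud line.
        self.transcript.append("bot -> victim (call): 'Did you authorise a £480 payment? "
                               "If not, enter the code we just texted you to cancel it.'")
        code = victim.latest_code()  # the fooled victim keys it in
        self.transcript.append(f"victim -> bot (call): keys in {code}")
        ok = self.bank.complete_login(session, code)
        self.transcript.append(f"bot -> bank: submit {code} -> {'logged in' if ok else 'rejected'}")
        return ok


def run_scenario(require_known_device: bool = False) -> dict:
    """Run one legitimate login and one OTP-bot attack; return what happened."""
    bank = BankServer(require_known_device)
    phone = Phone("+44 7700 900123")  # fictitious number (Ofcom drama range)
    bank.register(Account("alice", phone, known_devices={"alice-laptop"}))
    # Control: the real user logging in from her usual laptop still succeeds.
    session = bank.begin_login("alice", "alice-laptop")
    legit = bank.complete_login(session, phone.latest_code())
    bot = OtpBot(bank, device_fp="bot-vps-17")
    attacker = bot.attack("alice", phone)
    return {"legit_login": legit, "attacker_logged_in": attacker,
            "transcript": bot.transcript}


if __name__ == "__main__":
    for policy in (False, True):
        result = run_scenario(policy)
        print(f"require_known_device={policy}: attacker logged in = {result['attacker_logged_in']}")
        for line in result["transcript"]:
            print("  " + line)
```

Against the plain SMS-OTP login the bot succeeds, because the bank sees only a valid code arriving on the session that requested it. The known-device policy blocks this particular relay only because the bot's session sits on a device the account has never used, and it would equally hold up a genuine customer on a new laptop, so it is a fraud-review trigger rather than a fix. The durable fix is a second factor that cannot be spoken down a phone line, such as FIDO2/passkey authentication, where the secret never leaves the device in a form a caller could ask for.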
So what is the new normal? That is a difficult question. It means different things to different people and organisations, and it is still very fluid, as many are trying to work out exactly how they are going to proceed.
We hear a lot from certain Government ministers about working from home being inefficient and causing problems for industry. There are good arguments to the contrary: many companies, small and large, were forced to adopt a remote operating model during COVID and have not yet returned to full-time working from the office. The attractions are obvious in terms of cost reduction, and so are the potential pitfalls.
Surveys by HR consulting companies now suggest that 60 to 70% of companies of all sizes plan to adopt a hybrid model. In the IT industry, particularly among IT consultancies, this model has been in use for many years and is well regarded, allowing office space to be reduced and the cost base lowered.
As organisations of all sizes begin to recalibrate their operating model for the new normal, there is a real need to re-evaluate their cyber security posture: policies, processes, people and training, and technical defences.
When COVID hit, many SMEs had to move very quickly to keep going, adopting remote working without the time or luxury of any real planning. It was a knee-jerk reaction born of necessity, and certainly not how they would have chosen to do it. In many cases companies did not have the necessary hardware, such as desktops and laptops, and allowed staff to work from home on their own machines, connecting to both office and cloud-based systems, with no check on how those machines were configured, whether they were kept up to date with patches, or whether other family members used them. In some cases this is still happening today.
Cyber criminals have used this shift in working patterns to their advantage, and attacks have increased sharply across the globe. Working from home has enlarged the IT footprint while weakening its defences, giving criminals more scope to develop new attack methods and new scams, and to increase their revenue.
Cyber-attacks and data breaches tend to hit the headlines only when a large company is involved. SMEs are hit every day, for somewhat smaller sums, and there is an argument that these attacks often go unreported to protect reputations, or even undiscovered for long periods. Data breaches do get reported because of the requirement to notify the Information Commissioner's Office (ICO), but even then the ICO's enforcement actions often fly under the radar. This year alone there have been over 40 ICO fines, many against companies categorised as SMEs: a finance company was fined £48k and a solicitor £98k. You can confirm all of this with a Google search.
The major cyber security companies forecast that ransomware will become more prevalent and more sophisticated. SMEs are targeted because such attacks take little effort on the attacker's part, and SMEs often pay up because they have no defence against them and no business continuity plan that would let them keep going through an attack. Phishing will remain a big problem for SMEs, as will social engineering, email spoofing and other scams. Home workers are a particular target because, being isolated, they cannot simply look up from their desk and ask for advice before acting, and will often just respond to an authoritative-looking email or phone call.
So what needs to be done if hybrid working is to continue? First and foremost come your policies. Do they reflect the new hybrid working model? Have you set out what is and is not acceptable use of company IT equipment when it is taken to a home address? Do you allow the use of home machines, and if so, have you set out how those machines must be configured before they can be used for company business? That list is not exhaustive.
Secondly comes user training. Cyber awareness training for staff, along with a broad understanding of data protection principles, becomes even more important when staff work from home. It is a clear no-brainer which many SMEs still do not recognise as necessary.
Finally, technical security must be reviewed and made fit to support a remote working model. If an SME has not moved to a cloud operating model, it should consider doing so without delay.