Working from home is now a new normal in the face of a pandemic that is relentlessly giving the world sleepless nights.
However, as companies and employees get familiar with the nitty-gritty of working remotely, new dangers are emerging. Employees are now turning out to be the soft target of cyber attackers, posing great risks to companies.
In the past three months, the number of cyber-attacks targeting employees has increased by 55 percent. This is according to tech firm Dimension Data, which attributes the attacks to the high number of employees working from home and the fact that companies lack robust mechanisms to remotely monitor their networks.
The sudden emergence of Covid-19 apparently did not give companies ample time to put in place the mechanisms needed to seal the loopholes that hackers capitalise on to breach systems. And even if companies had been prepared and had hedged their operations against hackers accordingly, that still would not have been sufficient.
Cyber criminals become more tech-savvy each day, say experts, and for businesses to ward them off they have to constantly innovate and adopt the latest security measures. This is more urgent now that working from home looks set to be with us for the foreseeable future, if not permanently.
Ishmael Muli, head of Dimension Data Intelligent Security business in East Africa, says the current Covid-19 crisis has seen an upsurge in the use of technology in unprecedented ways, with companies allowing their employees to use their own personal devices for office work.
“This move has increased organisational risk and cyber security etiquette has begun shifting to the end users. As a result, the most prevalent attack vectors going around include phishing and social engineering,” he says.
Dimension Data says while a number of firms have watertight cybersecurity measures for working within their premises, operating remotely is a totally different ball game. Because firms lack experience in dealing with cybersecurity on mobile devices and external networks beyond their offices, hackers are having a field day.
Mr Muli notes that most cases of system breaches emanate from negligence by employees and other close associates: ignoring corporate cybersecurity policies, misuse of data, and installation of unauthorised applications, among others. These kinds of breaches are bound to escalate in the current working environment, which is a fertile ground for cybercrimes.
Insiders, Mr Muli adds, are increasingly taking advantage of the fact that many firms are not sufficiently equipped to investigate successful cyberattacks due to constrained capacity to detect unusual activity when their network is compromised.
“Some of these attacks involve manipulation of transactional data, tampering of logs to limit tracing, as well as framing legitimate users – all of which make forensic investigations difficult,” Mr Muli says.
Data from the National Kenya Computer Incident Response Team Coordination Center (National KE-CIRT/CC) indicates that 87 percent of cyber-threat advisories in the last three months were due to system weaknesses.
Cybersecurity firm Kaspersky has flagged an uptick in business email compromise (BEC), in which attackers compromise business correspondence with the ultimate aim of perpetrating financial fraud through access to confidential information.
Bethwel Opil, enterprise sales manager at Kaspersky in Africa, says firms must now shift focus to internal potential threats that are on the rise.
Covid-19 has particularly been a boon for cyberattackers. There have been numerous spam emails containing pandemic information from sites purporting to be the World Health Organisation. Because it is not easy to differentiate the spam from genuine emails, many employees and companies fall prey to such phishing links.
Experts say firms ought to devise advanced systems to pick out spam and stave off attacks on their systems. Businesses, they advise, need to examine their weaknesses and address them holistically.
Mr Opil notes that emails are increasingly becoming one of the preferred ways for criminals to compromise a computer system or user data.
In the first quarter of this year, Kaspersky research shows that its anti-phishing system prevented almost 120,000 attempts to redirect users to scam websites.
In the first three months of this year, Kaspersky security solutions detected more than 49,500 malicious email attachments, with the highest number of attacks classified as Online Stores (18.12 percent). The Global Internet Portals segment came second with 16.44 percent, while Social Networks was third with 13.07 percent.
How, then, can firms survive these waves of attacks in these perilous times of the pandemic? Mr Opil advises businesses to protect their devices with the right software and provide a VPN for staff to connect securely to the corporate network.
“All corporate devices must be protected with appropriate security software. Furthermore, the software must provide the functionality for data to be wiped from devices that are reported lost or stolen, segregate personal and work data, and restrict which apps can be installed,” Mr Opil says.
Firms, Mr Opil adds, should apply the latest updates to operating systems and apps, and access to systems should be restricted based on “the need-to-know and least privilege principles”.
It is important, he advises, to teach employees basic cybersecurity rules and impress upon them their importance.
“Do not follow links in emails from strangers or unknown sources, use strong passwords,” he notes, adding that staff must at all times avoid responding to unsolicited messages.
“Also, it is essential to agree on rules of work, whether all questions are asked in protected chats and conference calls are made via secured channels,” he says.