Don’t be a teleworking crash dummy Insight Article - September 10, 2020 Disaster Planning Business Operations Technology Sign in to save Marion Jenkins PhD, FHIMSS The most important and effective security tool is the person at the keyboard More than nine in 10 successful cyberattacks begin with a phishing email.1 If COVID-19 wasn’t bad enough — given the alarming news headlines and the ever-changing landscape of regulatory do’s and don’ts affecting practices — online threats are evolving and spreading like the pandemic itself. With work happening everywhere now, end users need to exercise even more vigilance. Here’s what to watch for to help keep virtual workplaces safer in the post-COVID-19 era. New places where threats live In today’s altered work landscape, new technologies and tools had to be adopted very quickly, with little or no planning or training. While the kitchen table or home office might seem familiar physical environments, the technical environment may be significantly more prone to attack. With users being outside the normal security perimeter of the practice, the “threat footprint” has significantly increased. Isolation during this crisis has made people hungry for information. Media headlines seem more focused than ever on sensation and alarm, rather than fact. The practice breakroom — where people once had informal but direct personal interactions while getting caught up with their friends and on current events — has been replaced by home office laptops and workstations, with little or no interaction with coworkers. This isolation removes informal interactions and collaboration with others, so subtle but important clues about online messages and behaviors are missing some important context. Homeschooling and other altered connections involving daily life also bring new and unfamiliar workflows into the work-from-home (WFH) environment, so teleworkers may interact with a mix of work-related and family/personal tools throughout the workday. Since attackers know all these circumstances, it’s easier than ever to trick people with online threats and scams. Cybercrime is a business Many perpetrators of cyberattacks and scams are actual businesses (with bosses, salaries, bonuses, etc.), and those businesses create threats tailored to every market and circumstance. At the small/personal level are fake test kits,2 highly marked-up critical supplies3 and numerous other products with unsupported claims that have prompted warnings from the Federal Trade Commission (FTC) and the U.S. Food and Drug Administration (FDA).4 Because of so many new or altered work and/or personal processes, such as stimulus checks and altered tax deadlines, scammers have built threats around those as well, targeting consumers and businesses. And because of the trillions of dollars in financial aid, scammers are targeting the Paycheck Protection Program (PPP) and other government relief efforts, including those specifically intended for medical practices. These threats may be a direct attack or merely a test of your organization’s security posture, as a precursor to more serious attacks. Leading the way in terms of financial and operational impact is ransomware, in which perpetrators attempt to encrypt an organization’s data and then extort very large sums of money — sometimes millions — to unlock the data. They frequently threaten to release the data publicly if the ransom is not paid. Technically ransomware does not harvest your data; it simply replicates itself to spread to other devices, encrypting the data associated with those devices and rendering systems inoperable. Other than paying the ransom, a complete system restoration from offline backups is the only route for organizations to restore operations. A battle of good and evil: tech alone can’t win There are millions of threats, with thousands of new ones being unleashed each month. Information security firms — including antivirus software companies, networking device manufacturers and security consultancies — work 24/7 to stay on top of threats. However, from a technical standpoint they can only respond to new threats as they arise and then create systems to detect and prevent intrusion going forward. Perpetrators then tweak their software to create a new threat. Until a threat is discovered and a “fix” is implemented, users and organizations are exposed. There is no “silver bullet” for security, contrary to some vendors’ claims. There are numerous articles on preventing cyberattacks, suggesting expensive security tools, the use of longer passwords, keeping operating systems and security software up to date, and reducing logout intervals. You should investigate and adopt the practices and tools that match your organization’s needs and budget. However, these approaches generally miss the most important component in the whole process: the end user. Preparing your workers for cyber threats Being forewarned is forearmed. Threats always follow what’s trending online or in the news, and today’s environment is causing perpetrators to ratchet up their game. While it’s impossible to cover every scenario, look for these red flags on inbound emails, social media, screen pop-ups and other communications: 1. COVID-19-related messages. This area is so broad that it’s impossible to list all the threats. The more sensational or urgent the message, the more suspicious you should be. 2. Financial: PPP, individual banks, taxes or Small Business Administration. Some businesses may have contacted multiple banks regarding PPP; scammers know this and craft emails with subjects such as, “PPP money is still available,” or “You didn’t complete your PPP application.” Knowing that some larger banks have millions of customers, scammers can easily craft a convincing-looking message branded with these banks’ logos that is full of traps. 3. The 2020 Census. Since much of the census is not able to be done in person, online census scams have become more prevalent. 4. Voter registration/virtual voting/political fundraising. This is an election year like no other, making it the perfect time to target unsuspecting and socially isolated individuals who are getting much of their information online and likely voting online or by mail. 5. New CDC or CMS guidelines, especially those governing medical practices. This is especially devious, since new regulatory guidelines come out nearly every day and practice executives have to understand and follow them. Scammers are counting on this vigilance to work for them. 6. Items relating to business or personal tax deadline extensions. IRS scams have been around for years, but this year’s changes in deadlines and deductions represent new opportunities for scammers. 7. Software updates. That “new update” for Zoom, Microsoft Teams, Google Meet or other service may be nothing more than an attempt by a scammer who knows you are using these new software tools for web meetings. They will use fake update messages to trick you. 8. Add-ons for web meetings. At a minimum, these funny backgrounds, filters or masks might contain annoying adware or send more annoying web pop-ups your way. At the extreme, they may be avenues for harmful malware. 9. Anything related to cybersecurity, hacking, antivirus and the like are common user-bait. Scammers are especially skilled at scaring users in a bid to make them click on anti-malware links that are themselves malware. (Hint: Look closely, usually there are misspelled words, bad grammar, garish graphics or a plethora of exclamation marks — those are telltale signs of a hoax.) 10. Windows 10 and browser updates. Many practice applications require specific (and sometimes non-standard) browser versions, and there’s been a lot of chatter around the new Edge browser. Scammers know this and hope you will think some quirkiness might be related to a browser issue rather than malware. 11. Emails from human resources or building management saying “someone” has tested positive for COVID-19. A scam message might say that HIPAA privacy rules prevent them from identifying the individual, and ask you to fill out a form detailing your recent movements. Buried in that form is a place for you to include your personal info to be harvested. (Note: The bigger/more top-down the organization is, the easier it is to pull this off.) 12. Snail mail. Digital threats not scary enough? There are others that can arrive in your physical mailbox. For example, there have been recent snail-mail scams involving a postcard from a fake HIPAA officer, directing users to a fake web link.5 See something, say something. Many symptoms that might denote malware, such as slowness, programs freezing, applications behaving strangely, etc., are symptoms of literally dozens of “normal” issues. However, it’s better to be safe than sorry — contact your IT help/support line if you detect any unusual activity. At a minimum, it may help them troubleshoot other IT issues. Disconnect if you suspect an attack. Ransomware is designed to replicate itself across the network and corrupt all your data. During an attack, it’s important to limit the spread of the attack. If you suspect your computer might be infected, do not click on more links or open more windows or apps. Just power it down and contact your IT help/support line. End users who embrace these principles will help their organization and technology teams minimize cyber threats in the “new normal” work environment. Key steps These three keys will help minimize damage and speed recovery when* your practice is attacked: Find and stop the exploits as soon as possible. Shut down/disconnect suspected systems immediately to limit access to files and systems. Restore your systems from offline backups that are completely isolated from your production systems. * Most security experts agree cyberattacks have become a matter of “when,” not “if.” It is no longer feasible to prevent them; you need to take steps to mitigate their impact. Notes: PhishMe. Enterprise Phishing Susceptibility Report. 2016. Available from: bit.ly/3gDZUJO. Chmura C, Jackson J. “Feds Work to Snag Fake COVID-19 Test Kits, Bogus Virus Products.” NBC Bay Area. April 30, 2020. Available from: bit.ly/3ayesJl. Department of Justice. “Combatting Price Gouging & Hoarding.” Available from: bit.ly/3aF1g5B. FTC. “FTC Coronavirus Warning Letters to Companies.” Available from: bit.ly/2Yy8gfL. Dyrda L. “HIPAA-compliance postcards a scam, Office for Civil Rights warns.” Becker’s Health IT. Aug. 11, 2020. Available from: bit.ly/3hEkqLP.