Cyber Attacks Increase During Pandemic; Proactive Measures Employers Can Take

By John Murrill, Partner, Executive Committee, Technology Committee Chair
Litigation, Labor and Employment, Data Security
john.murrill@taylorporter.com

As the coronavirus continues to spread across the globe, people carefully scrutinize the daily news reports for evidence that social distancing and other preventative measures are helping to “flatten the curve.” Metrics such as infection and hospitalization rates, numbers of new cases, numbers of ventilators, and numbers of deaths are carefully monitored for indications of the virus’ progress.

As businesses are forced to implement work-at-home policies to help combat the spread of the virus, there is another ominous metric that has not received as much attention from the media. Specifically, cybercriminal activity has dramatically escalated during the pandemic. Cyber-crimes always tend to increase during times of emergency, but the current crisis presents even more fertile opportunities for mischief because IT staffs (who are themselves frequently working at home) are stretched thin supporting the remote workforce, and because employees working at home are often using their own personal devices to access their employer’s networks. The FBI recently reported that since the beginning of the pandemic, complaints to its Internet Crime Complaint Center have increased three- and even four-fold to as many as four thousand (4,000) per day, and the deputy assistant director of the FBI’s Cyber Division recently observed that “we have increased vulnerabilities online, and increased interest from threat actors to exploit those.”

In particular, use of phishing e-mails has escalated dramatically during the pandemic. Hackers are crafting phishing e-mails using pandemic-related themes intended to create a sense of fear and/or sympathy in the people receiving the e-mails. For example, some phishing e-mails have posed as communications from food banks and other NGO’s seeking solicitations to offset pandemic-related expenses. Other e-mails have posed as communications from the World Health Organization, the National Institutes of Health, and other trusted organizations. Still others have offered free face masks or mimicked routine e-mail traffic between employees working from home. All of these phishing e-mails have one goal – convincing the recipient to click on a bogus link that will then spread various forms of malware. Furthermore, the phishing campaigns are not limited just to profiteering cybercriminals, as Google recently reported it has identified at least twelve (12) state-sponsored efforts to use the pandemic to spread malware.

Another cyber-threat that was largely unknown prior to the pandemic is “Zoombombing.” As more and more employers have been forced to adopt work-at-home policies, employees have often relied on the videoconferencing service Zoom as a professional lifeline to host remote meetings with employees, clients, customers, etc. Businesses use Zoom to conduct team meetings, courts use Zoom to conduct hearings, attorneys use Zoom to take depositions, and teachers and professors use Zoom to teach classes at high schools and colleges around country. But with the explosive growth of Zoom has come increased and unwelcome attention from cyber-intruders who have hijacked Zoom videoconferences for their own purposes. Zoombombers have disrupted meetings of Alcoholics Anonymous, Sunday-morning worship services, online college classes, and a city-government meeting. And the threat posed by Zoombombers goes beyond the simple disruption of meetings and posting of hate-speech and offensive images. A much more serious threat to businesses and law firms hosting remote conferences on Zoom is the possibility that Zoombombers can eavesdrop on sensitive conversations involving the discussion of company trade secrets, confidential and sensitive health information protected by HIPAA, legal strategies, etc. The risk is compounded by Zoom’s poor track-record with respect to its encryption and security measures; indeed, the founder and CEO of Zoom apologized to the app’s millions of users in early April 2020 after coming under fire for the app’s many security issues. Zoom has been working to increase its encryption and security features, and a new version 5.0 is set for release on May 30.

Clearly, cybercriminals consider the current work-at-home model to be a target-rich environment. So what are some of the steps employers can take to protect themselves and minimize cyber-risks?

• For starters, employees need to be reminded more than ever of the critical front-line role they play in helping their employers minimize cyber-risk. Just because you’re working at home while wearing your pajamas with your pet dog curled up at your feet does not mean it’s okay to let your cyber-guard down. To the contrary, employees need to be more diligent than ever, and it behooves employers to periodically remind employees of their critical role. Always verify the sender’s e-mail address; the managing partner’s name might appear in the “From” field, but phishing e-mails usually originate from unknown e-mail addresses, so take the time to verify the sender’s actual e-mail address. 
   
• Never click on a link or attachment unless you are absolutely certain it is legitimate. And if you have any doubt at all about a particular e-mail, notify your IT department and let them take a look.
   
• Employees should also be required to have strong passwords that must be changed periodically. Password managers can help to automate the process for both the employer and the employee.
   
• Employers should strive more than ever to keep current with software patching and, if resources allow, to consider accelerating patch schedules for systems and applications supporting the remote infrastructure. As vulnerabilities are identified, hackers will move even more aggressively than usual to exploit them during the pandemic, and keeping current with patching will help to minimize a business’ cyber-risk.
   
• Additionally, employees who are working remotely should not be allowed to access networks except via multifactor authentication. Past research has shown that multifactor authentication can successfully help to block the majority of network attacks, and a 2019 Microsoft report found that multifactor authentication can successfully block up to ninety-nine percent (99%) of account attacks. Businesses that are slow to adopt multifactor authentication are even more exposed as a result of the increased activity attributable to the COVID crisis.
   
• Finally, Zoomers should use a personal meeting ID (“PMI”) for each meeting, and the meeting host should enable the Zoom password feature. Neither the PMI nor the password should be shared online. The meeting host should also enable the Waiting Room feature, which prevents users from actually joining the meeting until manually admitted, one by one, by the host. Finally, the host of a Zoom meeting should disable guest screen sharing to ensure that the host – and only the host – controls what is seen by other participants.

Don’t be caught with your cyber-pants down!

About John Murrill: Taylor Porter Partner John Murrill’s practice is concentrated in the fields of commercial litigation, labor and employment, data security, e-discovery, higher education law, government purchasing, procurement and contract law. He has been selected for inclusion in Best Lawyers in America® in Mass Tort Litigation/Class Actions - Defendants. John serves as chair of Taylor Porter’s Technology Committee, co-chair of the Business and Commercial Litigation practice, and also is a member of the Firm's Executive Committee. 

Taylor Porter attorneys continue to monitor the legal developments pertaining to COVID-19. For the latest legal news and developments, please visit the Taylor Porter Coronavirus – Legal News and Business Resources section of our website.