With work and personal life boundaries blurred, cyber security is more important than ever and Inflexion's digital team, led by Alex Mathers, is in regular dialogue with our portfolio to keep on top of this. Dr. Jon O’Brien, Consulting Director at Crossword Cybersecurity plc talks to Inflexion about how the situation is evolving.

 

How can people differentiate genuine government and NHS alerts from the criminal ones?

It is crucial to increase the distrust people treat unsolicited emails with, as well as text messages and social media alerts– essentially adopting the mindset of ‘Be Paranoid and Trust No one’.

Assume that any alert is a malicious scam and:

(a) scrutinise any URL or email address contained within the alert even more carefully than one normally would, as cyber criminals are spoofing legitimate identifiers with increasing levels of sophistication, such as ‘@uk’/’@nhs’ etc. and

(b) verify the validity of the alert via a separate and trusted channel.

Malicious actors are exploiting the wider sense of deep concern about the spread of the virus and the current cultural tone that one must follow instructions from centralised authority to pressure you into urgently responding to the alert and so falling victim to their scam. Therefore it is crucial you take time to follow steps (a) and (b) carefully – hover over any URL, really scrutinise the address to which your click will take you and then, via another means, check that it is a legitimate government/NHS website.

Has the change in working environment changed hackers’ tactics for gaining access to the details of firms and people?

The change in working environment has indeed seen hackers change some tactics to exploit a number of well-known vulnerabilities in VPNs and other remote working tools and software. They are also exploiting the increased use of communications platforms such as Zoom and Teams by sending phishing emails with malicious links that appear to enable the user to join a meeting or update their Zoom/Teams account but in fact deploy malware onto victims’ machines.

A more disparate workforce is now largely relying on home networks rather than work systems. Does this put companies and their sensitive information more at risk of attacks?

Yes, as there are widely exploited vulnerabilities in certain VPNs and other remote working platforms, but there are also some other non-technical security measures that could be absent in the home environment, for example a lack of discipline about checking what one is visually projecting when on video calls – there have been instances where a lack of ‘clear desk policy’ in the home office has led to sensitive information such as contracts, CVs, proposals, and commercial terms being inadvertently left out on display.  It is also the case that the default privacy setting on a number of conferencing platforms is relatively open, meaning that uninvited individuals are able to join meeting and so potentially eavesdrop confidential and/or commercially sensitive information, unless the home worker has proactively checked and ensured that access controls were set to the strongest possible level, across all the platforms they use.

What security issues are there with adults using Zoom for work purposes during the day and children using the same account for socialising at other times?

There are a range of potential security issues, but the stand out one is probably due to a known unpatched vulnerability that allows an attacker to drop a malicious link into a chat window and use it to steal a Windows password. This is possible because Windows exposes a user's login name and password to a remote server when attempting to connect to it and download a file. For example, the children are messing around and using the chat window, an attacker drops such a malicious link in, the kids don’t realise it was anything other than a bit of fun and click on the link. Then those credentials are compromised. As Zoom was being used for work, those credentials would be associated with that work account and could then be used to maliciously exploit access to the account, accessing sensitive data and potentially corrupting or even stealing it.

What can people do to ensure they are minimising the risk of cyber attacks?

It is of course the case that all the standard principles remain absolutely key, particularly ensuring that they do not use the same password across multiple services.

People should check the privacy settings on each app, platform and service they use and also evaluate what personal information they expose publicly on social media as this is often exploited to establish sophisticated attacks.

Even if using the same platform (eg Zoom) people should set up separate personal and work accounts to minimise the risk of ‘less vigilant’ personal actions leading to compromise of work account credentials.

People should also ask themselves honestly if they are sufficiently well-informed to be able to check and maintain the security of their networks at home, the patching status of any devices (both corporate and personal) they are using to access corporate data and of any VPN they make use of. If they don’t believe they are, they should not feel ashamed in any way and should be assured that there are multiple highly-accessible (and free!) resources available on the NCSC website.

If they don’t believe they are, they should not feel ashamed in any way and should be assured that there are multiple highly-accessible (and free!) resources available on the NCSC website that they can use to get themselves up to speed in that regard. Having done that it is obviously then crucial that they follow the guidance and check security on those fronts and take the necessary steps to address any vulnerabilities they find. They should also remember that this is not a one-time activity, as vulnerabilities and threats evolve and require attention at reasonably regular intervals. That may sound like something of a pain, but it far less than that experienced when attacked and compromised!