When staying safe means more than just washing your hands.
COVID-19 has impacted every aspect of our business lives and out of necessity a good deal of our activities have moved online. The overall increased volume of online activity, the new reliance on digital conferences, and the urgency resulting from the daily news of the pandemic are creating unparalleled opportunities for cyber criminals causing an increased risk of malicious activity. In short, COVID-19 has created the perfect set of circumstances for hackers as fear, uncertainty and doubt permeate our organizations.
While the coronavirus has created many new business concerns—including concerns about employees and dramatically shifting consumer preferences and financial markets—cybersecurity must now be added to the top of a long list of complications.
Ominously, for example, the FBI reported on March 31, 2020 that two interlopers interrupted classroom lessons taking place on the Zoom platform in Massachusetts. These hackers introduced unintended graphics and text into a Zoom online meeting in a new phenomenon called “zoom bombing.” This example suggests that hackers are attention seeking, creative and, much like improv actors, able to adjust their tactics and behavior quickly. Other examples suggest hackers have more nefarious goals; they want financial gains and personal information to exploit later.
Recent Check Point Research, for example, found a spike in coronavirus domain name registrations, exceeding 50,000 new website domains. Some of these sites are actually set up by hackers to exploit those seeking information about the virus. Hackers then use those sites to seek money or plant malware on devices who access them. Moreover, law enforcement has seen an increase in COVID-19 related scams, including “fake medicine” to treat the illness.
Challenges within the organization may be just as great. With most organizations opting for remote work, what cyber experts call “the attack surface” has increased exponentially including interrupting conference calls and phishing attacks using COVID-19 fears as bait to take over employee devices and access company networks. Well-run businesses have turned chaotic and in the urgency to respond to any and all requests, sometimes well-intentioned but ill-conceived responses can cause security breaches.
How do we make sure our organizations are cybersecure in this time of COVID-19?
Cybersecurity in the time of COVID-19 is not a fiduciary responsibility or a leadership challenge for the technology team. This is a time for executive leadership to lead by example both in terms of words and actions. CEOs must step-up personal involvement and communications. Senior leaders must make clear to everyone at every level the importance of heightened vigilance against opportunistic cybersecurity threats to the organization.
Our research at MIT’s Sloan School of Management found that one way to successfully change the values, attitudes and beliefs of employees is through role modelling at the senior level. Our research on building a culture of cybersecurity suggests that CEOs must act now to drive cybersecure behaviors of employees during this time of crisis and beyond by personally embracing cybersecure behaviors and then letting employees know it’s a personal priority. When senior leaders make cybersecurity a priority, it sends a very strong signal to the team.
Criminals know that a great time to attack is when there are high levels of fear, uncertainty and doubt and when change is occurring rapidly. In this turbulent time brought on by COVID-19, C-suite executives must make it clear that every employee has a role in keeping the company secure. This is not another training class. This is a time for executive leadership to demonstrate their personal commitment to keeping the company secure by personally upping their activity, telling team members that they are doing so, and supporting those who are your first responders in times of cyber-crisis. We believe that kind of leadership will go a long way to instilling a heightened awareness in every employee. And that might just save our companies from new vulnerabilities that have arisen in this time of chaos.
Dr. Keri Pearlson is the Executive Director of the research group Cybersecurity at MIT Sloan (CAMS).
George L. Wrenn is the founder of Leto Security, a graduate fellow and researcher at the MIT Sloan School of Management.