10th April, 2020

 

An increasing number of malicious cyber criminals are exploiting the current COVID-19 pandemic for their own objectives.

In the UK, the National Cyber Security Centre (NCSC) has detected more UK government-branded scams relating to COVID-19 than any other subject. At the same time, a surge in home working has increased the use of potentially vulnerable services, such as video conferencing, which in turn amplifies the threat to organisations across the board.

Yesterday, the UK’s National Cyber Security Centre (NCSC) and the US Department of Homeland Security (CISA) issued a joint advisory.

Both have observed a large volume of phishing campaigns that use social engineering techniques to persuade potential victims to click on a link or open a file in order to harvest valuable credentials or to deploy malware to compromise devices.

Many of these campaigns have imitated trustworthy sources such as the World Health Organisation (WHO) and Government departments such as HMRC.

NCSC’s guidance for organisations on mitigating phishing attacks is split into four layers:

1. Make it difficult for attackers to reach your users

    By implementing the 5 key controls outlined in the UK Government endorsed Cyber Essentials scheme, organisations protect themselves from 80% of cyber attacks.

2. Help users identify and report suspected phishing emails

    The NCSC has a useful guide to dealing with suspicious emails and messages. This should form the basis of employee education on how to deal with phishing emails.

    https://www.ncsc.gov.uk/guidance/suspicious-email-actions

    You should also implement a straightforward process that allows users to report when they are concerned they’ve opened a suspicious email.

3. Protect your organisation from the effects of undetected phishing emails

    Despite your best efforts, assume that your organisation will fall foul of a small percentage of phishing campaigns. Planning for this will minimise the damage caused to your organisation.

4. Respond quickly to incidents

    As is the case in many situations, the speed and effectiveness of the way you respond to a phishing attack will also limit your exposure.

 

More details are available on NCSC’s website.

You can also find out more about protecting your organisation by visiting our Business Support Hub.