There has never been a situation like this before: The coronavirus has completely changed our everyday life within a few days. Uncertainty and worry are the order of the day: Whether it's the health of family and friends, the economic situation of one's own life.
Cybercriminals take advantage of these existential fears and the conversion to remote work: Media report on deceptive offers such as a "corona tracking app" or alleged real-time figures on the actual spread of the virus, concealing malware. This enables the attackers to read sensitive data like passwords and credit card numbers or to block the smartphone in order to demand extortion money.
This might just be the beginning - as the switch of many companies and organizations to homework is still in its early stages in many places. In this interview, Prof. Angela Sasse (Chair of Human-Centred Security) and Prof. Thorsten Holz (Chair of Systems Security) discuss vulnerabilities and issues that need to be addressed.
Many companies and organizations are currently converting to remote working, the staff is taking their laptops home or using their private equipment. Will there be more attack vectors for cybercriminals?
Thorsten Holz: The companies' IT infrastructure is now used in different ways than their administrators had planned. New attack vectors are potentially possible as a result. For example, a firewall and additional security solutions typically protect a company's IT systems, while the systems are also centrally administered and, in particular, updated. However, the home office does not necessarily provide these features, so it is necessary to rethink this approach.
Are there any technical solutions you can think of?
Thorsten Holz: With VPN solutions it is possible to establish secure connections to the company network, so from a technical point of view such problems might be addressed. Firewalls or security solutions may also have to be reconfigured or private equipment may have to be used.
Professor Sasse, you research the human factor in IT security. What other problems do you see?
Angela Sasse: Changes in work processes and internal communication can create weaknesses that attackers could exploit through social engineering attacks: One example would be a fake e-mail from the company's CFO, requesting that payment processes be changed due to the corona situation. Employees may respond to this. We already know that companies are particularly vulnerable during buy-outs or mergers when employees do not know what rules apply, where responsibilities lie - hence explicit communication about responsibility, accountability, and rules, through a secure channel, is very important.
Are employees currently particularly vulnerable to such attacks?
Angela Sasse: Nowadays, many employees experience general insecurity, stress and concern about their future. Under stress we are more likely to make mistakes, and in times of uncertainty we are more susceptible to seemingly attractive offers with the potential to solve my problems - e.g. a discount on goods currently out of stock in the supermarket. Rumours in social networks, for example about the solvency of the company, also tend to make employees more susceptible. Behind this type of information, however, malware can be hidden that gets onto the computer unnoticed.
How can companies support their employees at this point?
Angela Sasse: If communication is regular and frank, it can reassure employees, as well as offering the opportunity to discuss questions with people in charge. By the way, the same applies to technical staff, support desks are currently overloaded and confronted by more inquiries and requests from employees - some of whom are very stressed. I consider it most effective to display attempted attacks and false information on the company's website. The most important thing is the possibility to ask questions and to be able to report in case of ambiguity - that's where the capacities must be available.
People now use all kinds of tools to make it easier to work from home. How secure are these programs to exchange sensitive company data?
Thorsten Holz: New tools always offer new attack scenarios and potentially have vulnerabilities. For example, in September 2019 a major security hole was discovered in the popular video conferencing software Zoom, which has since been fixed. Besides, the data shared via such tools leave the company network and is stored on servers that are potentially located abroad permanently. Rules for data protection and data security should still be obeyed, especially critical and sensitive data should not be exchanged via such tools.
Angela Sasse: This is where training in the use of the tools and clear security instructions could help. For example, once it has been determined that customer data may not be sent via a certain channel, managers must adhere to this as much as their employees. However, attackers not only use new tools, but also attack via conventional channels such as telephone, SMS and e-mail - their methods are well-planned and create additional time or authority pressure on their victims.
Do users know if their computer has been hacked?
Thorsten Holz: It is not always easy to identify threats; attacker do their best to remain undetected. With phishing emails, for example, users are tricked into installing malicious programs unnoticed. As soon as the attacker can run the malware on the victim's computer, he hides and collects relevant information in the background. Only ransomware works differently: Attackers encrypt files on the victim's computer in order to extort a ransom. Obviously, the attack is conspicuous there.
Angela Sasse: In this case, it is particularly important that employees do not fear to report to the company that they have a problem or have made a mistake. The quicker a problem is reported, the better the security experts can react.
So what should companies and organizations achieve now to protect themselves?
Thorsten Holz: Before making changes in business processes, IT security and data protection considerations should not be forgotten in order to avoid potential attacks against company networks and to minimize the possibility of additional attacks. Apart from that, the current situation also offers the chance to test new methods of collaboration and to enable working in the home office. In the future, many work processes will be digitalized.
Angela Sasse: Employees should be involved through regular communication as well as specific training sessions. Security and data protection are building blocks for the digital fitness of each individual employee and the company. Especially in the German-speaking countries, there are several providers of proven IT security competence concepts and training offers for this.
Please direct press inquiries to
Prof. Dr. Martina Angela Sasse, Lehrstuhl Human-Centred Security
Mail: Martina.Sasse@ruhr-uni-bochum.de
Prof. Dr. Thorsten Holz, Lehrstuhl Systemsicherheit
Mail: Thorsten.Holz(at)ruhr-uni-bochum.de
General note: In case of using gender-assigning attributes we include all those who consider themselves in this gender regardless of their own biological sex.