Australians are now working from home offices and kitchen tables as social distancing measures to slow the spread of coronavirus ramp up. But this change to how we work makes us more vulnerable to cybersecurity threats.

Key points:

  • • Criminals are taking advantage of the coronavirus outbreak using phishing scams
  • • The healthcare industry could be particularly targeted by hackers during the disruption
  • • Businesses with employees working from home need to boost cybersecurity

Australia’s cyber spy agency has warned of scams and phishing attempts, as criminals try and take advantage of the disruption.

Scamwatch has also received 94 reports of COVID-19 scams since the beginning of the year, with numbers expected to rise.

Karl Hanmore, the acting head of the Australian Cyber Security Centre — part of the Australian Signals Directorate — said there are already examples of coronavirus-inspired cybercrime.

“I’d be suggesting people be cyber-alert but not cyber-alarmed,” he said.

“Most importantly, don’t click on links you receive via text message or email, especially if they’re around the coronavirus.”

Phishing scams using COVID-19-themed text messages are already circulating in Australia.

One of them appears to be sent from “GOV” and shares a link that claims to help people find out where they can get tested for coronavirus.

But the link and the sender are fake. Clicking on the link could install malware designed to steal your banking details.

“That’s criminals trying to steal your banking details at a time when you’re least able to protect yourself,” says Mr Hanmore.

Healthcare sector at risk

Some critical industries like healthcare may be subject to increased threat of ransomware attacks during the pandemic, among other risks.

In the United States, the Department of Health and Human Services has reportedly been targeted in recent weeks.

Criminals may focus on industries people are particularly reliant on, according to Ian Atkinson, director of the eResearch Centre at James Cook University.

“So, you can imagine health, banking, people looking at their superannuation funds,” he said.

“People stressed, doing things quickly in panic mode, that’s a great time for a cybercriminal to come in.”

Colin Denver is the chief executive of the start-up SpeeDx, which makes respiratory virus tests, and has a COVID-19 test in development.

His company already had many staff members working remotely, so he believes they are well prepared.

“Realistically, keeping our workers healthy and keeping our business open is probably the biggest concern,” he said.

In his view, it’s vital the companies which make important components like protective medical equipment or ventilators stay online during the pandemic.

“It’s got to be something that is focused on from a much wider level,” Mr Denver said.

“[Ensuring] all the companies that are servicing the increased need for healthcare are able to operate during these times.”

Phishing and the ‘human firewall’

To protect against the potential for “increased opportunism from bad actors”, businesses should undertake basic cyber hygiene, such as patching servers, according to the Australian Cyber Security Centre’s Mr Hanmore.

He also recommends people visit for warnings and updates.

To protect yourself from phishing:

  • Don’t click on links in emails or messages, or open attachments, from people or organisations you don’t know
  • Before you click a link, hover over that link to see the actual web address it will take you to (usually shown at the bottom of the browser window)
  • If you do not recognise or trust the address, try searching for relevant key terms in a web browser. This way you can find the article, video or webpage without directly clicking on the suspicious link
  • If you’re not sure, talk through the suspicious message with a friend or family member, or check its legitimacy by contacting the relevant business or organisation (using contact details sourced from the official company website)

Source: Australian Cyber Security Centre

David Eaton, who helps lead cybersecurity at the IT company Datacom, helps manage the risks faced by more than 6 thousand employees around the world.

From Monday, more than 80 per cent of them will work from home.

He said Datacom views employees as “a human firewall” against phishing scams and other attacks — something that may become more challenging as employees are out of the office.

“One of the key defence mechanisms against phishing is a peer who sits alongside you,” he said.

“You can say, ‘look at this, what do you think I should do?’ That peer is no longer there.”

When employees work from home, here are some security practices he recommends businesses consider:

Alerting employees about the potential for phishing

“Part of this is ensuring staff know how to spot a phishing email,” Mr Eaton said.

This could include tell-tale signs, like odd email addresses or malicious links.

He suggested circulating a sample COVID-19 phish to employees, so they have some idea of what to spot.

Using multi-factor authentication

When they’re at home, workers may have to identify themselves to online work systems in a new way.

“That requires multi-factor authentication,” Mr Eaton said, “to allow us to be comfortable that the employee is who they say they are, regardless of the location they work from.”

Multi-factor authentication could include using a separate app to permit entry to online workspaces.

In some cases, it may be appropriate for employees to access critical systems via a virtual private network, or VPN, to help ensure the end to end communication is secure.

Patching your computers and locking down home Wi-Fi

Mr Eaton said he recommends that if employees are doing work, they’re using a work device.

If that’s not possible, it’s important to ensure the device using the latest software update, has been patched, and is using secure Wi-Fi.

In other words, while we work from home, workers must ensure their Wi-Fi is locked down — at least password protected.

Deciding on a chain of command

If your team is spread across the country, or even internationally, Mr Eaton suggested it’s important to decide how decisions get made in case of online disruption.

For example, can decisions be made entirely via email or should a second “factor” (such as video or phone calls) be required?

“Can the process be subverted by a party wanting to cause disruption?” he asked.