“Safe at home, not stuck at home” has been the mantra of many during the COVID-19 global health crisis. But are people starting to feel too safe at home, at least when it comes to their internet practices? Remote workers can be distracted due to competing priorities at home. Combine distraction and personal device use with an elevated ‘always online’ culture, and the result is a perfect storm for effective cyberattacks.
Indeed, the massive increase in remote work has led to an explosion in cybercriminal activity like phishing. Not only is phishing still prevalent, it’s rising in sophistication and in frequency, making cyber resilience more important than ever.
Office workers across the globe were recently surveyed about how their online lives, namely email and click habits, have changed since the beginning of the COVID-19 pandemic. From there, the “COVID-19 Clicks – How Phishing Capitalized on a Global Pandemic” report was created, shining a light on what people know about phishing attacks, what makes them click on a potentially malicious link, and overall cyber-resilience habits in the time of COVID-19.
Prashanth Rajivan, Ph.D., assistant professor at the University of Washington, studied the report data and offers his perspective on how the COVID-19 pandemic and general increase in working from home could affect individuals’ and businesses’ cybersecurity status. “Like with distracted driving, working while doing other household chores or even watching TV seems easy enough when doing mundane tasks such as email processing,” he says, noting that this type of distraction can make people vulnerable and even less likely to properly notice or weigh the risks of a potential phishing message.
The report suggests companies and consumers are falsely confident when it comes to cybersecurity. Breaking down the numbers, 95% of respondents worldwide recognize phishing remains a problem for businesses and households alike. More than three-quarters admit they have opened emails from unknown senders, a known cybersecurity hazard, with over half (59%) blaming it on the fact that phishing emails look more realistic than ever.
Report findings also reveal an opportunity for more security awareness and education. Just 59% of workers believe they know what to do to keep their data safe, with nearly one-third admitting they’ve clicked on a phishing scam in the last year and 1 in 5 confirming the receipt of a phishing scam related to COVID-19.
According to Rajivan, another factor that could contribute to people’s overconfidence in their ability to spot phishing attacks and avoid online threats might be a psychological phenomenon called the Dunning-Kruger effect. It refers to a cognitive bias in which people who are less skilled at a given task tend to be overconfident in their ability; i.e., we tend to overestimate our capabilities in areas where we are less capable. Thus, without the in-person IT team they could turn to when physically in the office, employees assume that role in their own homes and overestimate their ability to make the most secure decisions.
Ideal? No. Real? Absolutely.
“If we want to enable employees to assess risk properly, we need to cut down on uncertainty and blurring of context lines. That means both educating employees and ensuring we take steps to minimize how work and personal life intertwine,” says Rajivan. The report indicates that many workers feel their employers need to invest more heavily in training and education, in addition to vital cybersecurity tools, in order to properly prevent phishing.
This means running regular phishing simulations and making sure all employees know how and where to report suspicious messages. With remote work becoming the new normal, backing up employees’ collaboration tools is also important for ensuring access to data no matter where they are. On the leadership front, businesses must assess their different risks and from there, create a data breach response plan that includes recovery strategies; security experts to contact; and communications plans to notify customers, staff, and the public in case of a breach or attack.
While working from home does indeed keep us physically safe from COVID-19, prioritizing a culture of cyber resilience and investing in a better understanding of cybersecurity for all employees will help ensure business continuity even amid increased cyberthreats.
TYLER MOFFITT is a security analyst at Webroot who stays deeply immersed within the world of malware and anti-malware. He is focused on improving the customer experience through his work directly with malware samples, creating anti-malware intelligence, writing blogs, and testing in-house tools.