Cybersecurity in a Time of Pandemic
By David Opderbeck
The Covid-19 crisis is placing unprecedented strain on every part of the U.S. health care sector. In the heat of the emergency, it’s easy to forget about persistent threats to data security and privacy. This post, which discusses social engineering attacks, is the first in a series on navigating data security and privacy challenges during the pandemic.
Social engineering attacks are one of the primary pathways for the delivery of malware. Social engineering exploits the networks of accountability and trust we need to function in our jobs and personal lives. For example, if your supervisor at work asks you to provide her with some confidential information, such as a network access password, you might comply without much question – after all, she’s the boss. If the request comes by email, in ordinary times, you might walk down the hall or pick up the phone to confirm that the email was legitimate before hitting send with your reply. But these, of course, are not ordinary times. In the stress of this moment, with so many other fires to put out, it’s tempting to set aside our carefully cultivated habits of cyber-vigilance.
Unfortunately, cyber thieves know that the real-world Covid-19 crisis has also weakened our cybersecurity immune systems. As Carrie Parikh, Chief Privacy Officer of Horizon Blue Cross Blue Shield of New Jersey, notes, “in the past several weeks we have seen a significant rise in social engineering campaigns. Email and social media-based phishing scams referencing COVID are attempting to capitalize on people’s fears.” The problem has become particularly acute, Parikh suggests, as many of us navigate the challenges of working full-time from home while also juggling responsibilities to family members who are likewise under stay-at-home orders.
Parikh offers some common-sense reminders for those working remotely:
- Do not open emails unless you are 100% sure you know who the sender is.
- Do not click on any links or attachments in emails, text messages or on social media unless you can be certain that they are links from and to re
- Do not give out your personal information over the phone to anyone whose identity you cannot verify.
In addition to these suggestions for individuals, Parikh offers some suggestions for companies, including using multi-factor authentication, limiting administrative rights, and maintaining a robust vulnerability scanning and patching program.
It can be easy to compromise basic cyber-hygiene such as that suggested by Parikh while we are all adjusting to the new normal of the Covid-19 crisis. Although compromise in some areas at this time might be healthy – maybe it’s good that, for now, we can conduct business meetings over video chat in sweatpants instead of business wear – regarding cybersecurity, we need to keep vigilant. In our next post, we’ll discuss how the Covid-19 crisis has amplified the risks of ransomware, particularly in the health care sector.
David Opderbeck is a Professor of Law at Seton Hall University School of Law and specializes in intellectual property, cybersecurity and technology law and policy. He also currently serves as the Co-Director of the Gibbons Institute of Law, Science & Technology. Professor Opderbeck's biography and publications are available online.