Click and despair: remote workers come under cyber-attack

Cyber Liability

Click and despair: remote workers come under cyber-attack

– to help protect against these threats, businesses must first understand their remote working risks using tools such as Aon’s CyQu assessment

14 September 2021

Opinion by Zamani Ngidi, Cyber Solutions Client Manager at Aon South Africa

The COVID-19 induced shift to remote working has provided a golden opportunity for cybercriminals to target one of a business’ biggest cyber vulnerabilities – the workforce. According to a recent Mimecast report, ‘100 Days of Coronavirus (Covid-19)’ there has been a 35.16% increase in malware detections, in addition to a dramatic increase in spam (26.3%), impersonations (30.3%) and unsafe URL clicks (55.8%).

Businesses no longer have the luxury of traditional defensive and office-based security models, and with such a drastic transformation in how workers operate remotely, the cyber risks have increased significantly. In order to manage this risk, it is imperative to first understand it.

Fertile soil for growing a new scam
Since the onset of COVID-19 hackers have been working to use the situation to their benefit. In the same way that the offline world has seen telephone scams from people selling anything from fake virus tests,  through to impersonating police officers and threatening fines for not following social distancing measures, the online world has been just as creative. Advance Persistent Threat (APT) groups and other cybercriminals have continuously targeted individuals, businesses and charities alike with COVID-19 related scams and phishing emails.

Typical examples include phishing emails tailored around news announcements from governmental or health organisations like the case study of the World Health Organisation which attempt to lure users to a malicious website to provide confidential details. The UK’s National Cyber Security Centre recently warned of email distributed malware which purports to be from Dr Tedros Adhanom Ghebreyesus, Director-General of the World Health Organisation (WHO) but is, in reality, the Agent Tesla keylogger malware.

The test and trace regime in place in many countries is also likely to see a wave of phishing attempts with hackers disguising their emails under the banner of the government’s push to contact all those who have been in contact with someone infected with the coronavirus. It’s not just emails that are vulnerable either, criminals are also targeting voice calls (vishing) or SMS (smishing) to get hold of an individual’s credentials or other sensitive information.

The attacks can be highly targeted, leveraging social media and public information to make their attack techniques as realistic as possible. Specifically, they can utilise the public information shared by companies about their remote working response to the pandemic and use this as ammunition in attempting to attack the workforce.

Held to ransom
If a remote worker falls victim to a phishing email and clicks on a link, the consequences for the business can be significant, with malware – and in some cases, a form of ransomware – downloaded into an organisation’s IT systems and possibly causing major IT downtime and business disruption loss of data or critical information. Ransomware cost businesses globally over GB£5 billion in ransom demands alone in 2019 and COVID-19 is likely to inflate that figure further in 2020. It is easy to see how such an attack can unfold in the fictionalised scenario below…

The remote worker – held to ransom
Friday – initial compromise

  • 16:27 Ryan is working remotely, as per his company’s COVID-19 guidance.  
  • 17:28 Ryan receives an email appearing to be from the corporate travel agency detailing urgent actions required to cancel upcoming trips due to the pandemic.
  • 17:39 He clicks on the website link in the email to cancel upcoming travel for a conference which has been postponed. Not realising the link is malicious, Ryan has just unknowingly allowed highly-skilled ransomware attackers to gain a foothold in the company network.
  • The entire weekend passes, the criminals begin their work and the attack has not been identified.


Monday – the attack remains undetected

  • 09:33 Ryan realises that he cannot access some files on his laptop. He emails the IT team and carries on with his work thinking this could be a simple connection problem.
  • He does not suspect anything unordinary as IT issues have been common following the shift to remote work. Over the weekend the ransomware has been spreading over the company network.
  • 17:17 Ryan finishes his work for the day and logs off. Meanwhile, the attackers have built on the initial compromise to move across the company network and access an increasing amount of company data.
  • 17:29 IT personnel review Ryan’s IT ticket; they have been very busy maintaining systems deployed to cope with large-scale remote work.
  • 17:35 The IT team sends Ryan instructions to re-configure his network connections and to call in the morning if the problem persists.
  • The IT team has recently dealt with a number of connectivity issues where people could not access a file stored and this problem does not appear to be different. Without physical access to his laptop, the team assumes the recent network updates will resolve the issue.

Tuesday – the attack is escalated and identified

  • 07:22 Attackers have now had time to lock accounts across the company network and extract critical data.
  • 08:00 The attackers have made their move, encrypted company files and posted a ransom demand ready for when employees log in.
  • 08:30 Ryan and his colleagues log in to the company network to find a message stating that their systems have been infected and owned by a notorious hacking group. To unlock files the attackers have demanded the company to make a payment of £100,000 to the attackers in untraceable currency. The entire company is brought to a sudden halt, employees have no access to IT and are unable to operate remotely – this includes operations, suppliers and customer departments. IT (and Ryan) remain unaware of the attack’s origin. IT personnel try to assess the extent of the attack.
  • 09:00:  the company executives are briefed; the IT team are asked how best to respond and decide to engage investigators. The CEO requests hourly updates and sends an email briefing to the board.  
  • 09:12 A highly-sensitive, confidential company document is posted online, accompanied by a message stating that more data will be leaked on the hour if the ransom is not paid. The attack is worse than anticipated, the document causes significant reputational harm to the company and the phones begin to ring with concerned customers and partners.
  • 09:45 Company executives join an emergency virtual meeting. They don’t know whether to pay or what the wider implications are. The executives raise the issue as a critical priority - they have already faced continuity issues due to COVID-19. They release a public statement about the breach and the CEO is inundated with calls from the media who want to know the extent of the problem.
  • 15:00 – the CFO has performed some initial analysis and believes the company will miss agreements with several suppliers costing them significantly. The sales team have received calls from key customers cancelling orders due to the press reports – a sense of panic has spread across the organisation.
  • Until the systems can be restored, the business experiences a significant loss of productivity and delay on orders for several large clients which could result in financial and legal penalties.

Next Monday - remediation

  • 12:04 Specialists investigating the attack identify the malicious email and notify company executives. They noticed high levels of activity from Ryan’s account over the weekend, outside working hours, and used this to narrow in on the malicious email. The ransomware used is linked to known, advanced attack groups.
  • 13:00 Using this information, the IT team can restore some basic services to their employees. Due to the encryption, key data is lost, and some systems remain closed – people are still unable to perform their jobs.
  • 14:00 the CIO briefs the executives with the root cause of the problem and the recommended remediation. This includes a total re-build of the company network and protective IT upgrades which were not budgeted. The CEO agrees this as a priority despite the significant unbudgeted spend.
  • 15:00 the CFO briefs the CEO and exec on the financial impact of the attack – it is material and significant. The CEO prepares a briefing to the public and receives an urgent call from the board…

New tech: new problems
No business wants to fall victim to an attack like the one described above, but the problem for many organisations is that once COVID-19 hit, they were simply unprepared to move to a majority remote workforce operating model in such a short space of time. Many companies who have invested in securing their technologies appropriately turned to new services that could be vulnerable to hackers out of necessity. This trend has been picked up by the NCSC, who mentions the use of communications platforms where “malicious cyber actors are hijacking online meetings that are not secured with passwords or that use unpatched software.” Of course, it’s important to balance cyber risk with keeping operations running – and employees in work – however appropriate safeguarding and due diligence for any major business tool is still required to protect the company.

Even where businesses are investing in a robust programme of cybersecurity and associated technologies, it is only ever as good as the people using the system. Many South Africans lack the basic cybersecurity training needed to spot a cyber-attack, meaning they are more likely to fall victim to an attack, particularly when they’re not working from their usual office environment.

Undertake a CyQu assessment
Despite the increased threats posed by the significant uptake of remote working, there are a number of steps that businesses can take to help minimise the risk. Understanding where the weaknesses are is the right place to start. Aon’s Cyber Quotient Evaluation (CyQu) is an online self- assessment which can provide insight of an organisation’s cyber maturity and the reported areas identified as posing the greatest risk in less than 90 minutes*.

To help organisations deal with the remote working threat, a ninth security domain specifically focussed on this area has been added to CyQu in addition to other critical cybersecurity domains such as network security, data security, and business resilience. By undertaking an online self- assessment, businesses are provided with a report identifying key findings and prioritised quick wins to help improve security maturity, as well as calculating a benchmark against industry peers to help an organisation to understand how it compares with others.

Changing threats demand a changing approach to security
The cybersecurity threats continue to change as businesses adopt new ways of working and new technology. Whilst the pandemic may have accelerated the pace of change for digital transformation initiatives and remote working enablement, businesses should ensure they review the relative cyber risk to their operations and understand that systems which may have been secure before, may now be vulnerable due to the change in operations.

Assessing where those risks are will help enable businesses to prepare and mitigate these emerging threats. Through understanding their cyber risk, organisations can work to prevent it and put in place additional protection such as the use of cyber insurance to help minimise the operational and financial consequences of an attack; critical at a time when a data breach or ransomware incident could significantly detract from an organisation’s ability to come through the pandemic intact.

Find out more about how Aon’s Cyber Quotient Evaluation (CyQu) online assessment tool can help your organisation counter the additional threat from remote working.

*Completion time will vary by user/industry and the complexity of your organisation.