Follow Robert Facebook
Email Robert Email
Aug 15, 2020

Cybersecurity In A COVID-19 World

Sponsored Content provided by Robert Burrus - Dean , Cameron School of Business - UNC-Wilmington

Contributed by Dr. Geoffrey Stoker, Assistant Professor of Management Information Systems and Dr. Uklu Clark, Professor of Management Information Systems at the UNCW Congdon School of Supply Chain, Business Analytics, and Information Systems.
There is a clever meme floating around the internet that goes something like this:
“Who led your company’s digital transformation?”
C.  COVID-19
Before the SARS-CoV-2 virus, which causes the COVID-19 disease, arrived in the US, polls indicated that about 4% of US workers worked from home half-time or more. That number appears to have jumped to over 60% recently with 82% of US office workers saying they want to continue regular remote working post pandemic.
From a cybersecurity perspective, this 10 to 15-fold increase in remote workers has created many challenges, some of which include:

  • increased worker isolation from workplace situational awareness;
  • far more personal devices being connected to business networks and used for work;
  • greater use of virtual private network (VPN) software and devices.
All three of these challenges presage a coming uptick in cybersecurity incidents related to insider threats. Whether simply negligent or deliberately malicious, insiders cause a lot of damage with an average cost of $450,000+ per incident according to the Ponemon Institute. With 62% of insider threat incidents related to negligence, having new remote workers is going to exacerbate this problem.
The first challenge above will play into the devious innovations in business email compromise (BEC) and email account compromise (EAC) attacks since COVID-19. The most recent FBI annual Internet Crime Report indicates that BEC/EAC continue to be major attack vectors against all businesses – small, medium, and large. Worldwide losses due to BEC/EAC totaled $26 billion from June 2016 – July 2019. Common attacks are the transfer of funds scam and payroll diversion.
With transfer of funds scams, malicious actors spoof an email of someone in authority and direct an employee to wire funds to an illegitimate account. Payroll diversion involves malicious actors, posing as legit employees, emailing human resources or the payroll department with requests to update direct deposit information.
Frequently, legitimate information is used as part of the ruse. For example, a Texas school district was building a new elementary school and an employee received an email with wire transfer instructions and a request for payment for the construction project. Unfortunately, the email was from a scammer posing as the construction company and the school lost nearly $2 million.
The current pandemic environment has resulted in “improvements” on these classic attacks.  Scammers cite the COVID-19 disruption as a believable reason for a sudden need for urgency and/or last-minute changes that targets are more likely to believe and less likely to double-check. Other reasons proffered include changes justified as precautions and/or requirements following quarantine processes or changing bank information because of audits triggered due to large numbers of COVID-19 sicknesses and/or deaths.
With employees isolated at home, it is harder to get someone on the phone to verify the changes and they cannot simply walk down the hallway to confirm the payment action. Staying on guard should include being skeptical of changes to any financial-related information; verifying any change via an email or phone number from a directory rather than what was provided; and being alert to subtle spelling differences in domain names or email addresses.
The second challenge reflects the fact that many employees will be using devices not managed by an IT team and very likely to be unpatched and/or not upgraded with the latest software versions. They will also be sharing a home LAN with other devices in the same state (or worse), including desktops, laptops, tablets, gaming consoles, phones, networked printers, and home routers. In addition, other household members will be using these devices for personal needs.  Without formal information security training it is highly likely that they will visit malicious sites or click links that install malicious software.
It is hard enough for most companies to run an effective vulnerability management program when only devices physically present at the company location are involved. It is a colossal challenge to get a handle on a company’s new attack surface when home-based employees are using (or sharing a LAN with) devices that are poorly maintained and only as well-secured as the individual using them knows how to (or cares to) secure them.
To get a sense of the problem scope, consider a year ago it was reported that 32% of businesses still had Windows XP machines and 79% had Windows 7 machines somewhere in their infrastructure. The situation at homes is likely worse than most businesses. Statcounter indicates that today 20% of machines worldwide are running Windows 7. That means one in five Windows computers is using an unsupported operating system – one no longer receiving updates or patches from the vendor. 
Confronting this challenge should include reviewing policies regarding what devices are permitted for use with business data; ramping up education of employees regarding potential threats to personal devices and how to mitigate them; and developing/implementing disaster recovery plans for when (not if) an employee’s device/account is compromised.
This brings us to the final challenge. When more people are remotely connecting to a company network there is, by default, less confidence in endpoint security. And, with more remote endpoints, more sensitive data is going to migrate outside of a company’s IT purview making it more readily available to be stolen.
If company devices are required, are they being connected frequently and long enough to receive critical patches and new security policies? If personal devices are permitted, there are many questions including: do they require a strong password for local account access; is there a local firewall and up-to-date anti-virus/malware protection; are “convenience” apps installed that are not part of the normal company software suite but that workers are using to process company data; are strong wireless protocols used to connect to the home network; and are they already compromised? Enumerating these questions is meant to highlight the security concerns of any data that resides on remote endpoints.
COVID-19 really did cause a disruptive digital transformation, and we all need to up our cybersecurity “game” to protect our businesses.
Robert T. Burrus, Jr., Ph.D., is the dean of the Cameron School of Business at the University of North Carolina Wilmington, named in June 2015. Burrus joined the UNCW faculty in 1998. Prior to his current position, Burrus was interim dean, associate dean of undergraduate studies and the chair of the department of economics and finance. Burrus earned a Ph.D. and a master’s degree in economics from the University of Virginia and a bachelor’s degree in mathematical economics from Wake Forest University. The Cameron School of Business has approximately 90 full-time faculty members and 30 administrative and staff members. The AACSB-accredited business school currently enrolls approximately 2,600 undergraduate students in three degree programs and 750 graduate students in four degree programs. The school also houses the prestigious Cameron Executive Network, a group of more than 200 retired and practicing executives that provide one-on-one mentoring for Cameron students. To learn more about the Cameron School of Business, please visit Questions and comments can be sent to [email protected].

Other Posts from Robert Burrus

Uncwgradprogram 300x250
Ico insights


Jordain 422430214

How to Solve Impossible Problems

Jordan Cain - APPROVE

Paving the Way to Better City Streets

Tony Caudle - City of Wilmington
Cfss headshots parker robert webversion 21422121214

Duke Energy Will Pay You Up to $9,000 to Go Solar with a Battery

Robert Parker - Cape Fear Solar Systems

Trending News

Lower Cape Fear LifeCare Welcomes New Board Members

Staff Reports - May 28, 2024

Novant To Sell, Leaseback Four Wilmington-area Properties In Statewide Effort

Emma Dill - May 28, 2024

CVB Announces Tourism Award Winners

Staff Reports - May 28, 2024

United Bank To Acquire The Piedmont Bank

Audrey Elsberry - May 28, 2024

UNCW Honors Faculty Awards Recipients

Staff Reports - May 28, 2024

In The Current Issue

Half Marathon Takes Whole Race State Title

The top half marathon in each state was crowned based on nearly 20,000 votes from runners across the country....

Vantaca’s Balancing Act

“We want to swing big, and we have a vision of building a really massive company that is the industry standard for software in our space."...

As Hurricane Season Heats Up, How Do Builders, Laws Prep Homes For Storms?

The damage caused by Hurricane Florence in 2018 throughout the region put a bigger spotlight on the need for the construction industry to fa...

Book On Business

The 2024 WilmingtonBiz: Book on Business is an annual publication showcasing the Wilmington region as a center of business.

Order Your Copy Today!



2024 Power Breakfast: The Next Season