In simpler times, some businesses would literally hang a sign on their door each summer saying “Gone Fishin’” and close for two weeks. In today’s world, hackers might as well hang a sign on their door in summer that says “Going Phishing.”
Summer brings out the child in everyone – including businesses – conjuring up images of ice cream cones, sunscreen, and firing up the grill. But the same laid-back approach to summer can create an atmosphere where hackers can thrive. Throw in a pandemic and it’s the potential for open season.
“And summer is sort of a one-two punch, because we see a more ‘relaxed’ attitude at enterprises during the summer, but MSPs, if they aren’t careful, can also get lulled into this summer mindset too,” says Ken Cohen, a cybersecurity analyst in Newport News, Virginia and a former MSP owner.
Studies have shown the cybersecurity dangers of summer. In fact, a survey conducted last year by security firm Lastline showed that 58 percent of enterprises report seeing more threats in summer than at other times of year. Of the threats, phishing and spear-phishing are cited as the biggest, grabbing almost 73 percent of the concern. Malware and ransomware were also flagged as concerns.
In previous years hackers hit pay dirt during summer with enticing email offers centered around seasonal travel, concert tickets or cruises. The pandemic has shifted the topics, but not the tactics, Cohen states. Now, the phishing attempts will more likely revolve around contact-tracing, COVID-19 testing, or lockdown lifting. In today’s challenging environment, an email from a contact-tracer could be tough for someone to ignore. Other emails that dangle a deal could also be enticing right now.
“Phishing emails like these can be brutally effective right now because people are tired after four months of lockdowns. This summer offers the promise of better days ahead and people may think those better days are just a click away. Hackers know that, and are taking advantage of that,” Cohen adds.
The problem, Cohen says, is that “MSPs are comprised of people and many of them are mentally drained and exhausted after months of monitoring remote workers. But MSPs need to recognize the dangers of summer and make sure enterprise employees are staying alert. Remember, all of your great security tools can be rendered useless by one careless employee.”
Despite the turmoil in the labor market, there are still plenty of summer interns. Glassdoor estimates that internships in travel- and hospitality-related verticals plunged a jaw-dropping 92 percent this summer, but other businesses, like legal and accounting, haven’t been as hard hit. Those businesses have “only” pared back their internship hiring by 22 percent. And, not surprisingly, many interns are working remotely this summer.
“Internships are invaluable for students, companies and also hackers,” Cohen says. “Unfortunately, many companies, assuming the hire is temporary and with compressed summer schedules, bring them onboard without the typical training in cybersecurity best practices.”
Internships can be dangerous from a cybersecurity standpoint, and Cohen advises that kids will often emblazon their new summer digs across social media with catchy hashtags and posts, making them troves of potential information for hackers to mine.
“The CISO’s team or the MSP are often not even put in the loop about an intern’s presence and that is especially true in this remote environment,” Cohen states. “MSPs need to be monitoring the addition of interns or other temporary summer help and not assume the pandemic has put an end to those hires.”
In other years, summer posed a danger to organizations because employees would decamp to the beach or a cruise. They’d take their personal devices with them, check their email as they soaked in sun by the pool and, in doing so, place the whole organization at risk.
“This year the danger is different. Summer vacations are still happening, but many workers are unplugging completely or using the unsecured internet at the secluded lake cottage,” Cohen says.
“Many workers – even ones that should realize it – are taking unnecessary security risks that can put their whole company in danger. Just because you are taking a vacation to a remote peak in the Catskills doesn’t mean the unprotected internet in the cottage poses any less danger,” Cohen says.
He also advises that any unprotected network, whether it is in O’Hare Airport or a secluded cottage, can pose a threat and that MSPs need to make employees aware of that.
MSPs and summer
MSPs are like any other business. Technicians are on vacation and front office people are also taking time off. “And this is a good thing, because MSPs – especially this year – are under a lot of pressure and people need time to unplug,” Cohen says. But this can mean that technicians are stretched thin and perhaps handling accounts that they typically wouldn’t. This unfamiliarity can breed sloppiness.
“Don’t let the value of employee vacations be undermined by not having seamless cybersecurity in place during your technician’s absence,” Cohen says.
Remember all of these tips and, hopefully, while you are fishing, hackers will be unsuccessful at phishing.