The current outbreak of the novel coronavirus (COVID-19) has introduced new cybersecurity risks both at NIH and across the globe. As targeted phishing attacks prey on our desire to access trustworthy information and many of us make a shift toward remote work, we all need to be vigilant and take accountability for cyber safety.
Be Vigilant – Protect Against Phishing Attacks
Phishing attacks related to COVID-19 are on the rise. Over the past few weeks, several federal agencies and international organizations, including the World Health Organization, have issued cybersecurity alerts about criminal groups who are exploiting the pandemic for their own gain. INTERPOL also issued a targeted warning to hospitals and healthcare institutions at the forefront of the COVID-19 response about ransomware attacks that, “are designed to lock them out of their critical systems in an attempt to extort payments.”
In order to mitigate the risk of these attacks, we all need to know how to recognize and report phishing messages, which can serve as a gateway for malicious actors to enter our systems. Here are a few tips:
- Know how to report phishing messages in your inbox. Phishing emails are real and can show up in our inboxes at any time. That’s why we all have to feel comfortable identifying and reporting them using the “Report Phishing” button in Outlook (or the equivalent feature in another email system) if a message seems suspicious.
- Get your information only from trusted sources. When looking for updates on COVID-19, refer to websites of trusted organizations such as the Centers for Disease Control and Prevention (CDC). Remember that a public health organization will never send you an email asking for log-in credentials, a Social Security number, or payment details in exchange for access to information.
- Think before you click. Make it a habit to carefully inspect all emails to verify their validity before you download any attachments or click on embedded links. Be especially watchful for invasive and aggressive advertising, which may be a ploy to frighten you into acting quickly without thinking. Always verify that the sender’s full email address, including the domain after the “@” symbol, is correct.
Be Secure – Protect Your Home Office
Just as we can take steps to reduce our risk of contracting or spreading COVID-19, there are also steps that each of us can take to reduce the risk of a cybersecurity breach while working remote. To protect yourself and your organization, pay special attention to the following remote work cyber-safety precautions:
- Protect your network. Enable the stronger WPA2 type of encryption on your home router by using the router’s IP address to access its configuration page. If you have not already done so, you should also change your router’s default password to one that satisfies strong password guidelines.
- Secure your equipment. Never let friends or family use your work laptop, phone, or other equipment. Select a designated area within your home from which to work so that you can limit access to your files and computer. Make sure that you are using a screen lock with a strong password whenever you leave your computer unattended, and don’t leave your computer or phone anywhere where they could be visible from outside your house.
- Don’t do work from unsecured personal devices. Any personal devices used to access work files or perform work activities should be protected with your organization’s mobile device management solution. Never use a cable to connect your unsecured personal phone to your work laptop, even just to charge it or move pictures between devices.
- Connect securely. Avoid connecting to free public Wi-Fi. If you do not have access to secure Wi-Fi while working outside your home, use your phone’s mobile hotspot to connect, tethering your laptop as needed. Use VPN to access your organization’s network while working remotely.
- Safeguard sensitive information. Lock confidential paper documents in a secure cabinet inside your home office. When you are ready to dispose of paper documents containing sensitive information, keep them safe until you can bring them to your office to shred them securely. Remember to enable encryption when sending sensitive information by email.
- Don’t share log-in credentials. One of the most important ways we can safeguard our research is by never sharing log-in credentials or passwords. Sharing credentials puts NIH and your organization’s security at risk by potentially exposing sensitive information to unauthorized individuals. If an individual needs access to a specific system, they must go through the proper channels to be authorized and receive their own unique credentials.
- Use your organization’s approved tools to conduct secure virtual meetings. Check with your IT staff to verify which virtual tools are cleared for use by your organization. When using virtual meeting tools, be sure to identify yourself when you sign in and before speaking so that others know who you are. For more information on conducting secure virtual meetings, please see the National Institute of Standards and Technology’s (NIST) helpful guidance on securing virtual meetings.
Be Responsible – Report Any Concerns
If you are involved in a cybersecurity incident of any kind, such as clicking a potentially malicious link in an email, losing your work laptop, or receiving an unencrypted email containing sensitive information, you must immediately report the incident to your organization’s IT security authority.
Be Prepared – Learn More About Cyber Safety
Cybersecurity is constantly evolving in the face of increasingly aggressive and sophisticated threats. To continue protecting ourselves, our organizations, and our research; we should all be continuously learning about these emerging cybersecurity threats. To learn more now, please see the resources below which provide additional guidance from various federal agencies on cybersecurity risks related to COVID-19:
- CDC – COVID-19-Related Phone Scams
and Phishing Attacks
- For NIH internal users, we invite you to access the NIH Cyber Safety Awareness Campaign website, a great place to find easy-to-understand resources on how to stay cyber safe.
The bottom line is that cyber risks are closer to us than we might expect. We may feel that cyber safety protocols are about compliance for the sake of compliance, but the reality is that cyber safety is about protecting our people and our science. Now more than ever, we all have a responsibility to safeguard ourselves, our organizations, and our research by making cyber safety a priority in our daily work.