Skip to main content Skip to main navigation
Skip to access and inclusion page Skip to search input

Being cyber safe in WFH world

12:04pm August 14 2020

COVID-themed email scams increased as the pandemic intensified. (Getty)

For many companies, few changes from COVID-19 happened so fast and may be as enduring as the rise of distributed workforces.   

Overnight, millions of employees around the world lucky enough to have kept their job – and be able to do it out of an office – suddenly did so from home. If they continue to, which seems likely, this will have accelerated a shift that would have otherwise taken years. 

But despite all the benefits, the rise of the #WFH era has prompted questions around cyber security risks, resilience and investment. Of course, more people connected online more often mean scammers, hackers and other malicious cyber “bad guys” have a larger footprint to go after. 

And they did just that.

COVID-themed email scams increased as the pandemic intensified earlier this year, often trying to exploit people’s uncertainty about the virus to get them to click on a link or attachment. When these types of scams succeed, ransomware (a particularly unpleasant flavour of malware) might then encrypt the files on a victim’s personal or work device, before demanding a ransom payment for their return – often denominated in Bitcoin, because it moves outside traditional payment systems. 

While the volume of these scams has since dropped off and the threat of cybercriminals capitalising on COVID-19 remains moderate, cyber threats overall are often not minor. Ahead of Scams Awareness Week, it’s worth remembering that these scams can be harmful for both consumers and businesses in various ways, as several recent high-profile attacks on major corporations highlight. 

In May, local logistics giant Toll was subject to ransom demands after an attack involving ransomware known as “Nefilim”, that also allegedly stole data. Then just last month, Twitter fell victim to a suspected “social engineering” attack on employees – where an attacker fraudulently obtains the trust of an insider and then exploits that trust to gain unauthorised access – that resulted in hackers briefly hijacking the accounts of some well-known individuals, to attempt to scam users of the social network into sending them money. 

As this again shows, key vulnerabilities for companies are often not just technology but also human, tricking employees to surrender access to attackers. While we reduce these risks through technology controls like email filtering, ongoing education is important. One of our sayings here at Westpac is: “think before you click.” 

To be clear, I’m not suggesting that the shift to distributed workforces is to blame for recent attacks or that scammers suddenly have a notable leg-up in the battle. In fact, WFH’s success overall has been quite remarkable – and a clear endorsement of the cyber security systems and controls many organisations had in place or were able to quickly bolster. 

But as we enter Scams Awareness Week, these developments do reinforce why cyber security is one of the major, omnipresent and ongoing threats of our time – now more so than ever. 

Indeed, just last week we got the details of the federal government’s $1.67 billion Cyber Security Strategy 2020 – its biggest ever investment – as nations around the world increasingly deal with the rising threats from cybercriminals and others. There’s a lot of positives in the Strategy, including increasing minimum baseline cyber security standards for all corporations, more government support for small businesses and individuals, and more educational awareness campaigns and initiatives. In addition, we are fully supportive of larger organisations like ours working with government to provide guidance and help for the community. 

At Westpac, one security control we’ve viewed as critical for some time has been multi-factor authentication (MFA). While MFA can be used in various ways, in terms of remote working it involves employees logging in with two or more of something they know, something they have or something they are (i.e. biometrics). What that really means is that you need more than just a password to log in – you also need a phone, or a token, or a fingerprint.

It’s not foolproof, of course. But it’s really powerful in reducing your risk from compromised or reused passwords, which are otherwise a material challenge for many organisations. 

Fortunately, prior to the onset of COVID-19 we’d already been investing significantly in upgrading our remote access technology and simplifying the network, to make it easier for employees to connect remotely. That included a move two years ago to an enterprise-wide cloud-based solution for controlling and monitoring access to the web. 

As such, when we suddenly went from around 5000 employees using VPNs to connect and work remotely to more than 20,000, our security controls and counter measures were already in place. They mean that we can protect devices and block threats like malware, no matter where an employee is working from. These capabilities were critical to ensuring we had the scalable, capable technology and security in place, to support the dramatic increase in remote working. 

Since then, the bank has also taken additional steps to protect customers, this month announcing the roll out of new scam-detection technology across our branches that will send branch employees real-time alerts as payments are being processed, so that suspicious transactions can be identified and investigated on-the-spot.

Sadly, scammers and cyber criminals aren’t going away, and continue to become more sophisticated.

Staying alert and having robust controls in place has never been more important to staying a few steps ahead of them. 

Westpac's Group Chief Information Security Officer, Richard Johnson joined the bank in 2000. In this role, and his previous position as Head of Technical Security Services for the Group, he has led the information security strategy, delivery and governance. Prior to joining the Westpac Group, Richard held roles as Head of Technology Audit at Woolworths Limited, Technology Audit Manager at BT Financial Group, and in Computer Risk Management at Arthur Andersen. In addition to his academic credentials, Richard has a number of professional security qualifications including CISA, CISM, CISSP, CRISC, SCF, and ACP.

Browse topics