The Covid-19 pandemic and the ‘new normal’ of working from home have given cyber criminals new opportunities to prey on unsuspecting employees.

This is according to Patrick Grillo, Senior Director, Solutions Marketing at Fortinet, who was participating in a CNBC Africa Summit on The Future of Work this week.

In a panel discussion on the cyber risks facing the remote workforce, cyber security experts said email and social engineering remained the easiest way to access corporate networks and data, and that home-based workers could be particularly vulnerable.

Grillo said: “Cyber criminals are opportunistic – a few years ago the big piece was ransomware, then it was cryptojacking, now it’s exploiting the pandemic. There are some true hackers out there who are finding the unknowns and taking advantage, but criminals don’t need technical knowledge to carry out cyber-based attacks anymore. Hacking is available as a service now, priced by day of week or time of day. There are SLAs in place for hacking services. It is a business and it’s only going to continue in this cat and mouse game we play. Hackers, working collaboratively, are constantly looking for new ways to push the envelope.”

Algirde Pipikaite, Project Lead, Industry Solutions at the World Economic Forum Centre for Cybersecurity, noted that up to 75% of employers were considering maintaining the remote work model even after the Covid-19 pandemic, as they had noticed that around 40% of employees were much more productive when working from home. But this presents further opportunities for cyber criminals to prey on unsuspecting employees, panellists said.

Pipikaite said: “Email is one of the main points of entry – around 80% of attacks go via email. On top of that, over 90% of attacks are based on social engineering tactics. Cyber criminals will study your social media accounts to understand your interests and vulnerabilities. They don’t need high level technical skills to find a human vulnerability, especially in times of stress. The main challenge now is ensuring the protection of employees working from home and third parties (connected to an organisation) with the same layers of security as they enjoy when working at the office.”

Grillo said that to protect themselves, organisations had to start by raising awareness among their staff. “People remain the weakest link in the chain. The majority of employees have access to the network, but the number of them who are aware of the consequences of the technology they use is normally quite small.”

He cautioned that no one technology could block all attacks: “Organisations must understand that there have to be multiple layers to security – you want to prevent or block attacks, so your systems should be aware of what’s happened in the past and prevent a repeat of these; then you also need detection technology for any malware that has been able to get in; and thirdly, you need response and automation – to respond as quickly as possible to minimise the damage. There is no single silver bullet to prevent cyber crime.”

Eric McGee, associate director: Risk Advisory Southern Africa at Deloitte, said that while most organisations were aware of the risks, they were challenged in mitigating them due to a siloed approach to cyber crime. “You need to break down silos and look at how you detect risk across the business; and you need to have an integrated view and approach to protecting organisations. It is also important to utilise threat intelligence to prepare the organisation, as well as to have a solid incident response plan. How you deal with an incident is very important – have you simulated a breach, and do you understand the impact it will have across the organisation – from PR through to regulatory?”