Friday, 26 April, 2024
OPINION

Mitigating COVID-19 Cyber Security Challenges



Ravi Dhungel


The COVID crisis is an opportunity for bad actors to commit cyber fraud. The bad actors can be nation actors, criminals, or rogue employees. COVID-19 poses unique public health and cyber security challenges in modern times because of ubiquitous computing, the increased penetration of the internet across the globe, and the challenges brought by social distancing and quarantine measures.
This makes it both a global pandemic and a global cyber security threat. COVID-19 continues to be the most widely used and searched term on the internet and social media. Across the globe, fraudsters are using the context of COVID-19 to send fake messages and text messages.
Organisations should address and mitigate the challenges of cyber security.
Telecommuting: As enterprises relax telecommuting and work-from-home programs, organisations should make sure that devices are managed. A virtual private network (VPN) and two-factor authentication (2FA) are technical controls for remote access. Besides that, the cyber hygiene of the devices should be maintained, which includes patching of the operating system, antivirus and anti-malware systems.
Use of personal computers, mobile devices, and managed systems: All the devices should be managed at the enterprise level. The hard drives should be encrypted and mobile device management (MDM) should be implemented to protect the data of the computer.
Phishing: Enterprises should invest in email security. Phishing continues to be the key threat vector. With COVID-19, the amount of phishing email generated is unprecedented, and every organisation should secure its email from phishing. The general advice is to think twice before clicking a link, verify the sender, and make sure that the link appears to be valid.
Refrain from using free software without legal contracts in place: Especially for video conferences, the organisation should be sensitive to the management of the data. Proper contractual and legal agreements should be in place with the vendor before using applications. The organisation risks losing intellectual property if proper controls are not placed on the video and audio data.
Training and awareness: Enterprises should periodically provide training to employees on the best practices of cyber security, data security and the regulations pertaining to telecommuting. More specifically, training and awareness should be provided on phishing emails and the importance of VPN and 2FA.
Fraudsters appear to be redoubling their efforts to steal information or money from unsuspecting users, sending fake emails and text messages as bait, a practice often called phishing. Phishing continues to be one of the biggest threat vectors in cyber security and in the COVID-19 public health crisis.
Video conference calls on platforms like Zoom are being hijacked and used to broadcast pornographic images or threaten people. Video conferences are being used to teach school classes and hold sensitive meetings but are being attacked by unknown people.
The phenomenon is called “Zoom Bombing”. Organisations and individuals should refrain from sharing the video conferencing URL in public, and invites should be sent to the attendees' emails.
In Nepal, the availability of COVID-19 applications by different government agencies shows the importance of technology services in the race against time.
We should praise the government of Nepal for this initiative. However, asking the public to use the applications without security review and vetting is a public health and cyber security fallacy, with the potential to impact the national security of the country.
Using mobile applications directly, without security review from Apple and Google Play, is poor cyber security practice. The integrity of an application cannot be preserved without digital certificates.
What happens if millions of Nepalis download malicious software from a phishing email? It may clog the national telecommunication infrastructure and enable data leakage and exfiltration from mobile phones, resulting in a national security crisis and a public health crisis.
Cyber security is the biggest national security threat and should be addressed immediately to strengthen national security.

(Dhungel is a cyber security practitioner based in the USA. He is the Chief Information Security Officer at www.esrtech.io. ravi@esrtech.io)