Richard Hudson is a Senior Manager with Treliant. He has over 25 years of experience in information security, compliance, risk management, business continuity and information technology. He has worked on staff and as a consultant for companies in the financial services, insurance, healthcare, information technology, and asset management sectors. Prior…
- Source: us-cert.gov
The Cybersecurity and Infrastructure Security Agency (CISA) continues to emphasize that individuals need to remain vigilant for scams related to Coronavirus Disease 2019 (COVID-19).
Treliant helps firms to prepare for phishing and social engineering scams, which are also regulatory guidance and expectations. There has been a significant increase in ransomware attacks, which are commonly delivered via phishing emails – where the malware will encrypt the victim’s data and the attacker demands a ransom to restore the access to the data upon payment.
Our professionals include, but are not limited to, former Chief Information Security Officers (CISO) and Internal Auditors. We understand how to make these programs work and to prepare for regulatory exams which may include these areas of focus.
Emails with malicious attachments or links to fraudulent websites to trick victims into revealing their personal or sensitive information are already in circulation. Everyone should exercise caution in handling any email with a COVID-19-related or similar related subject line, attachment, or hyperlink, and be wary of social engineering ploys such as media pleas, texts, or calls related to COVID-19.
CISA encourages individuals to remain vigilant and take the following precautions:
- Avoid clicking on links in unsolicited emails and be wary of email attachments.
- Use trusted sources—such as legitimate, government websites—for up-to-date, fact-based information about COVID-19.
- Do not reveal personal or financial information in email and do not respond to email solicitations for this information.
- Verify a charity’s authenticity before making donations.
CISOs and their teams need to be ready to implement their incident response plans in the event their firms become victims of a phishing/ransomware attack. If this occurs, there are regulatory requirements to report within certain timeframes. Firms will need to demonstrate compliance and be ready for a thorough look at the underlying processes by the regulators.