Published: 02 April 2020
Analyst(s): Information Risk Research Team
Cybercriminals are ramping up phishing attacks masquerading as government and health agencies in light of the COVID-19 coronavirus pandemic. Security and risk management leaders need to build a culture of security awareness among employees to protect enterprise networks from these threats.
As the COVID-19 coronavirus pandemic gains momentum, hackers and scammers are using the outbreak to prey on unsuspecting and vulnerable users with fake coronavirus-themed emails. These phishing emails are designed to trick employees into opening attachments that supposedly contain health precautions for combating the spread of the virus. Instead, the attachments install malware on end-user systems, potentially compromising entire networks. Security and risk management leaders should ensure that employees at all levels are aware of this threat vector and treat unsolicited messages containing information on the coronavirus with suspicion. This is particularly true at a time when employees are working from home, with limited resources readily available to them.
Phishing emails commonly pose as messages from the U.S. Centers for Disease Control and Prevention (CDC), the World Health Organization (WHO) or other national health agencies to convey a sense of authority. In response, the WHO and CDC have issued warnings regarding a surge in phishing attempts masquerading under their names.
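The impersonation described above usually shows up in the From header: the display name claims to be the CDC or the WHO while the sending domain is not cdc.gov or who.int. The following is an added example (not part of the original research note) of a mail-gateway check for that pattern. The keyword-to-domain mapping and the sample headers are this example's own constructions; the two legitimate domains are real.

```python
"""Flag senders whose display name claims a health agency but whose address
is not on that agency's real domain (display-name impersonation check).
Added example; sample headers below are constructed, not real phishing."""
import re
from email.utils import parseaddr

# Real domains for the agencies the text names; the keyword patterns that
# count as "claiming" each agency are this example's own choice.
AGENCIES = {
    "CDC": {
        "domains": {"cdc.gov"},
        "patterns": [r"\bCDC\b", r"(?i)centers for disease control"],
    },
    "WHO": {
        "domains": {"who.int"},
        "patterns": [r"\bWHO\b", r"(?i)world health organi[sz]ation"],
    },
}


def claimed_agencies(display_name: str) -> set:
    """Return the agencies a display name claims to speak for."""
    return {
        agency
        for agency, spec in AGENCIES.items()
        if any(re.search(p, display_name) for p in spec["patterns"])
    }


def domain_matches(domain: str, legit: str) -> bool:
    """Exact domain or a subdomain of it. 'cdc.gov.example.com' must NOT match."""
    return domain == legit or domain.endswith("." + legit)


def check_from_header(from_header: str) -> dict:
    """Parse a From header and decide whether it impersonates an agency."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    claimed = claimed_agencies(name)
    legit_for_claim = any(
        domain_matches(domain, d) for a in claimed for d in AGENCIES[a]["domains"]
    )
    return {
        "name": name,
        "domain": domain,
        "claimed": sorted(claimed),
        "impersonation": bool(claimed) and not legit_for_claim,
    }


def flagged_senders(headers) -> list:
    """Return the From headers in `headers` that the check flags."""
    return [h for h in headers if check_from_header(h)["impersonation"]]


# Constructed sample From headers: one legitimate per agency, three lookalikes,
# one unrelated person whose name merely contains the word "who".
SAMPLE_FROM_HEADERS = [
    "World Health Organization <info@who.int>",
    "Health Alert Network <han@emergency.cdc.gov>",
    '"CDC Health Alert" <noreply@cdc-gov.org>',
    "WHO Outbreak Team <outbreak@who.int.mail-alerts.com>",
    "Centers for Disease Control <cdc.update@example.net>",
    "Alice Who <alice@example.com>",
]

if __name__ == "__main__":
    for h in flagged_senders(SAMPLE_FROM_HEADERS):
        print("IMPERSONATION:", h)
```

The check is deliberately narrow: it only fires when the display name makes an agency claim, so it does not block ordinary mail, and a subdomain of the real domain passes while a domain that merely starts with `who.int` does not. It complements, rather than replaces, SPF/DKIM/DMARC evaluation, which the gateway should still perform on the envelope and signing domains.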
In the U.S., the Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Security Agency (CISA) has issued tips for defending against coronavirus cyber scams. In Europe, the European Central Bank has released a letter warning financial institutions about increases in phishing and related cybercrime. However, such warnings often go unnoticed until it is too late, as the cyberattack on the U.S. Department of Health and Human Services showed. Security and risk management leaders must invest in employee awareness and share these official updates with the workforce to drive secure behavior.
As cybercriminals, including advanced persistent threat (APT) groups and nation-state actors, exploit the latest global events to compromise organizational networks, security and risk management leaders should enlist end users in the fight against this menace. The following tactics can ensure that employees support the information security function in maintaining enterprise security.
Empower Employees to Act as Controls
Instead of viewing employee actions as risks that must be mitigated, information security can benefit from empowering employees to act as controls. It is not enough for employees to stop doing things insecurely; they must also proactively help information security detect unusual activity.
Information security should engage employees in tracking their own behaviors; they have the context to understand more quickly whether something is truly suspicious. This ability should be leveraged to promote secure behavior among employees. Information security should provide clear and simple activity records for review so that employees can easily take responsibility for actions on their own accounts. Employees become more invested in the security of their actions when they are given the tools to do so. To successfully recruit employees for such a venture, information security must build trust with them and respond proactively to their feedback.
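One concrete form of the "clear and simple activity records" recommended above is a weekly sign-in digest per employee that summarizes their own account activity and singles out anything that departs from their own history, so the person with the context can confirm it or report it. The following is an added example (not the research note's own code): it builds such digests from sign-in events. The event records, the field layout and the baseline/window split are constructed for this example; a real deployment would read them from the identity provider's sign-in log.

```python
"""Per-user sign-in digests: summarize each employee's recent account activity
and mark sign-ins from a country or device that user has never used before.
Added example; the event records below are constructed."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sign-in records: (user, UTC timestamp, source IP, country, device, outcome)
EVENTS = [
    ("alice", "2020-03-16T08:02:00Z", "198.51.100.4", "US", "Windows/Chrome", "success"),
    ("alice", "2020-03-20T08:10:00Z", "198.51.100.4", "US", "Windows/Chrome", "success"),
    ("alice", "2020-03-27T17:45:00Z", "198.51.100.9", "US", "Windows/Chrome", "success"),
    ("bob",   "2020-03-18T09:00:00Z", "203.0.113.20", "DE", "macOS/Safari",   "success"),
    ("bob",   "2020-03-25T09:05:00Z", "203.0.113.20", "DE", "macOS/Safari",   "success"),
    # review window (the week being reported to employees)
    ("alice", "2020-03-31T08:00:00Z", "198.51.100.4", "US", "Windows/Chrome", "success"),
    ("alice", "2020-04-01T22:40:00Z", "192.0.2.77",   "NG", "Linux/Firefox",  "success"),
    ("alice", "2020-04-02T03:11:00Z", "192.0.2.77",   "NG", "Linux/Firefox",  "failure"),
    ("alice", "2020-04-02T03:12:00Z", "192.0.2.77",   "NG", "Linux/Firefox",  "failure"),
    ("bob",   "2020-04-01T09:02:00Z", "203.0.113.20", "DE", "macOS/Safari",   "success"),
    ("bob",   "2020-04-03T19:30:00Z", "203.0.113.21", "DE", "iOS/Safari",     "success"),
]


def parse_ts(ts: str) -> datetime:
    # strptime rather than fromisoformat: the trailing 'Z' needs Python 3.11+ there.
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_digests(events, baseline_end: str, window_end: str) -> dict:
    """Baseline = a user's own successful sign-ins before `baseline_end`;
    window = events in [baseline_end, window_end). Window events from a
    country or device absent from the user's baseline are listed for review.
    A user with no baseline (new hire) sees every sign-in listed, which is
    the right default for someone whose history is unknown."""
    b_end, w_end = parse_ts(baseline_end), parse_ts(window_end)
    baseline = defaultdict(lambda: {"countries": set(), "devices": set()})
    window = defaultdict(list)
    for user, ts, ip, country, device, outcome in events:
        t = parse_ts(ts)
        if t < b_end:
            if outcome == "success":  # failures do not establish a baseline
                baseline[user]["countries"].add(country)
                baseline[user]["devices"].add(device)
        elif t < w_end:
            window[user].append((ts, ip, country, device, outcome))

    digests = {}
    for user, evs in window.items():
        seen = baseline[user]
        review = []
        for ts, ip, country, device, outcome in evs:
            reasons = []
            if country not in seen["countries"]:
                reasons.append("new country")
            if device not in seen["devices"]:
                reasons.append("new device")
            if reasons:
                kind = "sign-in" if outcome == "success" else "failed sign-in"
                review.append(f"{ts} {kind} from {country} ({ip}) on {device}: {', '.join(reasons)}")
        digests[user] = {
            "sign_ins": sum(1 for e in evs if e[4] == "success"),
            "failed": sum(1 for e in evs if e[4] == "failure"),
            "review": review,
        }
    return digests


def render_digest(user: str, digest: dict) -> str:
    """Plain-text body for the digest sent to the employee."""
    lines = [
        f"Account activity for {user}: {digest['sign_ins']} sign-ins, "
        f"{digest['failed']} failed attempts.",
    ]
    if digest["review"]:
        lines.append("Please confirm these, or report them if you do not recognize them:")
        lines.extend("  - " + item for item in digest["review"])
    else:
        lines.append("Nothing unusual compared with your previous activity.")
    return "\n".join(lines)


if __name__ == "__main__":
    for user, d in build_digests(EVENTS, "2020-03-30T00:00:00Z", "2020-04-06T00:00:00Z").items():
        print(render_digest(user, d), end="\n\n")
```

The digest compares each user only against their own history, which is what gives the employee, rather than the analyst, the decisive context: a night-time sign-in from another country is routine for a traveller and alarming for someone who has not left the office. Keeping the report to a handful of plain lines, with a single "report it" action, is what makes it usable by staff at every level.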
Build and Measure a Security Mindset Among Employees
Security and risk management leaders must create a culture of security by increasing understanding of the importance of secure behaviors and by measuring whether those behaviors take hold. To achieve this, the information security function should define key secure behaviors that collectively encourage secure action and a sense of ownership in the face of known and unknown risks. It should also find the right metrics to assess employees' security mindset. Metrics that measure a shift in employee behavior are a good indicator of whether information security's efforts to improve the security culture are succeeding.
Related research: Awareness programs mock-phish employees to educate them to recognize, report and resist phishing and spearphishing attacks.
Related research: The information security lead can use this customizable presentation template to create cybersecurity awareness training on social engineering.
Related research: Security and risk management leaders can use positive and negative motivation, rewards and consequences, to urge staff to complete training and adhere to policies.
©2021 Gartner, Inc. and/or its affiliates.
All rights reserved.
Gartner is a registered trademark of Gartner, Inc. and its affiliates.
This publication may not be reproduced or distributed in any form without Gartner’s prior written permission.
It consists of the opinions of Gartner’s research organization, which should not be construed as statements of fact.
While the information contained in this publication has been obtained from sources believed to be reliable, Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information.
Although Gartner research may address legal and financial issues, Gartner does not provide legal or investment advice and its research should not be construed or used as such.
Your access and use of this publication are governed by Gartner’s Usage Policy.
Gartner prides itself on its reputation for independence and objectivity.
Its research is produced independently by its research organization without input or influence from any third party.
For further information, see Guiding Principles on Independence and Objectivity.