Our Physical Security Awareness Campaign

The CV19 volunteers’ mission is to protect the people who protect our health. The group was formed by three cyber security professionals, who were quickly joined by thousands of other volunteers, offering pro bono support to healthcare during the COVID-19 pandemic. I felt privileged to be approached to lead the awareness project and the Cygenta team quickly and enthusiastically joined me, especially Madeline Howard. We designed and delivered the first awareness campaign, with a focus on phishing, and were delighted to see it receive such a positive response. We’re proud to contribute our efforts to CV19 and to publish our second awareness campaign now.

Why are the cyber volunteers launching a physical security campaign?

While hospitals have been busy responding to the COVID-19 crisis, they are also being targeted by criminals. At CV19, we have received reports of many physical security attacks that are taking advantage of the crisis including thefts of PPE, hand sanitiser and healthcare workers’ identity badges. This is a widespread issue which has been flagged to us by healthcare providers across the UK and Europe. 

Some reports suggest that these physical security issues are becoming more pressing, with hospitals becoming more open as many countries emerge from lockdown.

Physical security is always an issue in hospitals, partly because so many areas of a hospital are open to the public. But as we continue to deal with the COVID-19 pandemic, protecting these hospitals and healthcare staff is more important than ever.

You can see all of the campaign resources and download them here.

Video for the CV19 physical security awareness campaign

Why did you pick this issue for this awareness campaign?

We picked physical security for the awareness campaign based on our experience and consultations with the healthcare organisations that CV19 has been supporting.

At Cygenta, we work with many healthcare institutions and so we understand their security pain-points. In a recent social engineering assessment of a hospital (before the pandemic), we were able to access unlocked computers and get our hands on identity badges and scrubs. In a social engineering assessment, we are testing the security of an organisation or building by attempting to compromise it in much the same way that criminals would. The difference is that we don’t break the law, we have a contract to do it and we provide a report of recommendations to improve security.

On a social engineering assessment of a hospital, we (Cygenta) were able to get hold of important resources

Through the CV19 group, we have heard of reports that hospitals have been targeted for their PPE, hand sanitiser, medicine and even loo roll during the pandemic. We have also been informed of cases where healthcare workers have had their identity badges stolen, presumably either to access restricted areas of a hospital or to fraudulently exploit goodwill offers made available to healthcare workers in recognition of their incredible efforts in the face of COVID-19. 

What do healthcare providers do about these issues and how can the cyber volunteers help?

It is important to be aware of the issues, first and foremost, and then to act on that awareness. We have highlighted three fundamental behaviours for healthcare workers to focus on when it comes to physical security:

  1. Protect your PPE

     Thieves are targeting this precious resource

  2. Wear your ID badges inside, never out

     Your colleagues need to know who you are but criminals don’t

  3. Log off your computers

     Don’t leave your devices open to anyone else

We have produced this campaign to raise awareness of physical security in healthcare. We would like you to share the campaign, download the resources and use them to spread the word!

You can see all of the resources and download them here.

Poster for the CV19 physical security awareness campaign

About CV19

The cyber volunteers 19 group was founded to provide pro bono advice, guidance and assistance to healthcare providers across Europe during the pandemic. We can help hospitals with threat intelligence, free awareness materials for staff and advice on the current threats and vulnerabilities, and we can help you identify risks and vulnerabilities to your specific organisation. If you would like any help or advice, please visit our website for more information and get in touch.

Our Vulnerability Disclosure Process

Friends, Romans, Awesome Volunteers, lend me your ears!

We constantly get approached by you beautiful people with regard to putting you directly in touch with the contacts we have at the Health Trusts and Providers.

Whilst we do not wish to offend or dampen your volunteering efforts, we must point out that unfortunately this is not something we are able to do.

This is for several reasons, but the primary one is due to GDPR and responsibility for sharing private information.

What we can do, however, is share the activity or information you wish to bring to the trusts via our Threat Briefings or indeed, if it warrants it, with a direct outreach to specific Trusts/Providers.

We do have direct reporting capabilities for high/critical vulnerabilities; this is handled through the intel services relevant to a specific country.

We are always willing to give volunteers who assist a shout-out or indeed attribution moving forward.

Also, we are not stopping you contacting Trusts/Providers directly, but again ask that if you do, you do it in your own capacity and make it clear to the recipients that you are not acting on our behalf or with our blessing.

Please, please, please do not take this in any way other than the team adhering to the agreements we currently have in place.

Thank you for your continued help and support during this time.

Our Phishing Awareness Campaign

Over the last week or so, the team at Cygenta and I have been busy pulling together the first campaign for the CV19 volunteers group, which is focused on phishing awareness. This campaign will go to frontline and back office staff in healthcare organisations in the UK, Germany, France, Spain, Italy, Portugal, Russia, Poland, Greece, Sweden, Slovakia, Finland, Norway and the Netherlands. It will also be made available for use in CV19 sister groups in Australia, Brazil, the USA and Dubai.

You can see all of the resources and download them here.

Cyber criminals are seeking to exploit the COVID-19 pandemic, with many social engineering attacks using the crisis as a theme in one way or another. The UK’s National Cyber Security Centre (NCSC) has detected more UK government branded scams relating to COVID-19 than any other subject, as they outline in this joint advisory (PDF) with the US Department of Homeland Security. According to Google, criminals are sending 18 million COVID-19 phishing emails a day to Gmail users, with some speculating that the pandemic is the biggest phishing topic we have ever seen.

With this in mind, my team and I knew that phishing should be the focus of the first awareness campaign that we would deliver as part of our volunteer work with the CV19 group. The healthcare workers that we know have been recipients of phishing messages both at work and on their personal devices and now, more than ever, we want to help the healthcare sector be as secure as possible. 

Posters for the CV19 phishing awareness campaign

Many phishing attacks take advantage of people’s anxieties, concerns, desire to help and the special offers and support that corporations are extending to healthcare workers. Attackers do this because when a target’s judgement is clouded by emotion, they are more likely to click a link, download an attachment or transfer money without considering the fact that the communication might not be genuine. Therefore, this campaign raises awareness of these scams and the way they target our emotional responses. The aim of this campaign is to encourage people to be vigilant of communications and to take a minute to check it’s right. 

Video for the CV19 phishing awareness campaign

We have intentionally avoided heavy use of fear-based messaging, because such messaging can often be counter-productive. We want to engage and empower people, not add more fear into a climate where there is already enough anxiety. 

For this awareness campaign, we have created three posters, three flyers and a video. These are targeted at frontline and back office healthcare workers in the UK and Europe and are freely available for all to download and use.

You can see all of the resources and download them here.