With millions of employees now working remotely, security and IT teams subject to new and heightened demands, supply-to-demand volatility, and escalating psychological stress, cybercriminals have begun to actively exploit this crisis.
In recent days and weeks, we have witnessed a significant uptick in email scams and malicious website domains using the pandemic as the lure, as well as attacks with targets as high-profile as the computer system at the US Health and Human Services Department.
Fortunately, there are strategies and practical steps businesses, management, and workers can take to help reduce the impact of heightened cyber-risk to their organization.
The Most Valuable Targets
Several factors are contributing to the current crisis. Businesses and employees are stressed by the human and financial implications of the pandemic. Entire companies, school districts, and government agencies have shifted in just days to remote working, often overwhelming existing infrastructure and associated support systems. Even the most prepared companies who have advanced security, communications, and control capabilities will never have encountered this array of crisis-level challenges before. Cybercriminals are exploiting companies that already are under tremendous stress, proliferating malware inside coronavirus news and desperately-needed information packs, and extorting organizations to pay ransomware to ensure business continuity through the pandemic crisis.
Some of the most vulnerable targets include critical infrastructure providers, such as those in healthcare, energy, and financial services. Businesses that provide critical, highly sought-after services who are experiencing far greater demand than normal such as utility companies, government agencies, and online streaming platforms are feeling significant strain. And, given the interconnected nature of supply chains and increasingly seamless digital commercial ecosystems, one or more types of business, even the very small, could be the weakest links in the chain. Those smaller and medium-sized enterprises, who often lack sophisticated capabilities, are particularly vulnerable as they pause business-as-usual activities due to government dictation or quickly find means to migrate employees to remote working.
While business continuity, and even survival, has become the key priority, companies and employees are now exposing themselves to significantly increased cyber-risk. Under high-stress scenarios we are more likely to observe exceptions to security standards, such as the use of personal devices and public Wi-Fi networks, each with a significantly lower level of security protection relative to typical corporate infrastructure.
Even conscientious workers may unintentionally add risk by moving data, for pragmatic purposes, onto unsecured computers and personal devices. Potential exposure of sensitive information heightens legal and reputational risks with the exploitation of certain information going undetected where computers are not appropriately secured and monitored.
Where cyber incidents do occur, companies face difficulties communicating and executing quick and coordinated responses. Remote working will potentially challenge security teams in their ability to comprehensively identify threats and to isolate, protect, and, where needed, restore services and good data following an attack. Additionally, with an expectation that up to 60 percent of the adult population could become infected with the coronavirus, the health and wellbeing of the security workforce must be considered, and backup plans established and tested. Even redundancies may be challenged, especially if there is limited geographic diversification of facilities or if multiple locations are simultaneously impacted.
As the crisis lingers – and based on our own analysis, scenarios of over six months of major disruption are plausible – many corporations will look to reduce their workforce and, with that, the likelihood of disgruntled employees increases. Combine this with challenged security controls when working remotely, and insider risk will increase. The time for heightened diligence in this regard is now.
An organization is only as strong as its weakest link, and third parties have typically been a key area of vulnerability. Third-party suppliers and vendors will face the same challenges raised above. In some instances, these will be even amplified by disrupted cash flows, lower level of preparedness to address the heightened risks, and/or high pressure in meeting evolving customer needs amid supply chain challenges. It will be important for an organization to communicate and have visibility into its third-party vendors’ security status to understand their increased security risk.
There are a potentially bewildering number of things an organization should and must do. We consider that there are at least five areas which should take priority.
Review business continuity plans and develop playbooks to account for the new challenges. These efforts should include, but not be limited to, preparing for the temporary or permanent loss of key staff and leadership, the evacuation of a Security Operations Center, or a serious attack where only a portion of staff are able to work.
Increase awareness among the workforce regarding the risks of handling confidential or sensitive information when working remotely, being proactive in communicating and coaching teams on organizational policies and the best “dos and don’ts.”
No organization or business is an island. Engage with peers and relevant industry groups to ensure insight on threat intelligence and best practices.
React quickly to this “new normal” by re-assessing risks and ensuring that detection, response, and mitigation efforts are aligned accordingly. Review the security status of the most critical third-party suppliers and vendors and be prepared to strengthen oversight. Tighten security controls across the highest risk areas and apply tactical controls to mitigate increased insider threats by rogue or naïve employees.
Rapidly test the readiness of management, security, and the organization more broadly for this “new normal” way of operating and being sufficiently well prepared, running drills for the main cyber-risks that recognize new constraints, practices, and procedures (e.g. working remotely) and with potentially fewer resources and less expertise available.
The weight given to these actions will vary depending on the criticality of the organization to the citizens and security of a nation, the operating model, distribution, technology, and culture of this organization plus several other idiosyncratic factors, weaknesses, and exposures.
Overall, a stark reality remains: Organizations must combat the present coronavirus crisis on multiple fronts. And, in doing so, management needs to also take all necessary steps to ensure business continuity through the pandemic, with the organization being fully prepared to deal with the heightened cyber-risk associated with this unprecedented global event.