As the pandemic slowly made its way all around the world, most businesses and organizations had to send their workers home. Due to this, a lot of infrastructures and systems have been at risk of major cyberattacks and phishing. Armed with new technologies and techniques, the lockdown gave cybercriminals the perfect opportunity to target these vulnerable structures and networks.
As the sanitary crisis persists, it is very likely that cyber-attacks will increase throughout 2021. Thus, it is essential now more than ever for businesses and security experts to be prepared.
In order to shed light on the new challenges this lockdown entailed and how to tackle them, I have talked to experts in the industry.
An increase in cyber-attacks…
It is true that since the lockdown began, around March 2020, there is a notable rise in cybercrimes and cyber incidents. With most people working from home, many systems are left unprotected, making them the ideal target.
Indeed, Melanie Molina Sandoval, Senior Security Engineer at GoCardless, points out these attacks are rising due to the pandemic, most employees were either sent home or made redundant, giving hackers the opportunities to carry out their attacks. Moreover, the crisis put a lot of people in difficult financial positions, hence making it more likely for them to exploit the company’s vulnerabilities to make ends meets. Or even, as she adds, some people who have lost their jobs might seek grievance through corporate espionage or selling Intelligence.
Furthermore, Melanie highlights that many organizations, especially those not tech-driven, had to quickly adapt in order to survive and thus, made a lot of mistakes along the way, making their systems vulnerable. ‘Many companies have had issues adapting to a more latency is driven traffic, pushing them to open service desk/helpdesk or other endpoints in a short period of time due to pressure, increasing the attack surface.’
Sonya Moisset, Lead Security Engineer at PhotoBox, underlines the fact that these threat actors are exploiting the fear and uncertainty caused by the pandemic. Reinforcing Melanie’s point, she says that during the process of quickly deploying their networks and systems for a work-from-home basis, ‘companies sometimes had to bypass existing security good practices or take shortcuts in their process that needs to be reviewed now.’ Hence, this has allowed cybercriminals to take advantage of these vulnerabilities.
For instance, she says, ‘they have crafted COVID-themes attacks based on legitimate content to encourage users to download malicious attachments or click on links or used video conferencing software to take advantage of users who are unfamiliar with remote working.’
Saravanasundar Mohan, Senior program manager, notes that ‘in recent weeks there has been a rise in the number of public high-profile cybersecurity incidents, the majority being ransomware attacks involving ex-filtrated data being leaked.’ This, as he says, is adding a new challenge on top of the COVID-19 crisis, as well as shifting our focus to the connectivity and potential conflict between investigative findings (i.e., the potential absence of evidence of data exfiltration) and the possibility of regulatory action (i.e., following ex-filtrated data being leaked).
The pandemic then represents the biggest cybersecurity threat and an opportunity for cyber actors to target defenseless companies.
As technology and systems keep on evolving, it is inevitable that cyber-attackers will enhance their techniques too.
Sonya points out that one of the most common cyberattacks since COVID-19 has been ‘phishing emails that impersonate governments or health authorities to collect personal data or downloading malicious content’. For instance, it could be emails coming from national or global health authorities such as NHS or COVID-19 tracking apps.
Another major threat is Ransomware. Sonya highlights that these types of attacks usually target critical infrastructures or healthcare institutions. Indeed, as most threat groups are interested in harvesting data and financial benefits, the use of spyware, malware, and Remote Access Trojans are very popular. With it, they can infiltrate systems and compromise networks, and steal data. She adds that ‘another common attack would cover malicious domains where we have seen an increase in domain name registration containing keywords such as ‘COVID’ or ‘coronavirus’.’ This kind of threat would support malware deployment or phishing attacks.
These threats are even more dangerous as, during this period of uncertainty, many companies are experiencing staff reductions, hence leading to financial and security challenges.
Saravanasundar also emphasizes that ‘malware is the most dangerous form of software to be installed on any computer system, and the worst part about it is that it’s done without your consent’.
Finally, Melanie states further that any attacks focusing on breaching data privacy are very dangerous. Indeed, depending on the company’s structure, a phishing attack could be extremely damaging such as a complex payload or a very sophisticated code injection. With most companies being online and offering subscription or online services, there are a lot more PII and credentials at risk of being exposed. Hence, impersonating a website could affect badly a company’s reputation as well as lead to the leaking of credentials and sensitive data.
Cybercriminals are mostly focused on damaging a company’s reputation, leaking information, and taking advantage of improperly configured endpoints, websites, or newly offered services, making them extremely dangerous.
Healthcare at risk?
It is quite noticeable that healthcare has been one of the most targeted industries during lockdown. Indeed, as Sonya highlights the World Health Organization’s (WHO) credentials were leaked online, putting their systems at risk but also impacted an old extranet system, used by current and retired staff. Due to this, WHO had to migrate the system to a more secure authentication system. Moreover, there have been scammers impersonating WHO in emails targeting the general public. It was revealed that WHO has suffered more than five times the number of attacks in the same period last year.
‘In the UK, according to the NCSC (National Cyber Security Centre), more than one in four cyberattacks were related to COVID-19, NHS has become a target for threat groups and the UK vaccine research has evolved as a new espionage risk’. She also adds that, In San Francisco, a university laboratory suffered a ransomware attack where the hackers froze their systems because they were supporting the search for a COVID-19 cure.
When trying to determine which kind of industry is the most vulnerable to these attacks, Melanie pointed out that any company that doesn’t have a mature tech posture and tried to adapt during the pandemic are the ones more at risk.
This transition has to be made quickly so as they don’t lose profits, but they might then make mistakes along the way. Besides, making the change is not an easy thing. It requires training and implementing a culture that usually takes years to build. Employees might have a hard time adapting thus making errors and leading to unintentional internal threats and slow down the transition. By making this transition quickly, organizations can also make mistakes such as leaving open endpoints, having bad access management, flawed architecture designs, etc. This then can lead to bad customer experiences and damage the company’s reputation.
Then, what can be done to prevent cyberattacks?
For this, Saravanasundar offers the following strategy:
- Limit access to your most valuable data.
- Third-party vendors must comply.
- Conduct employee security awareness training.
- Update software regularly.
- Develop a cyber breach response plan.
- Difficult to decipher passwords
If companies follow it, the risk of threats should be reduced. This could help protect businesses in the long run.
Moreover, Melanie proposes for companies to have proper off-boarding. Thus, every organization that had to make employees redundant needs to make sure that programmatic keys, passwords, or any mechanism that bounded the employee to the company’s data in any way have been rotated so they can no longer access it. She also emphasizes that companies should have appropriate security training for employees. Businesses need to start introducing standard security practices, such as learning how to use security vaults, protect their passwords, have measures like 2FA enabled, among others. ‘Investing in training’, she says, ‘will definitely benefit in the long run.’
Melanie also highlights that there is a need to enforce proper access management, meaning only giving access to people who need to, as well as revise and harden security policies to adapt to a fully remote culture. Investing in tools such as security vaults and secret management services will help remove the pressure and stress of data leaks and shared credentials. She points out that, with everything being online now, it is crucial to have secured channels.
Furthermore, she underlines the need to invest in automation, especially in the online culture, as well as implementing proper logging so that the company can protect its resources better.
In order to avoid cyberattacks, organizations should start by identifying the threats their business is facing, as Sonya stresses. Indeed, it is much easier to configure networks or systems, review permission controls, and remote access setups than fixing human errors. This is why companies should absolutely monitor for any suspicious activities and have ‘playbooks and incident response strategies that can help them respond quickly and efficiently’.
She adds that user awareness should be required so that employees can ‘have some guidelines on what a suspicious activity could look like and what are new attacks crafted during this pandemic’. For instance, she says, ‘phishing campaigns using COVID-19 lures could target specific departments in an organization to obtain data, or finance teams can experience an increase of business email compromise attacks’.
What security measures to implement?
Every company has its own unique system, and structure as Melanie points out, thus it is essential to invest in training and a permanent workforce. Now that most companies need an online presence to survive, network and application security should be a top priority. She says that ‘investing in permanent security engineers first will ensure that they’ll assess the company’s needs and advice for the necessary services and tools’. Having security engineers in the company will help in the long run rather than having temporary consultants. A permanent solution is now vital more than ever.
For instance, she highlights ‘imagine a case scenario where you are building the security foundation from the ground up. When you analyze and design the roadmap for the next quarter and choose to get a vulnerability scanner/endpoint security solution, and you decide you need two engineers to set up the automation of the installation of an agent to scan for security vulnerabilities in your instances, and another engineer to set up the logging of this activity to you cloud solution. You could get contractors for a short-term solution; they will write the code and implementation for the onboarding of agents and will set up the logging. Then it will be up to your DevOps / software engineers to pick up the tickets.’ Hence, this is a fast but short-term solution.
Hiring contractors could then benefit in many ways, especially for short-term solutions and to offer support to engineers. However, with COVID and companies having to build a technology foundation from the ground up, it is vital to consider a team of permanent security engineers alongside contractors, which will be less expensive and more of a long-term solution.
Therefore, businesses should invest in a long-term security strategy, which means having permanent security engineers within the team.
Sonya also emphasizes the need to implement secure remote working practices within the business. Indeed, the company needs to ensure that every new system and tool have the same rigorous security controls and good practices. All systems should also be properly patched and up to date. ‘It is important to build a resilient security plan and identify and monitor most critical systems and networks’, she stresses.
Finally, Saravanasundar suggests that companies follow these seven steps:
- Step 1: Build an Information Security Team.
- Step 2: Inventory and Manage Assets.
- Step 3: Assess Risk.
- Step 4: Manage Risk.
- Step 5: Develop an Incident Management and Disaster Recovery Plan.
- Step 6: Inventory and Manage Third Parties.
- Step 7: Apply Security Controls.
Will this continue in 2021?
Sonya does believe that all these vulnerabilities related to working from home will continue to be exploited to harvest personal information and data as long as companies don’t take the necessary steps to protect themselves.
The healthcare sector will keep on being targeted as COVID-themed online scams and phishing campaigns continue to increase. There is now a spike in attacks and phishing emails related to COVID-19 vaccines she underlines, and this threat will only get bigger. Business email compromise schemes are also at risk due to the economic downturn caused by the pandemic.
Saravanasundar also underlines this point as with the new vaccine and antibody trials, new threats will arise in 2021.
Sonya then concludes by saying that ‘All these threats will definitely change companies’ cybersecurity risk landscape, making it mandatory to plan for the post-pandemic situation where threat groups will adapt their attacks.’
Melanie thinks similarly. Indeed, some companies are still hesitant to move fully to the cloud or have an online presence before, and with lockdown, they are forced to do so. Therefore, companies are still transitioning, and this can take months to accomplish. In that time, they are the most vulnerable, and cyber attackers can take advantage.
For instance, ‘Ralph Lauren now offers an app to interact with a stylist and choose your outfits, whereas in the past you would make an appointment with the stylist, at the store; and with this comes software engineers and resources to build and secure the app. In other words, more opportunities for cyberattacks for Ralph’.
If things do go back to “normal” in 2021, companies might forget about security and thus, leading to new threats, such as leaving service desks or having support websites forgotten, leading then to domain takeovers, web defacing, impersonation, etc.
Cybersecurity should then become an essential aspect of every company and business so as to protect against and prevent attacks of any kind.
Special thanks to Melanie Molina Sandoval, Sonya Moisset, and Saravanasundar Mohan for their insight on this topic!