Even before COVID-19, cyber-security was a major global issue.
The reaction to the cyber threat was mixed. Some companies saw the urgency of the situation and bit the bullet spending significant capital on cyber resilience, other companies questioned the urgency of the situation adopting a wait-and-see approach as to whether the threat will impact them, some companies ignored the treat altogether hoping that it will eventually disappear.
The companies that were not fully invested in the severity of the threat eventually came around and addressed their cyber security weak points. Then COVID-19 came around and introduced a whole new threat landscape which is causing major issues in the industry.
A new enemy
I recently read an article on forbes.com which pointed out that there is a new enemy that companies need to go to battle against.
The article points out that as cyber criminals and hackers ramp up their attacks on businesses amid coronavirus-related disruption, companies are also facing another equally grave security threat: their own employees.
Firms are increasingly turning to Big Brother-style surveillance tools to stop staff from leaking or stealing sensitive data, as millions work away from the watchful eyes of their bosses and waves of job cuts leave some workers disgruntled.
A brisk market has sprung up for cyber security groups that wield machine learning and analytics to crunch data on employees’ activity and proactively flag worrying behaviours.
“We’re seeing people say, ‘I need better visibility into what my employees are doing with all of our data at home’,” Joe Payne, Chief Executive of cloud security group Code42, told Forbes. Code42 examines factors including when an employee typically works, what files they access and how much data they download.
“Employers can ask, if we have 10,000 employees, can you tell us who the most high-risk people are?” Payne told Forbes, adding that his company was handling a rise in cases of data theft among clients.
Insider threats
The Forbes article points out that, according to Mordor Intelligence, the $1.2bn data loss prevention market is set to balloon to $3.8bn by 2025 as many businesses migrate their data to the cloud.
So-called insider threats encompass employees unintentionally sharing private data outside of workplace networks, but also the deliberate stealing of data, typically motivated by financial opportunity or a grudge against an employer. Rarer, but a growing issue, is intellectual property theft and espionage on behalf of foreign governments.
The article adds that already more than a third of all data breaches involve internal actors, according to a 2019 Verizon analysis of more than 40,000 incidents. At an exclusive meeting of top corporate cyber security heads at RSA, one of the largest cyber security conferences earlier this year, delegates labelled insider threats as their number one concern, according to one person in attendance — above nation state activity and threats from cyber criminals.
Traditionally, groups such as McAfee have offered tools that detect and block the exfiltration of sensitive data automatically. But there are also newer groups that seek to proactively alert employers to anomalous activity through behavioural analysis of data — which can involve screenshots and keystroke logging — and then place the onus on those employers to act in a way they see fit.
Falling under this category, Code42, Teramind, Behavox and InterGuard all told the Financial Times that they were seeing a rise in interest from potential clients under lockdown.
“There is an increase in people trying to steal intellectual property — reports or valuable HR data, client lists,” Erkin Adylov, Chief Executive of artificial intelligence group Behavox told Forbes.
Its software analyses 150 data types to produce insights about employees’ behaviour, including using natural language processing of email and workplace chats to assess “employee sentiment”, he said. “Maybe there is uncertainty about the people are going to their job,” Adylov added.
“The market is moving very fast. I would say it is probably growing at a clip of 100 per cent a year. The demand is outstripping supply,” he said.
State adversaries
The article points out that the risk of nation states opportunistically grooming employees for cyber espionage purposes is also a growing threat, several experts said. The issue was thrust into the spotlight recently when US officials last year charged two Twitter employees with mining data from the company’s internal systems to send to Saudi Arabia.
“If I were a nation state actor . . . certainly, this is an opportunity to exploit some realities that exist. This is a heightened environment,” Homayun Yaqub, a Senior Security Strategist at cyber group Forcepoint told Forbes.
The article adds that executives at Strider Technologies, which wields proprietary data sets and human intelligence to help companies combat economic espionage, said it was seeing more recruitment of foreign spies, particularly by China, take place online under lockdown, rather than at events and conferences. “We’re providing with the capability to respond to that adversary tactic,” said chief executive Greg Levesque.
Nevertheless, critics argue that the technology is still nascent and further investment is needed to develop a more accurate understanding of what risky patterns of behaviour look like.
The article points out that, while employers have long been able to legally monitor emails and web activity for signs of external cyber security threats, for some there is a discomfort about the privacy and trust implications of using such tools on staff.
“It’s intrusive, it’s not very culturally palatable,” former US Army Intelligence Sergeant and former Palantir Executive Greg Barbaccia told Forbes. “To me, the insider threat is a cultural human problem. If someone wants to be malicious. . . you need to solve the human problem.”
Omer Tene, vice-president of the International Association of Privacy Professionals, said: “Data breaches have been a huge issue. It is understandable why businesses would want to protect against that. I would not be alarmist.
“But you need to be aware as a business and a technology of the creepy line,” he added. “Are you doing anything. . . unexpected that will trigger backlash?”
The first 100 days
It seems as if we have lived through a lifetime of risk since the beginning of COVID-19. A well written Forbes article pointed out what happened during the first 100 days of the crisis.
The article points out that, with cybercrime accelerating as COVID-19 spreads, manufacturing and retail organisations are seeing the most attacks.
In a report to be released today that was exclusively provided to the author, security firm Mimecast examines the first 100 days of the crisis and the pattern of scams that has unfolded.
Opportunistic detections
The article adds that between January and March, says the firm, spam and opportunistic detections increased by 26.3%, while impersonation was up 30.3%, malware by 35.16% and the blocking of URL clicks by 55.8%. Overall, detections were up by a third.
Criminals have been matching their scams to the news, with detections rocketing, for example, during the week that saw the first reports of COVID-19 infections in the UK, Italy, and Spain.
The article points out that, in the week from 24 March, when the UK and Australia locked down, a spoofed WHO 'Safety COVID-19 Awareness' email did the rounds, appearing far more professional, says the team, than previous efforts.
Impersonation on the increase
The article pints out that impersonation has been steadily increasing for some time, says Mimecast, and has accelerated since the outbreak.
"Some of the increase undoubtedly reflects the increased opportunity presented by current circumstances, with isolated employees and the potential lack of suitably robust verification processes, which threat actors will hope to heavily exploit under the present lockdown measures in many countries," Carl Wearn, Head of e-crime at Mimecast told Forbes.
"Some will reflect that additional move of more traditional crime to be partly or wholly carried out online, adding additional volume."
In terms of targets, worryingly, prominent charities related to the current crisis have been subject to domain/website spoofing in recent weeks. However, there has also been significant activity targeting certain industries.
"By volume, it’s primarily the retail and manufacturing sectors that are being hit most, almost certainly as they are the key verticals still in full swing or even taking on more employees at this time, and of course key to every nation’s response and subsequent recovery at present," says Wearn.
"Other sectors of the economy have significantly reduced their workforces or furloughed employees, reducing the available attack surface for threat actors to exploit across other verticals."
Homework
The article points out that much of the activity mirrors the waves of people starting to work from home.
"Many companies had to rush to implement a work from home process with staff that had never had any cyber security awareness training, which obviously had a negative impact," says Wearn.
"Later increases are more concerning, as they may well indicate that awareness and adherence to good cyber-hygiene practices wanes over time, if not delivered regularly and maintained."
Over the coming weeks, warns Mimecast, targets are likely to change again, as the economic landscape changes.
"It is important to be vigilant when communicating with third parties and suppliers, as there may well be an increase in the range of businesses folding in the coming months, and criminals may seek to exploit a company’s previous clients or customers," says Wearn.
"It is therefore all the more important that organisations train their employees in the best possible way and make them aware of the dangers of phishing."
Focus areas
While the threat is very real, there are a few actions that companies can take to decrease their risk of dealing with a major cyber issue.
- Ensure that the organisation’s incident response protocols reflect the altered operating conditions and are tested early. Given that most of the security and risk team is now operating in completely different environments and mindsets, incident response plans and protocols might become obsolete or need to be adjusted. Even incidents that would normally be well-managed risks can become bigger issues if the team cannot respond effectively. Begin by reviewing the response team. Ensure that primary, secondary, and alternate roles are filled and that everyone has access to the equipment they need to be effective. This is also a good time to reach out to suppliers to see what hardware they have and whether you can get it to the right people if needed. Review all documentation and conduct a walk-through with a careful watch for any problem areas. If the organisation does not already have a cybersecurity incident response capability, consider using the services of a managed security service provider instead of trying to stand up a new system;
- Ensure that all remote access capabilities are tested and secure and endpoints used by workers are patched. Given how quickly most organisations found themselves moving to remote work, it makes sense that security teams would not have had time to perform basic endpoint hygiene and connectivity performance checks on corporate machines. Further complicating the matter are employees who are working on personal devices. Ensure that corporate laptops have the minimum viable endpoint protection configurations for off-LAN activity. Security and risk teams should also be cautious with access to corporate applications that store mission-critical or personal information from personally owned devices. Where possible, they should confirm whether personal devices have adequate anti-malware capabilities installed and enabled. If not, they should work with the employee and their corporate endpoint protection platform vendor to ensure the device is protected as soon as possible. Other mechanisms such as software-token based multi-factor authentication will also be useful to ensure only authorised personnel have access to corporate applications and information remotely. On a strategic level, make sure someone from the security team is part of the crisis management working group to provide guidance on security concerns and business-risk-appropriate advice; and
- Reinforce the need for remote workers to remain vigilant to socially engineered attacks. The reality is that employees will have more distractions than usual, whether it is having kids at home, worrying about family or concerns about their own health. They are also operating in a different environment and might not be as vigilant about security during a time where cybercriminals will exploit the chaos. Make sure you reach out to senior leaders with examples of target phishing attacks, and alert employees to the escalating cyberthreat environment. Remind them that they must remain focused and hyper-vigilant to suspicious activities. If appropriate, send out reminders every two weeks and remind them of the location of pertinent documents such as remote and mobile working policies, as well as where they can access security awareness training material if they want a refresher. Further, clearly communicate who to contact and what to do if employees suspect a cyberattack.
What happens after COVID-19?
We have written a few articles on this. To be honest, there is no blueprint that maps out how companies can effectively deal with the cyber threat after COVID-19 is gone, and it will go away.
Because there is no blueprint, I am always interested in articles that try and provide insights into this growing issues. A recent article of interest was written by Bob Zukis who was writing for forbes.com. He spoke to Kelly Bissell, Global Senior Managing Director at Accenture Security, to get his insights on what he is seeing when it comes to this issue. Below is an extract from that interview.
What is the most important cybersecurity lesson corporate leaders are learning through COVID-19?
It is really brought into focus how critical it is for organizations to have real-time capability and adaptability of their cybersecurity defences.
Hackers looked for ways to take advantage of the COVID-19 situation immediately, as organizations had to implement work-from-home mandates in short order at a scale and scope not experienced before. CIOs and CISOs have been on the frontlines of keeping businesses safely functioning during these times.
It is highlighted both the importance of the real-time nature of effective cybersecurity, how difficult it truly is, and the strengths as well as the weaknesses of many organization’s cybersecurity practices for senior leadership.
Has there been a particular insight that sticks out that you have had or seen from a CEO or corporate board during these times?
There is a big one that is emerging. It is the connection between what is occurring with the pandemic and how leaders view cybersecurity and their entire digital business system.
Business leaders are getting a daily lesson in large scale systemic failure during the COVID-19 crisis. They see and read daily how COVID-19 quickly spread around the world and how it is impacting economic, social, political, and their business systems.
It’s a wake-up call in the complexity that exists throughout the world and a realization that CEOs and directors need to have a deeper understanding of how these complex systems work, including the digital business and the cybersecurity health of the entire organization.
Is this helping with their cybersecurity efforts?
It is helping significantly in a few ways, but there is one big issue looming.
It has been an enormous help in getting CEOs, corporate directors, and the entire C-suite a lot more engaged, focused, and informed about what is happening with cybersecurity and their digital business system. As everyone moved to work-from-home models, these issues were at the forefront. Phishing attacks using COVID and threat actors targeting remote work vulnerabilities are widespread.
I think it is also really helped business leaders understand the enormity of the job that their CIOs and CISOs face and the importance that these functions have on their business. For many organizations, their business runs off their digital capabilities — if the digital capabilities are not available, business cannot operate. These functions have never been more vital or more appreciated by leadership.
What is the big issue that is looming?
CEO’s and boards need to start to think beyond the pandemic, and some are.
But that is the issue. Business leaders are seeing how many of their systems failed and beginning to see that they need major structural reform. They do not think going back to what they had makes much sense; they see an opportunity for massive levels of change and improvement. And many are realizing this will not be their choice, it will be dictated by changes in consumer and public behaviour, regulation, competitive shifts, you name it. The external forces of change will force a massive wave of disruption.
This is an opportunity but also a big risk for them. Many of them know their digital business system is vital to helping them navigate this change.
But periods of disruption, whether driven by good or bad circumstances, present opportunities for hackers. So that cybersecurity risk gap I talked about earlier between threats and defensibility is not going to close naturally; that curve is not flattening. New cybersecurity risks are going to continue to emerge, and defensive capabilities must continue to try to stay ahead.
A common question that a lot of board members ask, is “Are we spending the right amount on cybersecurity?” That is the wrong question. The right question is, “What do we need to protect, what’s the value of what we are trying to protect, and how secure is it for what we’re spending?”
That is their challenge heading into what could be massive waves of systemic change. The business value that their digital business systems drive is only increasing, and the threats to that value are only going to go up. It is a tough curve to flatten in this situation.