COVID-19 threw our lives into turmoil this year, creating a lot of chaos and confusion as people and businesses were forced to readjust very quickly to remote working environments and changing social habits. Just as quickly, cyber criminals looked to take advantage. The result shined a big spotlight on companies’ approaches to cybersecurity—both good and bad.
Now, as we wind towards 2021 and a pandemic that doesn’t seem to be going away anytime soon, what lessons have we learned? Are businesses taking cybersecurity seriously enough? And what should we expect going forward? A panel of security experts tackled these questions and more in a virtual session during CompTIA’s 2020 EMEA Member and Partner Conference.
Social Engineering Comes Front and Center
For one, COVID-19 has shed new light on the social engineering abilities of cybercriminals, who are taking advantage of the staying power of the pandemic in news cycles. Employees and consumers are still apt to click on a malicious link that purports to offer new information or insight into the coronavirus, said David Emm, principal security researcher at Kaspersky.
“Social engineering has always been one of the key attack vectors. What COVID-19 provides is a more persistent topic [than] Black Friday or the Olympics. Plus, you have a huge pool of potential victims [impacted by COVID-19], so it’s the perfect storm,” Emm said. “Criminals’ approach has pretty much been the same, but a lot of people have been forced to work from home. Here in the UK, it’s about 48%. That’s a lot of people who don’t have the protective ring of a corporate network around them.”
For example, phishers have pretended to be the World Health Organization offering information on the virus, or a delivery company with status on an order, or an agency giving out assistance to people—all of which can cause people to become curious and open malicious links.
Merium Khalid, senior cybersecurity analyst at SKOUT Cybersecurity, noted a marked increase in the number of legitimate documents, software platforms and websites that have PDFs embedded with malicious links, adding that an estimated 18 million COVID-19 phishing emails are being blocked each day.
“There’s a lot of exploitation of human emotion. People are anxious and they’re fearful of the current situation. That’s why they are clicking more on urgent request tactics,” she said.
The emotional frailty that COVID-19 has wrought has played a big role in how cybercriminals attack, said Tope Aladenusi, cyber risk services leader at Deloitte West Africa. “These guys thrive on fear, uncertainty, doubt, and greed. They capitalized on that to launch several attacks,” he said.
Criminals Get Creative, Companies Face New Challenges
Ian Thornton-Trump, CISO at Cyjax Limited, said cyberattacks have gotten more creative and more complex since March, when COVID-19 started to spread globally. Bad actors are looking to steal credentials through phishing and smishing, he said.
“We’re seeing a pivot because most large email providers are getting pretty good at quashing spam emails. One thing from COVID is automated, sometimes BOT, attacks on infrastructure that people are using. Phishing email is a threat but I’m seeing more insidious uses along the lines of exploitation of internet-exposed devices and services.”
The sudden emergence of remote workers has presented organizations with tremendous technical challenges, such as VPNs for employees at home, all of which can lead to productivity issues as well as security vulnerabilities.
“Unfortunately, a VPN can degrade performance, especially if the company wasn’t prepared to scale to hundreds of VPN points. And certainly, using some network and storage intensive operations over a home DSL is nearly impossible. There’s been a lot of hard lessons learned within the security architecture community. IT in general got a huge shakeup,” said Thornton-Trump.
It’s also probably a little too hopeful to expect that all employees actually use a VPN every day, said Aladenusi, who added that COVID-19 is forcing many companies to rapidly accelerate their IT plans, which may have included more remote usage and VPNs five or even 10 years from now.
“We are being forced to bring the future to the present and there’s not time to go through a design process. We just had to get access to people. Some used VPN, some used multi-factor authentication, but some just looked for a way to connect,” Aladenusi said. “Another issue was getting secure devices to employees. Many have been forced to use their own personal computers that likely weren’t aligned with the company’s security policies.”
Many newly remote workers don't have updated software in terms of OS and antivirus, increasing the risk and widening the corporate network that is outside the control of IT, Aladenusi said. “It became a serious issue. Accessing the system and doing the work was the priority at the time, but this exposed many organizations to security risks.”
When Productivity Trumped Protection
Many SMBs were especially vulnerable, added Emm, because those companies are less likely to have internal IT departments or skills. “Top of mind first was stay in business. If that means grabbing a laptop or a mobile device [to access the corporate network], so be it,” Emm said.
Khalid agreed, noting that productivity is most SMBs' top priority, not security. “Many didn’t have work-from-home policies. They’re essentially open to the world,” she said.
Added Thornton-Trump, SMBs are already getting pummeled because of the economic implications of COVID-19, never mind the security risks. “But that’s where you get ransomware. For every $10 million ransomware payment [by a large enterprise], there are thousands of SMBs that have paid something,” he said.
James Stanger, chief technology evangelist at CompTIA and moderator of the session, likened the situation to the “wild, wild days” of the late 1990s, when companies moved very quickly to ramp up business websites and e-commerce and didn't concern themselves with anything else. “It feels like 20 years before—we can’t worry about cybersecurity. It’s all about getting functionality online.”
Two-plus quarters after the initial stay-at-home orders, companies are now starting to plan and design long-term cyber strategies that incorporate more permanent remote work functionality, according to Khalid.
That includes XDR technologies, which allow users to cross-correlate endpoint, email and cloud infrastructure, giving security teams increased visibility compared to traditional endpoint security. “XDR is a new approach to threat detection and response and a key element of it is defending the organization’s infrastructure, while a normal EDR is just the endpoint itself,” she said.
Another enhancement spurred by COVID-19-related security risks is that companies are taking a more holistic view of their security infrastructure. Strategies are coming from HR or operations, not just IT or security, Aladenusi said.
“Most of us have staff work remotely. How do we measure performance and be sure we’re doing the right thing? Security is embedded as a key requirement for designing the remote workforce of the future. In the past, you didn’t see HR think about security,” he said.
For example, HR may want secure solutions around electronic signatures and remote contract approvals. “Companies are rethinking the way they work and their whole architecture. It appears this is the new way we’re going to live and let’s plan and start executing around that,” Aladenusi said.
Things to Watch for into 2021
Lastly, each panelist cautioned that companies can’t let up or think that a safe IT environment is a sure thing. Most immediately, that means continued education for remote staff on the dangers of clicking on the wrong link or opening the wrong attachment.
“If you don’t have that line of sight with your people, you don’t have that direct contact,” said Emm. “I’m not convinced you can train people to be secure. Instead, it’s about implementing a culture. Given most of us will still work from home after the pandemic, it’s vital that we don’t forget to keep people aware of what the dangers are and make efforts to patch human resources along with our digital ones.”
Added Aladenusi, “I fear that we will forget a fool with a tool is still a fool. At the end of the day, it’s not tools that secure us, it’s people. We need to take care of the people side. Too often, budget for security is high but the budget for people is negligible. If you have the best of tools and processes but your people are not addressed, you’ll come back to the same problem.”
Meanwhile, Khalid warned that companies and employees also can’t get lax as they return to office environments. “I think once people are around more coworkers, they’ll feel more secure and get more lenient. User awareness has to be there in the office too,” she said.
Finally, Thornton-Trump called for companies of all sizes to ensure they have a security strategy that blankets the entire organization. Otherwise, you may leave yourself open to unnecessary vulnerabilities and gaps in protection, he said.
“If you continue to operate in silos as a business, the threat vector will be in between those silos,” he said.