In light of COVID-19, several industries adopted work from home (WFH) policies whenever possible in efforts to increase social distancing practices and curb the spread of COVID-19. Despite early indications of the virus in December 2019, many public and private entities across the world scrambled to prepare its infrastructure to respond to the new demands that the virus would impose on their operations. It is tempting to ease off the burden by saying that “no one could have predicted what has happened” but the reality is that specialists did predict it (Business Insider). Some even went further by saying that infrastructure at the time was not adequate to handle the demands caused by a global pandemic (Bill Gates, Ted Talks). And, as the pandemic unravelled, it became clear that their predictions were correct. Many societies were not ready, despite having “sufficient” time to invest in strengthening healthcare systems, developing a rapid response disease & prevention team, creating and enhancing response plans, and performing research & development in diagnostics and vaccines (as pointed out by Mr. Gates during his Ted Talks in 2015). It is difficult for leaders and policy makers to balance the multitude of priorities and hypothetical scenarios with their limited available resource, yet, some challenges such as epidemiology are worth paying closer attention to (as seen historically). In today’s day and age, there is another set of threats that need to be closely monitored, the digital kind that may wreck havoc in the systems that power the technologies we use daily.
As the world continues to fight COVID-19, many are or have transitioned to remote work. This poses a new set of challenges, with experts agreeing that threat factors have expanded, posing greater cyber risk to individuals, corporations and society. At an age where safeguarding our cyber infrastructure has never been more important, companies and individuals (not only governments) must do their part to ensure cybersecurity. In this article, we will discuss the rise of cybersecurity attacks in light of COVID-19, its risks, and necessary actions to avoid exploitation and instill a culture of cyber safety.
As opportunities close, new ones open – and that is certainly the case for individuals looking to take advantage of the recent global pandemic. In an operation that lasted only 7 days, the Europol made 121 arrests and took down 2,500 links in the fight against corona-related counterfeit pharmaceutical products (Europol). Platforms such as Zoom, whose popularity shot from 10 million to 300 million users a day, have become targets of video conference hijacking that were so frequent that prompted users to coin a specific term for such attacks: Zoom-bombing (The Guardian).
The Canadian Centre for Cyber Security has warned the public and, specially, health organizations that COVID-19 has increased the risks for attacks such as phishing and ransomware (The Canadian Centre for Cyber Security). The first being categorized by an attempt by threat actors to acquire sensitive information through the impersonation of legitimate senders such as government officials, trusted individuals or brands, among others (Government of Canada). The latter involves the infiltration and encryption of a victim’s files/ systems and the subsequent demand for ransom to restore victim’s access to such assets (CSO). Both types of attacks can have disastrous consequences, for example: in 2019, it was reported that phishing emails were responsible for scamming Facebook and Google over $71 million USD. During the same year, the city of Baltimore in the US State of Maryland had part of its infrastructure hijacked by threat actors who demanded $102,000 USD (or 13 Bitcoins) in order to unlock the seized files (The New York Times). In total, the city of Baltimore estimated that the attack, which only lasted 2 weeks, cost at least $18.2 million USD due to the direct loss and delay of the City’s revenue and the costs associated with restoring its computer systems (Baltimore Sun).
Prior to COVID-19, cyber attacks were becoming increasingly worrisome, however the current situation has further exacerbated the frequency of which said attacks happen. The recent surge in cyber attacks, as warned by the U.S. Secret Service, is a result of several factors that, together culminate on the perfect cyber security storm:
Recent remote working, learning and digital spending trends have exposed individuals and organizations to elevated cyber risks given the level of complexity and investment required to support and protect the cyber ecosystem. Unfortunately, cybersecurity is a relatively novel term in many areas, which meant that, similarly to several healthcare industries around the world, the sector was not receiving the necessary level of investment required to adequately respond to challenges such as the ones we are currently experiencing. To make matters worse, the general public is still getting educated on how to be more cybersecurity conscious – 1 in 10 Canadians have unknowingly replied to phishing scams (Public Safety Canada). Further, it is important to note that to many individuals, the transition to remote working happened fairly sudden which could pose additional risks as teams scrambled to digitize its workforce.
Again, there are several factors that may contribute to the increased pressure security teams have been under: 1) system infrastructure priorities have changed to accommodate the increased number of remote workers; 2) higher cases of cyber attacks have been reported, and; 3) key personnel may be unable to work due to COVID-19. All said factors are relevant considerations that may negatively impact the proper operation of security teams during this pandemic and increase delays in cyber-attack detection and responses. It is also important to consider that despite the increased volume of cybersecurity incidents, which adds stress to any organization’s security infrastructure, companies may not have the capacity to increase their security teams at the present moment given the fact that such professionals are highly sought after (with low supply in the market) and the current challenges associated with hiring individuals and onboarding them during the pandemic. A reasonable answer to said problem would be to explore co-sourcing said tasks (Deloitte), but, as supply-chain professionals will advise, that can pose added risks that may come back later to bite the organization. As any cybersecurity professional knows: “A chain is as strong as its weakest links”.
As pointed out by Deloitte, as companies downsize and social isolation efforts continue, some individuals may feel pressured to secure their means of survival through criminal actions such as cyber crimes. This behaviour may also be intensified by resentment that one employee may feel when he or she is laid off. As such, companies need to be cautious of their handling of the crisis not only during the lay off period, but also prior. A positive example of such behaviour was seen by Airbnb when its CEO, Brian Chesky, announced that it was laying off 25% of its workforce – he gave detailed insight as to why it was necessary for the company to take such action, disclosed that it was no fault of its employees, and vouched to assist them in looking for another job. It is inevitable that such situation is difficult for anyone to go through, but for the most part, individuals were sympathetic to and applauded his actions (Forbes). Organizations have been known to fire and escort individuals out of the office due to security concern, as more individual move to a work-from-home environment, laying-off may pose a new set of challenges when it comes to electronics and intellectual property.
Employees with computers that enable remote working is only one piece of the cybersecurity equation. On the other end, lies the infrastructure present at the employee’s house to facilitate their work. This ranges from modem, network/ electronic configurations, and software with end-to-end encryption, or virtual private network capabilities. It may be possible that their infrastructure may have fallen pray to malicious activities given their lack of cyber hygiene with their personal assets, or their family’s and housemate’s. Further, homes in developed countries may benefit from possessing internet in their homes, however, that is not always the case for families in developing countries (Deloitte). This factor, may force employees to seek out public networks which may pose an additional set of problems and vulnerabilities associated with cyber security (Norton US). Said factors can exponentially increase the risks to cyber security for every additional member added to the network. Hence, it is important not only that employees practice cyber hygiene but also that everyone sharing the network does the same. Whenever possible, personal electronics should not use or be connected in anyway to organizational ones.
To many individuals, a cyberthreat is a distant issue where someone from HR or a distant cousin fell for it once and “they just didn’t know any better”. But the reality is that cyberattacks have managed to cause damage to even some of the most sophisticated actors, in part, due to weak cyber hygiene. Some examples range from the US Office of Personnel Management breach in 2013-14, 2017 Equifax data breach to Stuxnet. Although these are broader examples, every day someone is being attacked, leading to IP theft, data theft, operational disruption, and possibly business closure.
Many organizations, specially the ones who were not previously impacted by a cyber attack, may find cost cutting opportunities in their security teams, potentially increasing the pressure on the remaining team and increasing organizational cyber risk. It is important that leaders, despite being skeptical to said concerns, listen to their security teams to properly understand and assess their their organization’s infrastructure and cyber risk profile.
Understanding the problem is the first step to solving it and this may be the most positive aspect of the current cyber security environment: there is a solution. It involves instilling a culture of cyber hygiene and building cybersecurity by design that is supported by relevant processes and appropriate infrastructure.
As previously discussed in the article “Building a Lasting Emergency Response Task-Force in Light of COVID-19”, organizations need to be prepared for alarming situations and that may be a ransomware attack on its infrastructure. As such, it is paramount the technology professionals involved in the task-force understand the cyber environment in which the company is placed and the risks that it may face.
Cybersecurity should not be a topic in which employees can simply do a refresher course once a year and then go back to the status quo. The risks of a security breach are far too great for organizations and individuals to gamble with. Hence, leaders should work to instil a culture of cyber hygiene whereas accountability and knowledge are the main drivers of success. Yes, refresher courses are important. However, it is important that an organization maintain cybersecurity fresh in the minds of their employees through their Intranet portals and emails/ newsletters that discuss the latest developments on cybersecurity when applicable. Sometimes, even showing the latest examples on phishing emails may help, as seen in this article by the Canadian Centre for Cyber Security. Additional topics to newsletters may include the importance of applying updates and critically assessing connecting devices.
Lately, cyber professionals have urged organizations to enable multi-factor authentication in their systems as to enhance security protocols in the organization (Microsoft). Additionally, DLP (Data Leakage Prevention) rules should also be implemented on external and, sometimes, internal communications and exchanges. The proper systems monitoring is also an important additional component that can strength an individual or organization’s firewall. Further, technology professionals need to be on top of updates and patches necessary to strengthen the overall security of their infrastructure. Finally, test your systems in a controlled environment to ensure it can survive attacks and stress on its infrastructure.
As more individual move to a work-from-home setting and more of their data and their family’s data is tied to digital assets, it becomes imperative that they teach their family how to protect themselves in the cyber realm. This means that a lot of the items listed above should also be taken into account, albeit at a smaller scale, in home environments. Organizations should consider investing in providing free training modules to their employee’s families as a way to indirectly support their effort in protecting organizational IP and data. For basic tips on cybersecurity, please refer to our article on ‘Tips for Increased Cyber Security’ and ‘Email Security 101’.
Let us face it: no one is interested in nor have the time to deal with another crisis. But when your organization is scammed for millions, or its infrastructure is frozen to a point that services come to a complete halt, that is exactly what happens. Although many specialists predicted that a pandemic would happen, there is a consensus that little action was taken in order to prepare the healthcare industry to deal with such crisis. We cannot afford to double down on our economy any further by brushing off cyber security aside. As we move to a digital workforce, it is imperative that we protect our assets. Failure to do so can have majour consequences, as such, it is everyone’s responsibility to protect our cyber assets.
The opinions in this article is of the authors and do not reflect clients or other’s views.