As organizations struggle to meet the challenges of the COVID–19 pandemic, they should be clear–eyed in evaluating the cyber risks facing them. In the rush to implement widespread remote working, IT teams are being stretched thin. Anxious for accurate information as the crisis unfolds, end–users—including boards and senior executives—are under stress and distracted, making them ripe targets for phishing emails. Meanwhile, the dramatic expansion of remote working creates a sprawling data footprint and opens networks to scores of poorly secured access points. This results in more opportunities for external attackers to penetrate systems and greater risk that data will be inadvertently or intentionally compromised by insiders.
Faced with increased risk, only those organizations that take a holistic view of their people, processes, and technology will have any chance of obviating that risk. The response is not exclusively the domain of IT teams, but requires enterprise–wide support and adoption by compliance, legal, and human resources professionals.
What follows are recommendations for addressing the most pressing cyber risks arising from the COVID–19 pandemic.
IT Teams: Attenuated Bandwidth
Providing remote–working resources to even a modestly sized workforce is time–consuming and challenging and is what many IT teams have been forced to do in a hurry. This strains their attention, heightening the risk that threats will go undetected and incident response time will increase. With gatekeepers overwhelmed, intruders see opportunity.
Making matters worse, pre–pandemic user risk awareness—never optimal—has been rendered moot by dramatically changed usage patterns. Even before the crisis, detecting anomalous behavior that might signal an intrusion was challenging. Now that many businesses are operating from out–of–office locations, the detection instruments employed by network defenders are out of tune. Information security teams—assuming they were on task in the first place—are wasting time responding to false indicators of malicious activity.
Attackers and scammers are seizing this opportunity: they know that exploiting trusted users is a time–tested way of bypassing an organization’s safeguards and penetrating its defenses. Malicious actors are taking advantage of workers distracted by the crisis, abusing their trust and desire to be responsive, as well as their fear of the current crisis.
Cyber thieves are crafting phishing emails tailored to COVID–19. These emails take the form of public health alerts, employment updates, file shares, appeals for support for high–risk groups, or offers of financial assistance. Lurking within are attachments loaded with malware designed to steal information. Others contain links redirecting users to websites that infect their computers with malicious code. In one notable case, a website with a map that purported to track COVID–19 infections contained information–stealing malware.
Preying on the public’s fear and desire for information, these phishing scams override normal skepticism, leaving users vulnerable to attack.
Weak Links and the Enemy Within
Increased reliance on remote access and a dispersed workforce triggers concern about both external attacks and insider threats.
With employees using their home networks for work, the security of the system is only as good as its weakest link. To a network intruder, this is a gift: an opportunity to launch attacks that exploit default or weak credentials, unpatched applications, or stale firmware. The prevalence of lightly secured home–networked devices increases the risks exponentially.
Opportunity also knocks for trusted insiders inclined to misappropriate data for personal gain. Widespread remote working results in “data sprawl” as business is conducted on more devices, over more networks, and in more physical locations. Remote working—for all its advantages—reduces the accountability and supervision present in an office environment, creating more opportunities for exfiltration or unauthorized sharing of sensitive data. Further, as the economic shock forces companies to furlough staff, reduce salaries, and defer compensation, employees may act on grievances and retaliate. Any response to a security incident or allegation will likely be hampered—if not frustrated entirely—by a lack of access, permissions, tools, or logs needed to conduct an effective forensic investigation.
To respond to the challenges described above, senior management must enact and support an effective mitigation plan across the organization.
Process and Governance
The COVID–19 pandemic has brought seismic change to the way we work, change that may outlast the crisis. Indeed, the current workplace, with its significantly increased cyber risks, may become standard. Businesses should move swiftly to adapt to this reality through thoughtful planning and disciplined employee engagement. Those that fail to do so risk becoming additional victims of the pandemic.