COVID-19: tackling cyber security challenges

COVID-19 RESOURCE HUB  |  Financier Worldwide


Malicious actors have become more sophisticated, better equipped and bolder in their actions, making cyber security an ever-present concern in corporate boardrooms. As the number of successful breaches has increased in recent years, board members and C-suite executives have realised the scale of the threat. However, for many organisations the outbreak of COVID-19 has changed the paradigm further.

As the virus spread during the early part of the year, the number of cyber attacks against organisations grew exponentially, reaching a peak in April, according to Microsoft. In the UK, for example, the National Cyber Security Centre (NCSC) detected more UK government-branded scams relating to COVID-19 than any other subject since the outbreak began in March.

The legacy of COVID-19 is likely to leave organisations exposed to higher risks of cyber attacks for months if not years to come.

To date, business leaders have, understandably, been focused on overcoming the various operational and financial challenges that the pandemic has created. But as some economies have begun to reopen, companies are evaluating the new reality of cyber security in the COVID-19 landscape.

Attack vectors

In addition to a rise in the frequency of attacks, the attack vectors employed by cyber criminals are also changing. According to the World Economic Forum (WEF), hacking and phishing attacks are set to become the new norm, even as the COVID-19 infection rate recedes.

Cyber criminals will also look to exploit new working conditions created by the need to protect employees from the virus. According to the WEF’s ‘COVID-19 Risks Outlook: A Preliminary Mapping and its Implications’ report, the sudden surge in remote working caused by lockdown orders, social distancing guidelines and travel restrictions broadens the scope for cyber attacks and data fraud.

Remote workers may be using virtual private networks (VPNs) that lack adequate safeguards, for example, which increases the attack surface for hackers. There has also been a marked uptick in the number of phishing email attacks, malicious keylogger attacks and the distribution of password-stealing software. Indeed, 91 percent of respondents to a joint survey from VMware and Carbon Black reported seeing an increase in overall cyber attacks as a result of employees working from home.

Additional vulnerabilities

For cyber security professionals, the pandemic has created challenges beyond their usual concerns. For example, the emotional impact of the pandemic has in some cases led to distraction and disorientation, making individuals more susceptible to attacks which would otherwise be repelled.

There are also cultural issues at play. In a normal office setting it is easier to establish and reinforce a strong culture of cyber security. Replicating that culture away from the office, however, is less straightforward. For example, employees who work remotely may take unnecessary risks that go undetected.

Companies have also struggled to maintain their standard processes in counteracting criminality. According to the VMware/Carbon Black report, many companies have been unable to institute multi-factor authentication processes. Twenty-nine percent of respondent firms said this was the biggest threat they have faced during the pandemic to date.

Threat actors

Not only have individuals and criminal organisations been active, allegations of state-sponsored cyber attacks have become more prominent. In the US, the FBI and the White House accused China of using digital espionage to steal research on a COVID-19 vaccine, while Australia accused China of being involved in widespread cyber attacks.

Threat actors – whether hackers, organised criminals or nation states – are exploiting companies’ reliance on digital technology, and the vulnerabilities that surround these systems. Though companies can use cloud computing, DDoS protection, malware detection and antivirus software, among others, to enhance their cyber security, they may need to go further to fill gaps. But upgrading technology could be challenging at a time when many companies are tightening their belts to weather a deep, damaging recession.

Insider threats – both malicious and accidental – also present a problem. According to Code42, there has been a significant spike in exfiltrated data during the pandemic due to the sheer number of employees being laid off. Though employees taking data and other materials with them when leaving a company is far from a new phenomenon, there are several factors in play which may be contributing to an increase during the pandemic.

Code42 found that more than two thirds of information security workers and a similar share of business decision makers believed that they own their work product and are within their rights to take it with them when leaving an organisation. This mindset, combined with a lack of oversight due to so many employees working remotely, and the anger or frustration of being laid off, means many organisations will struggle to keep hold of their data. Companies need to make employees aware that all their work belongs to the company and that IT monitors data flows and transfers.

Outlook

Tackling the impact of COVID-19 on cyber security is complex and may require legislative intervention. In the US, members of the House Financial Services’ Subcommittee on National Security, International Development and Monetary Policy have introduced a number of bills to counter cyber criminality.

These bills include steps to cut down business email compromise (BEC) scams, which involve tricking a user into disclosing sensitive information, such as financial information. Such measures would require depository institutions, such as banks and credit unions, to develop guidance to educate customers about how to avoid financial scams. Another proposal would provide states with funds to help protect senior citizens from malicious hackers, a group often seen as an easy target. The final bill would establish a restitution fund to help victims of coronavirus-related fraud. Similar measures are being considered elsewhere.

But on a business level, while cost-cutting measures will be required in many areas, prudent companies may increase their IT spend in the months and years to come. Improved cyber security, better-integrated communications, automation and enhanced IT management are areas in which companies should consider making additional investments.

© Financier Worldwide


By Richard Summerfield

