The COVID-19 pandemic has accelerated several emerging tech trends, but none more immediately disruptive than the proliferation of cybersecurity threats. The sudden uptick in both reliance on digital platforms and widespread uncertainty has created ripe conditions for cybercriminals, resulting in a 600% increase in attacks, according to the UN. The total volume of coronavirus-related lures and threats marked the largest collection of attack types exploiting a single theme in decades, and possibly ever, according to other analyses.
From phishing ploys on remote workers to sophisticated targeting of healthcare infrastructure, pandemic-related cyberattacks mark a major threat to people and organizations across the globe. Infosec professionals, however, are finding themselves on the frontlines of a different battle, one in which urgent questions are demanding answers. Here are three such questions CISOs and their teams must consider, as well as recommendations for addressing them securely and safely.
1. How can we support our end users and clients?
Cybercriminals capitalize on heightened emotional states and vulnerabilities to execute attacks. This act of social engineering powers the majority of cyberattacks — some say as many as 98%. Thus, the mental health effects of the coronavirus pandemic have greater implications for enterprise security than one might think.
Consider the following convergence of factors:
- There are widespread fears, concern for loved ones and desire for answers and hope.
- Expanded demographics are now working remotely, relying on digital platforms not only to work, but to find information and communicate.
- Many workers are new to remote working and its cybersecurity implications. Whether a company has new employees or workers taking on new roles, research found new hires are more susceptible to socially engineered attacks.
- There has been a 600% increase in cyberthreats across enterprise and consumer exploits, including phishing, malware, remote user credential theft, weaponized email attacks, fraudulent actors posing as trusted sources, and data and network penetration.
Key takeaway: Focus on improving cyber hygiene across the enterprise.
The pandemic doesn’t just call for shifts in social behavior and physical hygiene practices; it demands that cybersecurity professionals engage in dedicated campaigns to safeguard online behavior and cyber hygiene as well. Too many organizations take a piecemeal approach to cybersecurity training, education and support. Because people are the common avenue exploited to penetrate systemic defenses, security teams should focus on employees, executives, contractors, partners and any other human endpoint accessing their networks. Communicate clearly about general best practices, existing enterprise programs and protocols, VPN policies, explanations for security mandates, how to verify trusted information sources from the enterprise, and how to identify and report suspicious interactions.
2. What is and is not part of our asset inventory?
As a result of shelter-in-place and workplace risks, businesses have had to either rapidly shift to enable remote working or scale mobile environments, many without the experience or security infrastructure in place to do so. In addition to existing operational technology and IT assets and traditional BYOD security, infosec pros have been faced with extending security to households, variable networks and shadow devices shared by multiple users and often used for other purposes. Many security teams already struggle to keep up with their asset inventories, because those inventories are either only approximate or incomplete. With millions of employees working from home, the surface area of potential entry points into enterprise networks has expanded dramatically.
Key takeaway: You can’t manage what you can’t measure.
A detailed and up-to-date asset inventory is crucial to an enterprise security strategy and to the context for specific risk mitigation tactics. Security professionals must prioritize asset inventories, including specifications across hardware and software, updates, patches and associated traffic patterns. Analyzing typical network traffic is particularly important to develop a baseline for what is normal, as this is a critical input for AI and software-based threat detection and anomaly identification. Asset inventory also marks an upstream cost-savings exercise given the potentially costly effects of downstream cyberattacks on already resource-strapped organizations weathering a recession. In addition, such inventories are crucial inputs for lifecycle management of assets, a dynamic of growing importance in IoT contexts with multiple tenants, environments and interactions.
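The reconciliation and baselining described above can be sketched in a few lines. This is an added example, not part of the original article: the device IDs, owners, traffic figures and the choice of a median/MAD baseline are all constructed assumptions.

```python
from statistics import median

# Constructed sample data: IDs, owners and byte counts are invented.
INVENTORY = {
    "dev-001": {"owner": "alice", "os": "Windows 10", "patched": True},
    "dev-002": {"owner": "bob", "os": "macOS 10.15", "patched": False},
    "dev-003": {"owner": "carol", "os": "Ubuntu 20.04", "patched": True},
}
# Daily outbound megabytes per device as seen at a VPN gateway; last value is today.
OBSERVED = {
    "dev-001": [120, 135, 110, 128, 131, 125, 119],
    "dev-002": [80, 95, 90, 85, 88, 92, 2400],
    "dev-999": [300, 310, 305],
}

def reconcile(inventory, observed):
    """Compare what the inventory claims with what actually connected."""
    known, seen = set(inventory), set(observed)
    return {
        # On the network but not inventoried: candidate shadow devices.
        "unmanaged": sorted(seen - known),
        # Inventoried but never seen: stale record or missing asset.
        "not_seen": sorted(known - seen),
        # Active devices the inventory marks as missing patches.
        "unpatched_active": sorted(
            d for d in known & seen if not inventory[d]["patched"]),
    }

def traffic_outliers(observed, threshold=3.5, min_history=5):
    """Flag devices whose latest day deviates from their own baseline.

    Uses the modified z-score (median and MAD), so one earlier spike
    in the history does not distort the baseline.
    """
    flagged = {}
    for dev, series in observed.items():
        history, today = series[:-1], series[-1]
        if len(history) < min_history:
            continue  # too little history to define "normal"
        med = median(history)
        mad = median(abs(x - med) for x in history)
        if mad == 0:
            if today != med:
                flagged[dev] = float("inf")
            continue
        score = 0.6745 * (today - med) / mad
        if abs(score) > threshold:
            flagged[dev] = round(score, 1)
    return flagged
```

A device with too little history, such as the unmanaged `dev-999` here, is skipped by the baseline check and surfaces only through the inventory comparison, which is why both checks are needed.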
3. How can security principles be translated into practice?
Asking strategic questions of principle during a crisis may seem a luxury, but crises have a way of accelerating changes otherwise slow to materialize. To date, cybersecurity has suffered from a gap between principle and practice: every organization professes to care about security, yet security teams often operate disconnected from other teams. Recent trends in security, such as the relative insecurity of software applications and the higher costs of reactive versus proactive security, have reinforced the need to address security systemically and by design. The pandemic only further reinforces these trends and gaps, particularly because more sophisticated attackers may penetrate now, amid the upheaval, but abstain from attack or payout, using the time to collect more data or analyze trade secrets or other information of financial or political value.
Key takeaway: Reorganize and reinvest for the long term.
While, in practice, most organizations leave it to security professionals, cybersecurity is everyone’s responsibility — from end user to C-level. Consider, for example, the technical shift-left approach that refers to incorporating security as early and upstream as possible in the software development lifecycle. As enterprise cybersecurity is elevated among top-tier business priorities during this pandemic, now is the time to not only cement this concept into software development, but to shift a culture of security into enterprise policy, investments, incentives, workflows, designs and partnerships for the long term. Such shifts will bear fruit in the near term too, as they affect an organization’s agility to react in the event of an attack, to incorporate broader data and analytics into automated tools, and to extend cybersecurity to physical security.
Just as a public health crisis challenges us to address questions and accelerate answers, so too may the current cybersecurity crisis, leaving us all more resilient in the long run.