Covid-19 has brought about a period of major transition and companies are having to adapt to weather the storm. Many have furloughed staff and partially closed doors, while others have remained operational but with all-new working processes. They may have adopted enterprise-wide remote working or implemented new digital avenues to market, both of which likely required the rapid adoption of technology and a much greater reliance on existing or new digital infrastructure.
Whatever the case, companies are now more vulnerable, with a greater possible cyberattack surface area, and the speed with which these changes have taken place has made it even more difficult for security teams. For a lot of organisations, a well-protected, centralised corporate network has suddenly been stretched nation-wide, if not further, with many employees relying on personal devices and potentially unsecure Wi-Fi networks whilst sharing sensitive data. For security teams who are working from home too, managing this new, expanded ecosystem is challenging.
Taking advantage of the nation’s apprehension
Cybercriminals are doing their best to play on emotions. While the lockdown has been slightly eased, the air is still full of uncertainty with people unsure when they can see families again without needing to adhere to social distancing or if their jobs are in danger, for example. As such, there is a desperate want for more informative information and there has been an increase in the rate of phishing attempts using Covid-19 advice as their ‘hook’. In some cases, genuine advice from the World Health Organisation or government departments is being copied to increase the facade and lure worried victims into clicking on links that can result in malware downloads. Financial information surrounding tax returns and furloughing advice gives another vector to target businesses.
The frequency of attacks is also rising due to the lower barriers to entry. Phishing attack kits which include templates to imitate legitimate, trusted brands, out-of-the-box malware, access to DDoS (distributed denial-of-service) boosters and other bulk attack capabilities are now easily available, and they’re increasing in simplicity all the time. You no longer have to be a tech wizard to be a cybercriminal, being tech literate is sufficient to launch attacks against potentially hundreds of targets at once. Similarly, there are ‘attackers-for-hire’ that can help even the most tech-puzzled to target unsuspecting victims.
The challenges stemming from the ease of accessibility is being compounded further by the number of people who are stuck indoors and bored or in need of quick cash because of the lockdown. The saying goes that ‘the devil makes work for idle hands’ and, as such, alongside the big criminal organisations you now have the threat of increased numbers of minor criminality.
Benefiting from using more technical attacks
Connection outages will happen. While companies have contingency plans, downtime – such as the one Virgin Media suffered at the end of April – can impact millions of people, which in turn affects the businesses they work for. While outages aren’t necessarily linked to networks exceeding bandwidth, in the current climate of high internet usage it’s perhaps less of a surprise when that is the case. It’s this acceptance that it could happen which provides cybercriminals with an opportunity. If hackers were to flood a network and take it offline using a DDoS attack, users may simply assume it’s just an internet issue and not report it, giving the actors more time to carry out their motives or plant sleepers for future strikes.
Recently converted full-digital supply chains also pose a risk. Some companies have found that their entire supply chain has moved rapidly online in response to Covid, and this has increased the likelihood of ‘island hopping’ attacks, where actors move against smaller third-party targets which could then provide access into larger corporate networks in their supply chains. Target’s huge data breach back in 2013 is the go-to example of how successful targeting a supplier can be meaning in the current situation; companies don’t simply need to be concerned about their own Covid security setups, but also that of their entire ecosystem.
What companies should be doing to mitigate risk
With a dispersed workforce working on a range of corporate and personal devices, organisations should make sure endpoint security features are up-to-date and able to handle the increase in the number of devices connecting remotely to the network. For full insight, this should be combined with tools that can monitor high-traffic workloads, allowing complete visibility over core networks and functions.
Multi-factor authentication should also be applied to all business applications and, where possible, devices should be set to automatically download antivirus software patches and run daily scans to ensure devices are clean. If using personal devices, employees must be encouraged to do the same or given the licences to download corporate software.
However, centralised cybersecurity can only offer so much protection to a remote workforce; the human firewall remains an essential aspect of an organisation’s security posture. Businesses have to teach and consistently reinforce good cyber-hygiene. Explain the red flags of a phishing attempt and the importance of getting employees to check-in with colleagues if they’re not quite sure if the boss’ request to urgently pay that supplier is legitimate, for instance.
Companies can also be more open in how they communicate internally. With so much apprehension businesses can look to alleviate some of it by ensuring employees are kept up-to-date with the health of the firm and their plans for exiting lockdown. There’s also the issue of message fatigue. Suddenly, employees are being contacted across several channels: phone, email, video calls and WhatsApp, and it’s easy to not provide the level of scrutiny they should to every message. So, companies should try to limit which channels they use so that employees can focus and better understand when something might be a phishing attempt.
Ultimately, as we slowly move out of lockdown, all organisations are simply another potential target for malicious actors. During this period of transition, businesses should use the opportunity to strengthen security postures. Life is unlikely to spring back to how it was pre-Covid and companies must prepare for a world where remote working and a much greater reliance on digital processes are the norm.
Martin Rudd, CTO, Telesoft