Cybersecurity in the Time of COVID-19
As with any crisis, there are always opportunists and the COVID-19 pandemic has been no exception.
There have been widely-reported scams ranging from bogus Red-Cross impersonators offering COVID-19 tests door-to-door, fake goodwill payments from the UK Government, to SMS messages about COVID-19 symptoms and even free ‘isolation’ Netflix subscriptions. In one particularly nasty incident, a hospital in the Czech Republic was hit with a cyber attack in the midst of a COVID-19 outbreak that resulted in urgent surgical interventions being postponed.
We spoke to global cybersecurity expert Tony Vizza from (ISC)², the world's largest association of certified cybersecurity professionals, about cybersecurity in light of the COVID-19 crisis.
Cybersecurity is probably quite low on most people's list of priorities right now. Why do we need to be more vigilant than ever?
“Right now, people are certainly giving more thought to sanitising groceries, entertaining children, paying the rent and putting food on the table than they are to cybersecurity. Given the heightened state of alert, critical thinking skills are likely to be impaired and people are distracted. Cyber criminals know this, and they also know that anything related to COVID-19, such as an email or a text message, is going to grab a person's attention. And with the state of the world today, there is a strong likelihood that the person will react quickly without considering it could be a scam. In a working-from-home scenario, an employee making a poor decision could endanger the security of the entire company network.”
And with swathes of employees now working remotely, that poses a risk too…
“Home networks are notoriously vulnerable because people often don't make the effort (or don't know how) to secure them. It's well known that people usually don't change the default Wi-Fi or router admin passwords, or if they do change that password, it's changed once and once only.”
“One of the biggest challenges for organisations is how to safely implement widespread remote-working practices. Historically, companies would have had capability for a handful of workers to allow them to work remotely, which would have been heavily secured. The danger now is that companies have had to move to remote working en masse in a very short period of time. They may not have had the capability, resources or the time to ensure their employees' machines and networks are adequately secured.”
“In the event that an employee's machine is compromised, which could take place virtually (through ransomware, for example) or even physically (for example, if a notebook is stolen), a malicious actor could potentially gain access to the company network. This is particularly risky for more senior employees who may not have worked remotely before because, if their machine is not adequately protected, they tend to have much greater access to the company network and hold sensitive company confidential data. This could expose organisations to data breaches or ransomware.”
What should organisations be doing to ensure their cybersecurity is up to scratch?
“It is important to consider that many organisations have had to very rapidly shoehorn themselves into a remote-work operating environment. This has likely left holes in their cybersecurity protections. Back in 2018, mandatory data breach notification laws drove many organisations to develop a cybersecurity strategy to ensure that they complied with the law. However, 2018 is now ancient history in light of COVID-19 and, as such, organisations should be taking a very close look at their cybersecurity strategy as it currently stands and determining whether that strategy is appropriate for the new operating environment.
“Organisations should start by reviewing their information security management strategy, their disaster recovery strategy, their business continuity strategy and their incident response strategies. Are these strategies reflective of the new operating environment where almost all workers are remote? If they are not, they need to be updated. These reviews should involve senior leadership and should be driven by a certified cybersecurity professional, either internal to the organisation or hired as an external contractor. In addition, an organisation's risk register should be updated to reflect new and evolving organisational risks related to today's operating environment.”
The use of teleconferencing apps has skyrocketed over the last few weeks as teams move to remote working. What cybersecurity risks does this pose to organisations?
“Conferencing apps have been compromised in the past and almost certainly could be again in the future. There have been numerous instances in recent days of conferences that have been accessed by unknown miscreants.
“Employees should know that the camera on their laptop could be commandeered and remotely accessed, and be instructed to cover the camera with a sticky note or tape when not in use. They should also be mindful of where they are sitting to ensure no family photos or personal effects are in the background. These could provide cybercriminals with valuable information that they could use to socially engineer your employees or your organisation.”
What about other integrated systems that organisations may have left running? For instance, connected smart devices and IoT technology.
“A lot of systems using smart technology or IoT edge devices were set up to provide a functional solution. They are often set and forget, with software and firmware that may not have been updated in a long time. If that software or firmware has vulnerabilities in it, it leaves those systems open to malicious attacks. It is likely possible that some systems, for example IP-based CCTV cameras, will have been left running without any maintenance oversight. POS systems in retail stores that have been shuttered would be another example. There have been numerous past instances of malware being installed on POS terminals. Once these stores reopen, data including credit card details or personally identifiable information could be exfiltrated by a malicious actor.”
What can an organisation's security team do to mitigate these risks?
“Once the organisation reviews and updates its cybersecurity strategies, it is important to identify a list of actions that need to be taken. It goes without saying that these actions should be prioritised in terms of the risk mitigation that they offer the organisation as a whole. In terms of managing risks related to remote work, these include but are not limited to: educating employees on cybersecurity considerations that are important in relation to remotely working; ensuring that ‘least privilege’ and ‘need to know’ access is granted for resources remotely; ensuring that endpoints are protected and that they can connect to applications and services in a secure manner; ensuring strong email security is in place; deploying two-factor authentication where possible; ensuring remote workstations have full disk encryption, back up to a centralised point in the corporate IT environment and have a remote wipe facility; continuous vulnerability scanning on endpoints and that endpoints are regularly patched and updated.”
Any final thoughts?
“Australia has changed considerably in 2020. The bushfire crisis led many organisations to consider risk mitigation strategies relating to physical disasters. Now, COVID-19 has driven organisations to transform themselves practically overnight. With all major change, there is a period of uncertainty and adjustment, and with this comes risk. It is vitally important for organisations to begin with the implicit assumption that nothing is secure and manage cybersecurity risks on that basis. This will ensure that organisations deploy the necessary security controls in order to achieve a safer and more secure operating environment.”
Tony Vizza is the Director of Cyber Security Advocacy APAC for (ISC)². (ISC)² is an international nonprofit membership association focused on inspiring a safe and secure cyber world. (ISC)² is best known for the acclaimed CISSP®. You can find out more on their website.