While a vaccine for COVID-19 has been rolled out over the past several weeks, distribution has gone very slowly. After being stuck at home for almost a year, people have lockdown fatigue and need faster solutions and a sense of hope.
Hackers will view this fatigue as yet another major opportunity to strike. As vaccines are made available, the security industry expects a large number of phishing scams to surface that lure people into buying “early releases” of vaccines from Pfizer and Moderna. I fully expect the emails to include very realistic logos for those firms, a special discount if the victim buys immediately, and a link to register and pay online that requires not only credit card info, but also some very sensitive protected health information.
Similarly, as President Biden tries to roll out COVID-19 relief, we expect to see scams around any new programs the new administration enacts. Expect threat actors to spread ransomware and other threats that will encrypt or destroy data on machines.
On top of that, the threat landscape has kept expanding with new strains of ransomware discovered late last year and the devastating SolarWinds supply chain hack. Throughout the COVID-19 period, security professionals have noticed a huge increase in cyberattacks on companies, governments, and individuals on four key fronts: operations, technology, data, and legal aspects of security. Here’s some advice on how best to manage these trends:
- Operations: Many companies had no choice but to ask their staff to work from home. Some already had some staff travelling or working from home and could just extend the policies, procedures, and training for secure telecommuting to a wider population. Others were completely unprepared and simply asked their staff to use home devices to access company systems and data, because they did not have any plan. Either way, on a global basis, the overall attack surface available to hackers and criminals increased exponentially, nearly overnight.
- Technology: As companies started to realize the risk was real and started addressing it with technical solutions, policies, and training for secure WFH, the bad guys were already at work spreading malware, phishing and attacks on extended networks, data storage, and remote access to systems.
- Data: Organizations are urged to investigate data usage – specifically, which applications and what data should be made available and to whom? Is there a data classification and associated systems access policy, ideally including multi-factor requirements? Is the organization offering clear guidance on how to manage the crossover between private and personal life on private and corporate devices?
- Legal: Legal and compliance challenges have not stopped because of the pandemic. In fact, data privacy regulations like GDPR and other international mandates and standards are gaining traction. The pandemic is no reason not to protect data, especially when the attack surface and threat levels keep increasing.
The best defense
We have seen a huge increase in demand for security awareness training around phishing and ransomware this year — not just from enterprise companies, but also from mid-size firms as they struggle to address the growing problem. The stresses of working from home and the general impact of living in lockdown are not helping staff focus on data security or privacy. From one day to the next, we are now working at home, often with no designated work area versus relaxation or living area, and often surrounded by other family members. In fact, since children may or may not be allowed to attend school, they too need to study remotely and often end up using company devices or systems they would otherwise not have used. This all contributes to additional opportunities for mistakes. Data and device security are not top of mind for most people during the pandemic.
As such, security teams need to ensure that all staff members, from the board to senior executives to all employees, are trained. Security is a journey. Companies need to keep at it because the attackers never stop, especially in a pandemic. To get buy-in from boards and senior managers, security professionals need to speak their business language. All board members and senior executives can understand the importance of what we call the five pillars of security, which are physical security, people security, data security, infrastructure security and crisis management. Finally, implement good cyber hygiene. Remember, it’s a continuous journey, not a destination.
Mathieu Gorge, chief executive officer, VigiTrust