In March 2020, the world changed almost overnight.
We woke to a complete reliance on SaaS products for communication while offices closed during lockdown. Since then, we’ve begun to understand that the ‘corporate network’ is as much about people and users as it is about VPNs.
Conditions were ripe for cyber attacks
In business as in life, continuity and disaster recovery are largely a compliance exercise until catastrophe strikes. Certain cyber threats that have existed for years and had been deemed to be commonplace by most security experts became more prominent when we started to depend entirely on technology to do business.
When the world began working exclusively from home, the information security community correctly predicted that there would be 2 dominant cyber trends:
1. A surge in social engineering attacks such as phishing.
2. A surge in malware-style issues such as ransomware, which involves a piece of software encrypting the contents of important servers, and rendering them useless until a ransom is paid.
Neither of these types of threat is unusual, but the circumstances of the target had changed. The threats crept in. And they did not discriminate.
Circumstantial threats lead to high profile attacks
In April 2020, the technology magazine Ars Technica reported that NASA was seeing an increase in spear phishing — the practice of tricking employees into downloading malware. Later the same month, the threat intelligence team at Microsoft reported that healthcare institutions were facing an increase in human-operated ransomware. The team said attackers had laid the foundations in the months leading up to the pandemic, and then waited for the right moment to strike.
Headlines were also dominated by security vulnerabilities in video conferencing software such as the now ubiquitous Zoom. Zoom’s security faced allegations such as state-actor intervention, as well as the old-fashioned reconnaissance technique of stealing session hyperlinks leading to uninvited attendees in a conference call known as ‘Zoom bombing’. The tool’s ease of use outweighed its security implications, and rather ironically, the bad publicity only served to increase the number of companies using it.
And finally, perhaps the most infamous breach of the pandemic so far was the Twitter hack: rogue employees coordinated with mercenary attackers using influential Twitter profiles as a means of generating bitcoin. No amount of traditional security controls could have prevented this style of attack, and the fallout may have been much worse if the perpetrators had been more discerning.
Pre-pandemic risk profiles need strengthening
During lockdown, we’ve realised that most traditional defences against cyber threats are ineffectual. Or to rephrase, many organisations’ risk profiles were likely not revisited, analysed and adapted to the new situation. Controls such as patching, secure development lifecycles, awareness raising training exercises, monitoring and other short-term solutions that technologists associate with good security were only useful as second-degree measures.
A strange shift in accountability
In March 2020, the consultancy McKinsey & Company published an article titled ‘Cybersecurity tactics for the coronavirus pandemic’, which is largely full of sensible and proactive advice. However, the piece stressed that employees working from home must exercise ‘good judgment’ when it comes to information security. This guidance overlooks that even NASA scientists—and those who it is very difficult to imagine exercising ‘poor judgment’—were vulnerable.
There has been a strange and misinformed trend of security professionals shifting the onus for corporate security on to employees. It is not enough just to exercise plain good judgment because we are all fallible to opportunistic attacks—especially when our attackers invest significantly in discovering our weaknesses.
How technology leaders should respond
The increase in opportunistic state actors during the pandemic has forced technology leaders to realise they must place as much importance on privacy and security for employees as they do for the end user or customer.
It’s clear now that depending on a corporate VPN is simply not enough—even the most basic actions such as signing into their email can jeopardise an employee’s privacy because if there’s a threat when they sign in, they’ll no longer be anonymous.
Most corporate VPNs also route through company data centres, which means geolocated traffic can be identified. As well as these issues, a VPN does not guarantee that the end user’s device won’t be compromised. From now on we need to consider the most likely ways to breach user privacy. If this is email, we must implement measures that mean employees open unverified links in a sandbox environment, and put email policies in place to verify senders.
It’s important to monitor cases where an attacker seeks to gain more access to an account that has already been compromised (often called ‘privilege escalation’) even when the threat affects a single individual. Multi-factor authentication is a necessity for things like social media accounts and restricted permissions should be in use when a team uses third-party software. Mobile device management is also important so that IT departments can monitor, manage, and secure employees’ devices.
In the immediate term, map entry points and secure them. But longer term, a strong security perimeter alone isn’t enough, because as we discovered mid-pandemic, what we think is sufficient one day can change suddenly.
For everyone whose role it is to look after security, it is essential that we embed privacy in all services as a matter of priority. No negotiation—this is what the longer term strategy comes down to.
In the world of information security, we used to say that humans are the weakest link in the chain. But a mid-pandemic world proved that humans are only the weakest link if the technology they use sets them up to fail. There has never been a better time to ensure that it succeeds.