By Conrad Prince CB, Senior Cyber Advisor to Pool Re
The full implications of the COVID-19 pandemic for cyber security will not be known for some time. What is clear though is that cyber criminals have taken full advantage of the crisis and nation states have used cyber espionage to give them an edge in the race to find a vaccine.
Meanwhile, there have been some profound changes in our ways of working that increase the cyber risk, from both a technical and a human point of view. Various sources have reported an upsurge in cyber attacks during the pandemic. Cyber insurance specialist Beazley reported a 25% increase in ransomware attacks worldwide in the first quarter of 2020 compared to the last three months of 2019. Cyber company VMWARE CARBON BLACK reported that cyber attacks on financial institutions increased by a factor of nine from February to April. And there is no question that the crisis has seen cyber criminals pivot to COVID as a theme for phishing attacks, although there are signs now of a shift to new themes, such as Black Lives Matter. Cyber criminals are nothing if not agile.
With that in mind, it is worth looking at three key areas for businesses to focus on: the technology of remote working, the people risk, and the challenges of supply chains.
The technology of remote working
The pandemic has seen some fundamental shifts in ways of working that have major implications for cyber security. Our dependency on digital has become more profound than ever. The widespread shift to remote working opened up a number of new opportunities for cyber attackers. According to cyber security firm Kaspersky, the number of brute force attacks on Remote Desktop Protocol (the key technical standard for using a desktop remotely) was up by a factor of 6-7 in March-April this year. It seems likely that, in establishing remote working at scale and pace, more than a few security corners will have been cut. While this may well have been done for sound practical reasons, balancing business need with risk, it will be essential for businesses to understand the implications of the decisions they have made and develop a sound understanding of the additional risk they are carrying.
Measures such as VPNs, two-factor authentication and strong passwords are important for the security of remote working. And it will be worth many businesses considering adopting longer-term strategic solutions to secure working at scale, with automated security management built in. Cloud services offer many advantages in this respect. But it is critical to remember that in adopting a cloud solution businesses are still ultimately responsible for their data, how they are accessed, and by whom.
The people risk
The risks from remote working are not simply about technology. The insider threat – the risk that an individual within an organisation acts in a hostile way against it – is a significant issue in a cyber context. A rogue member of staff, especially one with access to key systems, can bypass many of the security controls that protect against external cyber threats. The risk of that will have increased as pressures on staff mount during the pandemic, making them more vulnerable. They are isolated from their workplace and colleagues, and it is simply less easy to keep track of what they are doing. Moreover, many monitoring systems designed to look for unusual behaviours potentially indicating an insider threat (such as accessing the office at odd times) are not designed for the new normal. So businesses need to be particularly alert at this time. An integrated response is key. Good line management alert for possible danger signs is more important than ever, as is the effective bringing together of data from technical monitoring with HR and security information. All too often the signs of an insider risk may be there but the dots have not been joined up.
The challenges of supply chains
Even before the pandemic there was a big focus on the supply chain as a source of cyber risk. There have been growing examples of companies being damaged as a result not of a direct cyber attack but because of an attack on one of their third-party suppliers. In just one recent example, the ransomware compromise of cloud computing provider Blackbaud, the industry-leading provider of software for the non-profit sector, has impacted on dozens of universities, charities and others who used the company to manage their data.
That risk is greater than ever, yet the evidence is that, despite all the talk, many businesses are still not taking it seriously. The UK government’s annual Cyber Security Breaches Survey revealed this year that just 34% of financial services and insurance companies surveyed had reviewed the cyber risk associated with their immediate suppliers, and only 18% had reviewed the risk in their wider supply chain. This is concerning. It’s essential to review the cyber security standards applied in the supply chain and to build specific cyber requirements into the contractual agreements with third parties. Otherwise, businesses really are leaving open a soft underbelly for attack.
It seems likely that many of the fundamental changes in business practice prompted by the pandemic will be with us for some time to come, and may even become part of a permanent set of new ways of working. In many respects this is simply an acceleration of an existing digital-driven agenda. And the fundamentals of cyber security remain the same. From that perspective, perhaps the most useful thing a business can do right now is take a fundamental look at its cyber risk profile and its strategy for mitigating that. Only 35% of businesses polled in the government’s survey have conducted a cyber risk assessment. Now feels like a good time to take a strategic look at the cyber risks in the new normal.