A Crisis in a Crisis: Managing Cyber Attacks During COVID-19
10 June 2020
FEW BUSINESSES are prepared for multiple and concurrent crises. Most can survive a single disruption, but dealing with a second while already in a weakened state increases the impact exponentially. When the COVID-19 crisis began and the lockdown was implemented, the first action businesses should have taken (after actioning remote working) was to reassess their risks. Peter Groucutt explains why.
If we think in terms of a business’ key assets (ie people, premises, resources and suppliers), having a remote workforce is actually a net positive for continuity as it disperses much of the potential risk. It’s more likely that a single city centre office will be disrupted than 500 homes. Individual homes don’t have the reliable communications and power that an office does, but cumulatively they’re much less likely to all be disrupted at the same time.
End users are not the whole story, though. If IT systems are still hosted from your headquarters, that risk is the same. In fact, the situation is worse because the lack of staff on site will hinder the organisation’s ability to come back online following an outage.
IT has proven to be the critical business service in lockdown as it has allowed firms to continue working. However, IT faces physical risks such as power and Internet outages or hardware failure, as well as the growing cyber threat. From a cyber perspective, a dispersed workforce increases the available attack surface.
That’s not to say your cyber risk just grew by a multiple of 500 (or however many staff you have). Cyber teams have been dealing with the challenge of securing mobile devices and cloud computing for at least the last decade. However, a remote team is a much better target for social engineering and phishing. Unlike the office, there’s no-one to turn towards and quickly ask: “Does this e-mail look legitimate?” or: “Why is our CFO pushing me to change this payment?”
The combination of upheaval and changes in daily processes means that members of staff may not follow normal procedures, which increases the probability of a breach. This provides opportunities for cyber criminals in the following areas:
* New phone systems and a breakdown in transferring processes mean that it’s possible to reach targets more easily
* An increase in new collaboration software heightens the chance of people being fooled by phishing e-mails demanding ‘security updates and patching’ due to a lack of familiarity
* Reduced teams through furlough and redundancy mean new responsibilities are taken on by the remaining members of staff
* There’s a desire to ‘get things done’ in order to remain productive and serve customers.
Is now a good time to attack?
Even if we are now more susceptible to attacks and breaches, is it a good time to target businesses? That depends on the type of attack. If you are looking to hijack super-computers to mine cryptocurrency, now is a good time to do it. If you’re seeking ransom payments, perhaps not. Coronavirus has hit the tourism, hospitality and bricks and mortar retail sectors particularly hard, with many businesses struggling to maintain continuity.
Ransomware attacks have been successful against manufacturing companies because they paralyse production, in turn threatening massive losses. This makes paying the ransom the easier option. Norsk Hydro, for example, chose not to pay the ransom demanded of it and instead decided to recover its systems. This was the more difficult option, with the cost to the business estimated at up to $75 million.
In some cases, the increased stress of dealing with the current crisis will make the easier option of paying a ransom even more attractive. Others may not have the available funds to make such payments.
Some of the leading cyber gangs publicly announced they would not target healthcare organisations during the COVID-19 crisis, but not all cyber criminals are acting so honourably. The World Health Organisation has seen an increase in attacks, while Interpol has reported a significant increase in attacks perpetrated against hospitals. Sadly, the critical aspect of the healthcare sector makes it an excellent target for those prepared to put the lives of others at risk.
Reassess the risks
First, if you’ve not yet reassessed your risk as a business, do that now and then start taking necessary actions. If there were any jobs that were rushed to have staff working remotely, re-think them properly now and secure everyone. Are there any jobs that had been put off in favour of other, higher priority needs? Do them now. In particular, think about Citrix, VPN vulnerabilities or unsecured endpoints.
During the first month of lockdown, it would have been difficult to do everything correctly, but we’ve reached a degree of stability now and these risks need to be prioritised. The lockdown is not expected to end tomorrow. Already, it is far longer than the duration of any incident for which most organisations have typically prepared. The longer any security vulnerabilities exist, the higher the likelihood they’ll be exploited.
Ensure that all system users ‘stay alert and vigilant’ to the phishing threat. If you’ve had to change any processes such as how you deal with physical documents like contracts and invoices, make sure everyone is clear about what they should and shouldn’t do.
Finally, the methods for protecting yourself against ransomware haven’t changed:
* Use anti-spam and anti-virus to stop the bulk of phishing e-mails from reaching your users
* Educate all users on how to identify the phishing e-mails that do manage to pass through
* Have a reliable back-up in place to restore systems quickly in the event of an infection
Beyond IT, think about incidents that could affect all of your members of staff at the same time. Although staff are not all in exactly the same place, most will usually be clustered close to the office.
We are fortunate in the UK that we don’t have to deal with the types of natural disaster affecting large areas as much as other parts of the world, but they do happen. Look at Storms Ciara and Dennis. They caused significant disruption just before the lockdown, so compare how you would fare had those incidents happened during lockdown.
The response to the recent cyclone in India and Bangladesh has shown how difficult a process emergency management can be when balancing evacuation from immediate danger with the increased chance of infection from COVID-19. Think about what physical actions need to be taken, such as re-setting fuses and powering on hardware, and consider how you will communicate with the crisis management team and the wider business.
Whether the second crisis is flooding or a cyber attack, your response plans need to be adapted to work for a remote team (or teams) as well as taking into account the lockdown restrictions.
Peter Groucutt is Managing Director at Databarracks