
Are You Ready For Evolving Cyber Threats?

Cyber attacks, an issue that has plagued businesses for years, became a mortal threat in 2020. The shift of most U.S. businesses to remote work during the COVID-19 pandemic opened the floodgates to serious cyber incidents, which will likely continue in the years ahead.

According to Gartner, Inc., an IT research and consulting firm, 88% of organizations either encouraged or required their employees to work from home regardless of whether they exhibited virus symptoms. Gartner says 97% of companies also canceled job-related travel. The shift to virtual work made firms more vulnerable to cyber attacks for three reasons. 

First, the rapid move to remote locations was so unprecedented that many companies’ cybersecurity plans had trouble responding. Second, remote work led to more employees working via mobile devices, which greatly expanded attack vectors. And third, the pandemic led to an explosion of social-engineering attacks from perpetrators seeking to exploit workers’ pandemic anxieties.

As a result, 2020 saw a dramatic increase in data breaches, with almost two-thirds of firms experiencing a moderate to dramatic rise in cyber incidents during the second and third quarters of the year. It’s easy to see how companies fell prey to cybercrime during the pandemic. When CEOs sent employees to work from home, security officials were under pressure to give them access to corporate networks, applications and data. If they didn’t, productivity would likely have plummeted. This may have resulted in weaker security, making companies more vulnerable to cyber attacks. According to security consultant Arceo, security officers believe security practices for remote workers were more porous than those for office staff.

Bad actors were quick to capitalize. According to a 2020 INTERPOL report, criminals intensified their attacks on major corporations, governments and key infrastructure. In one four-month period, an INTERPOL partner logged 907,000 spam messages, 737 malware incidents and 48,000 malicious URLs, all relating to the pandemic. COVID-19-themed attacks spanned the gamut of possibilities, including:

  • Online scams and phishing. Criminals took advantage of the public’s COVID anxiety to unleash a torrent of viral-themed phishing emails. They often impersonated government and health authorities offering essential information in return for giving up personal data or downloading malicious content. 
  • Disruptive malware. Hackers were quick to target institutions and companies essential to public health with ransomware and distributed denial-of-service attacks. Entities that could not afford to be offline during the pandemic were more likely to pay costly hacker ransoms. 
  • Data harvesting malware. Criminals used data harvesting malware such as remote access Trojans, info stealers, spyware and banking Trojans to penetrate computer networks, steal data and money and create botnets.
  • Malicious domains. Playing to the public’s hunger for COVID-19 information and supplies, hackers greatly increased their use of malicious website registrations to inflict malware and phishing on corporate employees. An INTERPOL security partner reported a 569% increase in malicious registrations from February to March 2020. 
  • Misinformation. A waterfall of false pandemic information washed over the Internet, contributing to public anxiety and laying the groundwork for cyber attacks. One country in an INTERPOL survey reported 290 postings with fraudulent COVID-19 information and concealed malware. Some common themes were phony COVID cures and offers of free food, special government benefits or supermarket discounts.

Do small businesses need cyber insurance? Yes. Compounding the work-at-home issues mentioned earlier, 74% of small-to-medium-sized businesses (SMBs) had the same or worse response times to cyber attacks in 2020 compared with 2019. Plus, only 30% of SMBs said their IT security would fully mitigate risks, with the majority (77%) saying lack of security staff was their biggest problem.

Cyber Threats Ahead

Here are some major threats your cybersecurity plan must address in the coming year:

  • Virtual meeting social-engineering attacks. The shift to remote work spawned an explosion of web conferencing. However, security issues quickly arose as malicious actors began bombing Zoom, Webex and other platforms with inappropriate messages and images. In fact, according to John Farley, managing director of Gallagher’s Cyber Liability practice, hackers planned formal phishing campaigns targeting users of web conferencing applications. One study revealed that 1,700 domains related to a major conferencing application had been newly registered, with 4% appearing to be suspicious. What to do? Watch for emails to virtual meeting participants that use the same naming conventions the application providers use. Warn employees of this, as well as the importance of not clicking URLs in such messages or downloading attached documents. 
  • Cybercrime-as-a-Service (CAAS). With cybercrime expected to cost the world economy about $6 trillion, it’s no wonder an ecosystem of service providers has developed around what has become the world’s third largest economy. CAAS entrepreneurs develop attack codes and services that help less skilled cybercriminals ply their trade. Some install malware onto computers and then sell access to them. Others offer subscriptions to malware and ransomware toolkits in return for a cut of the attack proceeds. "Mule" services arm scammers with phony debit cards to make ATM cash withdrawals before banks shut them down. Some providers even sell so-called bulletproof hosting services. This means they’ll look the other way when hackers use their sites to launch malware attacks. The emergence of CAAS means it will become even harder for law enforcement to catch and prosecute cybercriminals, making well designed and tested cybersecurity plans more important than ever. 
  • Insider errors. Large criminal hacks get most of the publicity. But malicious insiders and poorly trained or stressed employees can also spark costly cyber breaches. Stressed employees will continue to be an issue until the U.S. achieves herd immunity. In fact, burned out workers are responsible for at least 40 percent of data breaches, according to a report from security firm Egress. The study found that 93% of businesses experienced a surge in outbound emails due to at-home work. This increased the “surface area” for an outbound e-mail data breach, the company said. “Many employees are experiencing heightened stress due to the pandemic and the uncertainty it’s created,” said Egress CEO Tony Pepper. “They’re also trying to get through their working day, while dealing with various distractions, from keeping the kids entertained or focused on schoolwork, to answering the door for deliveries.” This increases the odds that frustrated, tired employees will forget basic rules of cyber hygiene, subjecting their firms to greater risk exposures. 
  • Edge computing. The pandemic has accelerated the development of so-called edge computing, with many observers predicting it will hit an inflection point in 2021. Edge computing is a form of distributed processing that moves data computation and storage closer to users in order to improve response times. Due to refinement of this technology, data center marketplaces may become a new edge-hosting possibility. Private 5G networks, along with edge technology, will help to facilitate business infrastructure such as manufacturing robots and factory machines powered by the Internet of Things. Despite such gains, edge computing will increase cyberrisks by giving hackers additional entry points into a company’s IT system and greater ability to cause damage or steal customer data or intellectual property. 
  • Digital transformations. The shift to remote work has increased the pace of digital transformation for most companies and industries. This is a good thing. But there’s a downside to digitizing antiquated workflows. It can increase cyberrisks if information security isn’t taken into account. According to a Ponemon Institute report, 82% of companies reported having a data breach while engaging in digital transformation. As with edge computing, digital workflows can give hackers more attack points, reinforcing the need to integrate security features from the ground up. 
  • Social-engineering attacks. Efforts to deceive employees into violating standard security protocols will continue throughout 2021. According to Microsoft, social-engineering attacks peaked in March of last year, leveling off to between 20,000 and 30,000 per day today. This activity level will likely become the new normal for months, if not years, to come. 
  • Human-operated ransomware. Hackers that ransom a firm’s computers and then sell a “key” to unlock resources will become even more sophisticated in the years to come. They will also concentrate their efforts on larger and more rewarding targets, devoting months or years to learn about an organization and its defenses and to plot their attacks. Kaspersky Labs predicts that 30% of cyber attacks this year will use enterprise ransomware. Healthcare institutions will also remain at high risk because of the pandemic. In March 2020, a U.S. COVID-19 testing lab was attacked. A month later, a Colorado hospital was unable to access patient records after a ransomware assault. Because hackers know healthcare institutions will be desperate to access patient files during a public-health emergency, INTERPOL believes these entities will continue to face growing ransomware attacks this year.

Risk Prevention Measures

How should you respond to the current threat climate? According to a Gallagher U.S. Cyber Practice white paper, companies should focus on four key risk-mitigation strategies:

  • Address internal vulnerabilities
  • Reduce vendor risks
  • Assure data compliance
  • Deploy cybersecurity tools, testing and best practices

The Gallagher white paper discusses each of these in detail. But in this article we’ll focus on internal vulnerabilities, which the pandemic has brought to the forefront. According to Gallagher cybersecurity experts, companies tend to underplay internal cyber threats and overplay external attacks. In reality, employees represent one of the most serious cyber vulnerabilities to businesses today, especially with the advent of almost universal remote work.

How should companies reduce their internal cyberrisks? Gallagher recommends taking eight key steps:

  • Lock down home offices. Make sure your employees are scanning their home networks for botnet and command/control traffic, using unique SSID names and robust passwords to protect home Wi-Fi networks and securing or patching their routers. 
  • Properly configure and secure remote desktop protocols for employees using them from home. It goes without saying that security staff should install all software patches as soon as possible. 
  • Install antivirus software on all employee devices. This includes laptops, phones, tablets, USB drives and more. 
  • Deploy dual-factor authentication to prevent theft of valuable company and customer information. Authentication should combine two of the following: user names and passwords (something employees know), phone and security codes (something they have) or biometric data (something they are).
  • Deal with credential stuffing. Start by understanding your employees’ email risks on the deep/dark web, the threats of credential-stuffing attacks, the use of encrypted password safes and privileged access management. 
  • Advise employees to shrink their privacy footprints. They should cut back on how much they share on social networks and delete risky social-media applications. 
  • Consider employee family members as a part of the cybersecurity puzzle. View anyone connected to an employee’s home network as someone in need of cybersecurity training and security applications.

At the end of the day, addressing internal vulnerabilities will require company leaders to further raise their cybersecurity games. For example, they’ll need to work harder to determine whether their employees and/or executives are working on secure home networks. Why? Because a 2020 Gallagher survey found that 90 percent of business leaders couldn’t answer that question. Continuing to not know may have dire consequences.