Since the start of the COVID-19 pandemic, organizations around the globe hustled to provide the infrastructure to support the sudden and immediate need of working remotely. There were three main categories of organizations when it came to providing remote workforce the means to continuing business: large enterprises that were already well-positioned due to the connected nature of their business; organizations that had access to the required infrastructure but needed large-scale changes to make remote working possible; and those that had not planned for remote working and needed ad-hoc planning and preparation of infrastructure.
Many mid-market organizations fall under the third category; requiring IT teams to work around the clock to architect solutions, acquire tools, and mobilize teams to support the continuity of the business. Unfortunately, cybersecurity and protection of the newly architected networks, and remote-working solutions were overlooked due to time and budget limitations. As reported by Tanium Survey, 7 out of 10 organizations report facing new security challenges as a result of the pandemic, but only a third of them consider cybersecurity a top priority for 2021. Therefore, many of the planned security-related projects were concluded. This opened an opportunity for the malicious actors to capitalize on this gap and intensify their attacks.
What is going on in the wild?
Cyber-attacks have proliferated during the pandemic. Less secure remote working environments and insufficient awareness amongst the general users have contributed to this issue since the beginning of the pandemic. Statistics below highlight the magnitude of the risks organizations face:
- 99% of analyzed cybersecurity claims, for a total of $537M, originated from Small-to-Medium Enterprises (with less than $2 billion in revenue), according to NetDiligence Cyber Claims Study 2021 Report;
- According to a Sophos State of Ransomware Report 2021, 37% of respondents were hit by ransomware in the last year;
- According to the same report, the average ransom amount paid by mid-size organizations was $170,404; Accordingly, organizations have faced an upward trend in cyber-attacks specific to the nature of the pandemic.
Advancement in ransomware
Ransomware attacks have changed in the past couple of years, specifically during the pandemic, and that change in the attackers’ mindset and strategy is here to stay. Specifically, attackers are:
- Showing less interest in casting a wide net and blindly spreading their malware in the wild. They rather conduct reconnaissance against their target, sometimes maintain a presence in the environment to exfiltrate valuable information such as information about the executives and details of financial and bank statements, and lastly unleash sophisticated and targeted ransomware;
- Developing their own security probing tools as opposed to leveraging existing “hacking tools”;
- Increasingly exfiltrating large volumes of data, hoping to threaten the target organization to publish or sell their data;
- Actively deleting or encrypting backups to prevent the victim from using that to recover from the attack and not pay the ransom.
Furthermore, Ransomware as a Service (RaaS) is becoming a booming business for high-end criminals who provide the purchasers with malware, training, and customer service!
The risk of ransomware attacks is so high, and the impacts are so deep that the US administration is seeking an alliance with 30 other countries to combat the increasing risk of ransomware attacks and illegal use of cryptocurrency.
These attacks do not have any new technical aspects in their nature, but the phishing emails have now focused on exploiting the nature of the pandemic, and by leveraging human’s sense of urgency, they have been more successful. Examples include phishing emails that pretend to originate from:
- Public health officials such as World Health Organization (WHO), US Centers for Disease Control and Prevention (CDC), or other local government health officials around the world;
- Company representatives such as Human Resources (HR) department, employee insurance coordinators, or executives with messages around emergency announcements or request for donations; or
- Law enforcement with messages around curfews, lockdowns, protests, etc.
Attacks targeting new or adjusted processes that have been put in place due to the pandemic are another method that adversaries are targeting organizations around the globe.
Attackers realize that many corporate communications and processes are under rapid alteration to accommodate remote work and may lack communications. For example, an attacker may ask an administrator within the target company to approve an illegitimate invoice by claiming that the original approver is not available due to an illness (e.g., COVID-19).
Alternatively, attackers may focus on processes that have been forced into manual mode because platforms, people, or processes are now unavailable. For example, banks may be overloaded with phone calls and slow to respond to requests, so attackers pressure employees to bypass controls to directly move payments.
How to address the risks
In order to address the cyber risks associated with the pandemic, the same security principles and good practices should be followed. More emphasis should be placed on remote working capabilities, remote connectivity, endpoint and user device security, identity and access management, security logging and monitoring, and security of cloud services. Based on what we have seen during most of the recent attacks, below are outlined the key steps to take to prepare your organization and address the risks:
- Address the basics of security hygiene; patch your systems for the recent vulnerabilities, and prepare segregated backups;
- Define a strong password policy and implement it across all your platforms and systems;
- Implement an appropriate level of network segmentation to enable timely containment of incidents and breaches;
- Develop a mobile security policy that includes a “Bring Your Own Device” (BYOD) scenario to limit the exposure of organizational data through employees’ mobile devices;
- Provide continuous security awareness training to employees and executives according to the most recent trends (e.g., those mentioned earlier in this article);
- Implement a multi-factor authentication tool (MFA)
- Leverage advanced tools such as Endpoint Detection and Response (EDR) tools to enhance your detection and response capabilities;
- Maintain a robust security monitoring and detection program to identify threats well in advance;
- Conduct technical security testing as a means to identify vulnerabilities that can be exploited by attackers;
- Develop, improve, and rehearse a cybersecurity incident response plan; know who to contact and what steps to take during a cybersecurity incident;
- Develop and test your disaster recovery plan (DRP), and ensure the recovery objectives can be met;
- Ensure you have a communication plan, specifically with your stakeholders, customers, legal counsel, and third-party service providers;
- Develop a third-party risk management program and ensure that appropriate clauses are documented in your third-party contracts, demanding your service provides and vendors to keep you informed about possible incidents involving your data;
- If you have outsourced it or security services to a managed service provider, test their capabilities;
- Understand what you can afford and what is the threshold in case you decide to pay a ransom, and decide on the contingency funds;
- Decide on your cyber insurance policy, review it and ensure it covers what is important for you;
- Leverage cyber threat intelligence (CTI) to determine if credentials from your organization have been breached in any previous cybersecurity incident;
- Have access to skilled cyber response service providers who can assist contain the incidents and recovery on time;
- Know your compliance requirements in case you need to report breaches to regulators and other bodies.
In addition to the tactical steps above, organizations should develop a comprehensive cybersecurity program aligned with good security practices and common standards. Such a program will establish a framework for implementing controls around protecting the organization and its crown jewels and help prioritize the initiatives with a larger impact.
Large initiatives such as implementing a zero-trust security model, cloud-centric computing environment, and decentralized identity take longer but will prove to be hugely beneficial for large enterprises that can afford to invest in the future.
Post pandemic and privacy
With vaccines provided to many individuals around the globe, organizations in different jurisdictions are mandating proof of vaccination, vaccine passports, or negative test results for employees and customers.
This poses new privacy and security challenges as organizations need to safeguard these sensitive documents – that in many cases may contain Protected Health Information (PHI).
Organizations that never dealt with PHI or other personal sensitive information are suddenly in possession of such information.
If your organization is collecting these vaccine passports, test results, etc., you need to ensure you have a plan for storing and safeguarding such information according to the applicable laws and regulations.