A Crisis in a Crisis: Cyber attacks in COVID-19
Dealing with multiple crises
Few businesses are prepared for multiple, concurrent crises.
Most can survive a single disruption, but dealing with a second while already in a weakened state increases the impact exponentially.
When the COVID-19 crisis began and the lockdown was implemented, the first action businesses should have taken (after getting staff working remotely) was to reassess their risks. Every organisation’s risk profile changed significantly and it’s not all bad.
If we think of a business’ key assets: People, Premises, Resources, Suppliers (PPRS) – a remote workforce is actually a net-positive. It disperses a lot of risk. It is more likely that a single, city-centre office will be disrupted than 500 homes. Individual homes don’t have the reliable comms and power that an office does, but cumulatively, they are much less likely to all be disrupted at the same time.
Users aren’t the whole story though, if IT systems are still hosted from your HQ, that risk is the same. In fact, the situation is worse because the lack of staff onsite will hinder your ability to come back online following an outage.
Beyond IT, think about incidents that could affect all your staff at the same time. Although staff aren’t all in exactly the same place, most will usually be clustered close to the office. We are fortunate in the UK that we don’t deal natural hazards affecting large areas as much as other parts of the world, but they do happen. Storms Ciara and Dennis caused significant disruption, just before the lockdown. Compare how you would fare had those incidents happened during lockdown.
The response to a cyclone in India and Bangladesh this month has shown how difficult Emergency Management is balancing evacuation from immediate danger, with the increased the chance of infection.
Whether your second crisis is flooding or a cyber attack, your response plans need to be adapted to work for a remote team and with the lockdown restrictions. Think about what physical actions need to be taken like resetting fuses and powering on hardware. Think about how you will communicate with the crisis management team and the wider business.
Changing cyber risk
IT has proven to be the critical business service in lockdown. It is what has allowed businesses to continue working. There are physical risks to IT like power and internet outages or hardware failure but also the growing cyber threat.
From a cyber perspective, a dispersed workforce increases the attack-surface.
That’s not to say your cyber risk just grew by a multiple of 500 (or however many staff you have). Cyber teams have been dealing with the challenge of securing mobile devices and cloud computing for the last 10 years, at least.
A remote team is however a much better target for social engineering and phishing. Unlike in the office, there’s no-one to turn to, to quickly ask “does this email look legitimate?” or “why is our CFO pushing me to change this payment?”
The change in process and upheaval provides opportunity to cyber criminals.
- New phone systems and a breakdown in transferring processes mean it is possible to reach targets more easily.
- New collaboration software increases the chance of being fooled by phishing emails demanding ‘security updates and patching’ due to a lack of familiarity.
- Reduced teams through furlough and redundancy mean new responsibilities are taken on by remaining staff.
- There is a desire to ‘get things done’ to stay productive and serve customers.
This all combines to mean staff may not follow normal procedures, increasing the chance of breach.
Is now a good time to attack?
Even if we are now more susceptible to attack and successful breach. Is it a good time to target businesses?
That depends on the type of attack. If you are looking to hijack supercomputers to mine cryptocurrency, now is a good time to do it. If you are seeking ransom payments, perhaps not.
Coronavirus has decimated tourism, hospitality and bricks & mortar retail. Many businesses are struggling to continue as a going concern. Does this level of stress make them likely to pay a ransom demand?
Ransomware attacks have been successful against manufacturing companies because they paralyse production threatening massive losses and make paying the ransom the easier option. Norsk Hydro chose not to pay a ransom and instead to recover its systems. That was the more difficult option - estimated to cost the business up to $75m.
In some cases, the increased stress of dealing with the COVID-19 crisis will make the easier option of paying the ransom even more attractive. For others, they might not have the funds to make the payment.
What about the organisations critical to the COVID-19 response like hospitals and the wider healthcare sector? Some of the leading cyber gangs publicly announced they would not target healthcare organisations during the COVID-19 crisis. But not all cyber criminals are acting so honourably. The WHO has seen an increase in attacks and INTERPOL reported a significant increase in attacks against hospitals. Sadly, the criticality of the healthcare sector makes it an excellent target for those prepared to put lives at risk.
What can we do?
Firstly, if you’ve not reassessed your risk yet, do that now. Next, start taking actions. Those jobs that were rushed to get staff working? Do them properly now and secure everyone. The jobs that had been put-off in favour of other, higher priority needs? Do it now. In particular, think about Citrix, VPN vulnerabilities or unsecured RDP endpoints.
In the first month of lockdown, it would be hard to do it all but we’ve reached a degree of stability now and these risks need to be prioritised.
This is far longer than the duration of incident most organisations are prepared for, and the lockdown won’t end tomorrow. The longer security vulnerabilities exist, the higher the likelihood they’ll be exploited.
Make sure users ‘Stay Alert’ (yes, we know) to the phishing threat and stay vigilant. If you’ve had to change processes – for instance how you deal with physical documents like contracts and invoices, make sure everyone is clear about what they should and shouldn’t do.
Lastly, the methods to protect yourself against ransomware haven’t changed
- Use anti-spam and anti-virus to stop the bulk of phishing emails reaching your users
- Educate your users on how to identify the phishing emails that do get through
- Have a reliable backup in place to restore systems quickly in the event of an infection