The Covid-19 pandemic has accelerated the need for cyber security but also changed the very nature of the beast.
With nearly a quarter of the world’s working population working from home, as well as conducting the majority of their social and commercial needs online, the impact of potential security breaches has grown as much as public demand for hand sanitizer. According to the World Economic Forum, the average cost of a security breach to a financial institution is $5.3 million. To a media company that average is $4.3 million. There were an average of 145 such security breaches per FTSE 250 company in 2018 alone.
However, one thing that hasn’t changed, lockdown or no lockdown, is that the biggest vulnerability for any organisation isn’t the technology but the people. And while some of the most common causes of security breach remain – such as losing a mobile device or inappropriate conversations in public spaces – other factors have come into play.
As people are forced to work from home, organisations are exposed to the risks associated with unsecured Wi-Fi, shared living arrangements, the use of personal devices for corporate activities, and the absence of the usual physical barriers to a security breach – CCTV, identity passes, door staff etc.
But even as lockdown eases, it seems unlikely that we will return to pre-Covid-19 work patterns. The combined effect of cost savings on office premises, plus the improved work/life balance of cancelling out the commute, means that a mass return to city-centre office locations is unlikely. Coupled with the accelerating trend of commercial, private and governmental activity moving into the cloud, this means we need to adjust our cyber security to reflect the new normal.
So what are the risks and how can we mitigate against them?
One of the reasons human beings represent one of the greatest weaknesses to the cyber security of our systems is their vulnerability to psychological manipulation or social engineering, thus enabling a cyber threat actor to easily gain access to secure systems. While powerful malware and advanced hacking skills significantly bolster any cyber actor’s capabilities, it is ultimately emotional humans that offer an unpatchable weakness.
The FBI reported that in 2017 alone, private individuals in the United States lost more than $30 million as a result of phishing schemes, with more than twenty-five thousand victims – and that’s just the ones they know about.
Governments are equally vulnerable to malignant human attack, as the 2016 US Presidential campaign illustrated. It’s clear we all really need to improve our ability to mitigate the risks associated with people.
Home is where the heart is
Home-working policies need to be clear and include easy-to-follow steps that enable employees to make their home-working environment secure. Front and centre of this should be how to reach internal security teams to report an issue, and a no blame culture that rewards flagging mistakes (opening that phishing email, losing your laptop) rather than punishes them.
Cyber training should be made relevant to employees’ non-work lives as well, to enhance its effectiveness. Awareness and education campaigns to alert people to the most pertinent threats of the day (e.g. phishing, ransomware, fake domains) should become prevalent, and organisations should think about how this information is shared.
Knowledge is everything
We need to focus on working with security teams to identify and mitigate likely attacks and to prioritise the protection of our most sensitive information and business-critical applications. Many organisations will have loosened controls in a well-intentioned way to keep their businesses running and services delivering; but do Boards now understand the level of risk their business is exposed to, and what they are prepared to accept in the ‘new normal’?
Invest in the right kit
In times of tightened finances it’s still imperative that we invest in providing effective security capabilities, to ensure that we extend the same network security to ‘own’ devices and to all remote environments.
Capabilities like endpoint protection on all laptops and mobile devices, including VPN tools with encryption and an ability to enforce multi-factor authentication (MFA) are no longer ‘nice to haves’. They’re mission critical. So are automated threat intelligence systems and the capability to thwart common phishing attacks.
Organisations and employers also need to redirect some of the savings from reducing their physical office space into making people’s homes good, safe, secure workplaces – investing in the technology, the training, and possibly even supporting staff with arranging their own private physical space. One of the challenges at the moment will be the temptation for organisations to reduce security budgets as part of wider cost-cutting measures; this needs to be properly considered by assessing risks as described above.
Leaving on good terms!
Sadly many people are going to be made redundant as a result of the pandemic. People leaving in such circumstances create a security risk and HR/IT teams need to make sure that access to systems is removed at the earliest possible moment. There was a recent court case in the UK where a disgruntled employee - whose access to IT systems had not been revoked properly - took it upon herself to delete various applications and databases as a way of getting back at her former employer.
Hardware not just software
In addition to training and appropriate technology support, sometimes the best solution is to make a physical change – such as the US government’s decision to disable all USB ports on government computers after a breach with a planted USB stick, or the application of Data Loss Prevention (DLP) scanners to ensure confidential information isn’t sent to attackers.
In the end, crisis points are always opportunities. Opportunities for the ‘bad people’ to try and take advantage of the chaos and lack of attention that comes from so much change and disruption around us. Cyber attacks are simply sophisticated looters – taking advantage of the high levels of distraction and disarray caused by an air-raid.
Mark Roberts
Capita Consulting, Partner – Defence and Cyber
Mark is a Partner in Capita’s Consulting business. He joined in January 2020 with specific responsibility for developing business for Capita Consulting in the Defence and Cyber Security markets.