
Cyber Security During the COVID-19 Pandemic: Three Priorities

Tom Prince 31 March 2020

CYBER INCIDENT RESPONSE: PERSPECTIVES FROM INSIDE THE RISK ECOSYSTEM

In our latest report, we examine a cyber incident from the perspective of several key stakeholders.

Download the report

Focusing on the Essentials

With the ongoing spread of COVID-19, when both time and available resources are often limited, leaders should focus on essentials. Organisations are now implementing, in many cases on very short notice, business practices involving more remote workers than ever before. IT and management teams across the globe have been hard at work on the organisation and infrastructure needed to facilitate this. However, in the rush to keep businesses working, there is a significant risk that cyber security will not be properly integrated into operational planning and deployment.

“In the rush to keep businesses working, there is a significant risk that cyber security will not be properly integrated into operational planning and deployment”

In this article, we identify the three areas where COVID-19 and the new remote working environment could have significant effects on your cyber security. By answering the key questions we have laid out below, you can focus your efforts where they will have the greatest impact.


1. Evolving cyber security threats

As with previous major world events, cyber attackers have seized upon the opportunity COVID-19 provides them to carry out their activities more effectively. S-RM and other industry participants have noticed a significant and growing trend of social engineering attacks with COVID-19 themes. Social engineering attacks rely on persuading the target to follow a link, open a file, or allow an application to run. During the current crisis, people are naturally seeking information regarding the spread of the disease and the most effective preventative measures. As a result, when presented with what appears to be a useful source of information, or a way to help, many people abandon the natural caution which is a key part of effective cyber security.

“We have noticed a significant and growing trend of social engineering attacks with COVID-19 themes”

Cyber attackers are taking advantage of this in numerous ways. Examples to date include a malicious app that locks Android phones when activated, SMS messages containing malicious links, an illegitimate copy of the Johns Hopkins University COVID-19 mapping website that downloads malware to visitors’ devices, ransomware targeting key healthcare-related firms, and countless virus-themed phishing emails.

Whilst technology can help, the only truly effective response to these attacks is informing and educating employees, reminding them to be just as cautious, if not more so, around COVID-19 related material as around anything else in the digital world.

Has your organisation considered the following?
  • Is your security team monitoring the evolving threats around COVID-19 related social engineering attacks?

The information we have provided here is likely to change, at least in detail, as new threats emerge and trends form, and it is important that organisations are aware of any issues that might require additional protection or response steps. The extent of monitoring you can implement will depend on your organisation’s size and cyber maturity. At its simplest, this could include some basic, regular open source checks for news articles or official announcements. For those with greater capacity, it may be possible to implement significant, well-supported threat monitoring across the clear and dark web filtered to identify evolving risks and threats to your business.

  • Have your employees been made aware of the risk from COVID-19 related communications and links?

As discussed above, the key threat from COVID-19 is the social engineering leverage it provides attackers, as employees are much more likely to click on a link or document about COVID-19. Providing clear education and guidance to employees is the main means of mitigating this evolving threat. Doing so will encourage employees to resume or adopt the appropriate levels of caution required to help prevent an incident.

  • Do you have any systems in place to monitor or block employees accessing malicious links or files?

Many companies will have technical measures in place to help prevent phishing and other social engineering attacks, for example by quarantining suspicious emails or blocking access attempts to potentially malicious websites.

However, you should consider whether these measures could become less effective in the current environment, either because they are not applied to employees working remotely, or because they are easily circumvented by employees using their personal devices and infrastructure. You may be able to take appropriate steps to address this issue, either through technical fixes, through restrictions on how employees should access business communications and data, or through greater reliance on employee education as described above.

2. Cyber security for remote workers

Changing to a remote pattern of work will also have significant effects on the cyber security of an organisation. The ‘attack surface’ of your network, the area where it might be targeted by a cyber attacker, will likely have grown substantially as a result of remote working practices. Your employees will be working in multiple new locations, largely outside your control, and may also be using personal devices, which provide further targets that can be hard to defend. All of these employees will also need some form of digital connection to your central network so that they can continue their work.

“The ‘attack surface’ of your network, the area where it might be targeted by a cyber attacker, will likely have grown substantially as a result of remote working practices”

These additional elements will need to be appropriately secured, to protect the integrity of your network and data. Employees will also need to be educated around the correct use of their new digital environment, to ensure that they don’t compromise or bypass the security measures you are putting in place. Finally, cyber security teams will need to adjust to their new working environment. Additional constraints may have been placed on their ability to monitor and investigate potential threats, and plans or technology may require adjustment to compensate for this.

Ideally, cyber security considerations would be built into an organisation’s remote working arrangements from the start. However, the pace of change brought on by the COVID-19 pandemic means that in many cases this will not be possible: remote working will often already have begun before cyber security measures can be properly implemented.

Where you are forced to act reactively, concentrate on your key areas of outstanding vulnerability, plan effective solutions which can replace current working practices, and then implement changes which are tested, clearly communicated to employees beforehand, and monitored to ensure successful deployment.

Has your organisation considered the following?
  • Do your employees have secure connections they can use to access company applications and data?

There are multiple different methods for employees to access your network when working remotely. It is important that you ensure that the infrastructure you use is as secure as possible. This relates to both the employee’s current place of work (where they might be utilising public or insecure WiFi connections or personal devices), and across the connection to your system (which could be protected by a Virtual Private Network or other solution which encrypts the data transmitted across the public internet, or through the use of a secure cloud computing solution). It is important that you consider all the different ways your employees might need to connect to your network. Employees accessing emails on their mobiles, or dialling in remotely to operational factory equipment, for example, will need secure, reliable channels for these types of connection.

  • Are all your connections and services protected by strong authentication requirements?

Once secure channels are established, the next key step in securing your new, expanded environment is to make sure that these channels can only be accessed by your legitimate employees. All services should have strong password requirements in place, and multi-factor authentication should be applied where practicable. Other types of authentication, such as device-based authentication, may be appropriate.

Consider also whether the new work environment means that more specific adjustments are required. For example, if you normally rely on your trusted office location as a form of additional authentication, or restrict access to your network from certain countries, you may have to develop an altered security strategy that still allows your employees the access they need. If systems don’t allow employees to perform their roles legitimately, they will likely find even less secure ways to work outside of the system.

  • Are employees accessing your network from or storing your data on personal devices?

Different organisations have different approaches to the use of personal devices by employees, but many are now being forced to make practical adjustments in order to facilitate remote working. It is important to consider the security implications of these devices, which will be at least partially outside your network. Do you have tools in place to help ensure that they are at least partially secure? If you have rules about storing company data on personal devices, are you able to monitor and enforce these rules? And are you able to restrict the level of access employees using personal devices have to your network – both technically and in terms of the effect on employees’ work?

  • Have you clearly communicated to employees how to remain secure whilst working remotely?

One of the most important aspects of establishing an effective and secure plan for remote working is how it is communicated to employees. To a larger extent than normal, cyber security in a remote working environment is dependent upon the employees themselves. Unless they are given a clear explanation of the methods they should use to access services and data securely, and unless these methods allow them to continue to work efficiently, employees will either make mistakes or find their own unsanctioned work-arounds, both of which can significantly increase security risks.

Clear communication regarding cyber security, delivered as an integrated part of communication around remote working methods generally and supported by the authority of senior management, will help ensure that your employees are supporting rather than undermining your cyber security strategy.

  • Are your IT or security teams able to monitor access to your network and your data?

Remote working involves moving significant parts of your IT infrastructure away from its original central location. Whilst all security solutions may need to be adjusted accordingly, one area which is sometimes neglected is the effective monitoring of your digital environment. New working arrangements may completely prevent some forms of monitoring. For example, employee connections to the internet, which may previously have been monitored for suspicious activity, may no longer be visible to cyber security teams. Other monitoring may be degraded in other ways. For example, a highly centralised business may have previously investigated any access to their network from outside the office location, but would now be unable to discriminate between legitimate employees and suspicious outsiders. Business data, previously centrally held and strictly controlled, may now be more widely available or even stored locally by employees.

Consider whether monitoring solutions in place need to be adjusted accordingly to maintain security and, if relevant, regulatory compliance. Consider also whether the increased risks to employees no longer protected by a centralised, secure network may require additional monitoring, for example of device security, which you had not yet put in place.
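The two adjustments described above (no longer treating the office location as a form of authentication, and no longer being able to separate legitimate remote employees from outsiders simply by where a connection comes from) can be made concrete as a change to a detection rule. The following Python is an added example written for this article, not S-RM's tooling; the VPN log format, the office address range, the device enrolment table and the "usual country" records are all constructed for illustration, and the `country` field assumes a GeoIP lookup was added at collection time. It contrasts the old rule ("alert on any login from outside the office network", which now fires on almost everyone) with a rule that keys on MFA status, device enrolment and the user's usual country instead.

```python
"""Added example (not from the S-RM article): adapting a remote-access alert
rule for a workforce that has moved out of the office.

Old rule: any VPN login from outside the office network is suspicious.
New rule: a VPN login is suspicious if it lacks MFA, comes from a device not
          enrolled for that user, or arrives from a country the user has not
          been seen in before.
All data below is constructed for the example.
"""
import ipaddress
from typing import Callable, Dict, List, Set, Tuple

# Constructed sample VPN authentication log lines (hypothetical key=value format).
# Source addresses are taken from the RFC 5737 documentation ranges.
SAMPLE_LOGS: List[str] = [
    "2020-03-30T08:01:12Z user=alice src=198.51.100.5 country=GB device=LAPTOP-A1 mfa=ok",
    "2020-03-30T08:03:44Z user=bob src=10.20.0.15 country=GB device=LAPTOP-B7 mfa=ok",
    "2020-03-30T08:10:05Z user=carol src=203.0.113.9 country=GB device=UNKNOWN-PC mfa=ok",
    "2020-03-30T08:15:30Z user=alice src=192.0.2.44 country=RU device=LAPTOP-A1 mfa=none",
    "2020-03-30T09:00:00Z user=bob src=192.0.2.77 country=GB device=LAPTOP-B7 mfa=ok",
]

# Constructed office range; before remote working, almost all logins came from here.
OFFICE_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed enrolment data (in practice sourced from MDM / HR systems).
ENROLLED_DEVICES: Dict[str, Set[str]] = {
    "alice": {"LAPTOP-A1"},
    "bob": {"LAPTOP-B7"},
    "carol": {"LAPTOP-C3"},
}
USUAL_COUNTRIES: Dict[str, Set[str]] = {"alice": {"GB"}, "bob": {"GB"}, "carol": {"GB"}}


def parse_line(line: str) -> Dict[str, str]:
    """Split 'timestamp k=v k=v ...' into a dict; the timestamp goes under 'ts'."""
    ts, *fields = line.split()
    rec = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def is_office_ip(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OFFICE_NETWORKS)


def old_rule(rec: Dict[str, str]) -> List[str]:
    """Pre-pandemic rule: anything not from the office network is flagged."""
    return [] if is_office_ip(rec["src"]) else ["external_source"]


def new_rule(rec: Dict[str, str]) -> List[str]:
    """Location-independent rule: reason codes for each failed identity check."""
    user = rec["user"]
    reasons = []
    if rec.get("mfa") != "ok":
        reasons.append("no_mfa")
    if rec.get("device") not in ENROLLED_DEVICES.get(user, set()):
        reasons.append("unenrolled_device")
    if rec.get("country") not in USUAL_COUNTRIES.get(user, set()):
        reasons.append("unusual_country")
    return reasons


def evaluate(lines: List[str], rule: Callable[[Dict[str, str]], List[str]]
             ) -> Dict[Tuple[str, str], List[str]]:
    """Run a rule over the log lines; return {(timestamp, user): reasons} for alerts."""
    alerts: Dict[Tuple[str, str], List[str]] = {}
    for line in lines:
        rec = parse_line(line)
        reasons = rule(rec)
        if reasons:
            alerts[(rec["ts"], rec["user"])] = reasons
    return alerts


if __name__ == "__main__":
    for name, rule in (("old rule", old_rule), ("new rule", new_rule)):
        alerts = evaluate(SAMPLE_LOGS, rule)
        print(f"{name}: {len(alerts)} alert(s) from {len(SAMPLE_LOGS)} logins")
        for (ts, user), reasons in alerts.items():
            print(f"  {ts} {user}: {', '.join(reasons)}")
```

On the constructed sample the old rule flags four of the five logins, because nearly every employee is now "external"; the new rule flags only carol's login from an unenrolled device and alice's login without MFA from an unusual country. The point of the example is the shape of the change rather than the specific checks: once location is no longer a useful signal, the alert logic has to be rebuilt on signals the organisation can still observe for remote users.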

3. Adapting your cyber incident response planning

Organisations must also consider how new working patterns will affect them if an incident does occur. Most organisations will have some form of planning in place in case a cyber incident takes place. This could include an incident response plan to address the issue itself, a broader crisis management plan covering coordination and response at management level, and perhaps other elements such as business continuity or disaster recovery planning.

“All your cyber incident response procedures are likely to be affected to some extent by changed working patterns, and it is important to update them accordingly”

However, all of these procedures are likely to be affected to some extent by changed working patterns, and it is important to update them accordingly. Consider where your responders and their resources are now positioned – are they still able to carry out the actions required, and will they be able to connect to systems and each other, even if an attacker has damaged your network? The environment you want to protect will also have changed, and responders will now be required to investigate and protect a more dispersed network, secure sensitive data which may now be stored in new locations, and communicate with employees who are no longer sitting in the same building. By reviewing, updating, communicating and rehearsing new plans, you can ensure that you remain as ready as possible to manage an incident if one does occur.

Has your organisation considered the following?

This is both a technical and organisational question. The sections above have already addressed difficulties that may arise with regard to monitoring. Perhaps even more importantly, there is a risk with any incident response strategy that no one will make the decision to actually activate and implement the strategy when a potential incident is detected. Any response plan should be clear on the triggers which should cause the plan to be activated and followed. These triggers should be reviewed in the light of any significant organisational change, such as the shift to remote working, and adjusted if necessary.

  • Are your incident response and crisis management teams still able to carry out their roles?

Once an incident has been detected, responders will need to effectively investigate, contain, rectify and manage the situation, as appropriate. Some of the tools and types of access which they relied on for this activity, such as physical access to servers, may no longer be available to them. All response plans should be reviewed, and where appropriate adjusted to account for the new situation. Where possible, you may need to acquire additional resources to help keep risk at an acceptable level.

  • Will incident responders be able to communicate effectively if your network goes down?

With most workers scattered at remote locations, there is a significant risk that responders at all levels, from IT staff to senior management, may not be able to communicate in a crisis. Remote working is currently reliant to a large extent on technology, but a successful cyber attack could remove that capability at the moment it is most needed.

Wherever possible, alternative means of communication isolated from your corporate network and suitable for the required tasks should be organised in advance, ready for any potential incident. Where there is a residual risk that communication might break down, it is important to plan for this as far as possible and ensure that all parties know what steps to take in this eventuality.

  • Have your updated plans been communicated to responders and tested or rehearsed?

Whilst reviewing and adjusting plans and resources is important, these steps will be irrelevant if the employees involved in the response process, at all levels, are not made aware of the changes. The plans will only be effective if properly communicated. Wherever possible, plans should be tested through exercises or rehearsals, to identify where they are unrealistic or do not properly address potential issues. It is also important that the plans are available to responders in the moment of the crisis even if your organisation’s network goes down – this could be as simple as asking relevant employees to retain a paper copy of the plan in a secure location.

CONCLUSION

By structuring their plans around the questions posed above, organisations can prioritise and implement key cyber security measures at a time when it is unrealistic to try to completely redesign security plans, IT infrastructure and working patterns to cope with new realities.

Your response to the new situation should always begin with a clear evaluation of your position and current vulnerabilities, followed by planning (and testing if appropriate), then clear communication to all relevant or affected employees, and then finally implementation and monitoring.

We hope that this article will assist you in driving through this process in the changing environment created by the onset of COVID-19.

To discuss this article or other industry developments, please reach out to one of our consultants.

Tom Prince, Associate, Cyber Security
Oliver Price, Associate Director, Cyber Security
