Security measures taken to combat impacts of COVID-19 on businesses will have long-term implications

The COVID-19 pandemic has unleashed an array of cyberattacks that threaten the health of our virtual systems, including but not limited to those in healthcare, banking and government agencies. Cyber criminals are capitalizing on widespread weaknesses with attack vectors in the form of spam, phishing scams, ransomware and malicious URLs. As the number of infected persons soars, so does the number of cyberattacks. Despite the short-term effects of combating threat actors, in the long term the world will emerge more secure and better prepared, armed with lessons learned from strategies implemented and tested during the pandemic.

Malicious actors target victims through various tactics and ploys

Hot zones of cyber vulnerability have typically been localized or within a specific organization. While such attacks have disastrous ramifications in their own right, never before has the number of threat vectors been so far-reaching. As the COVID-19 pandemic forces the majority of the global workforce to stay home, employees have had to create makeshift ways of working while longer-term solutions are devised. The surge in the number of individuals working remotely and the strain that places on existing infrastructures are an underlying cause of a large majority of these attacks.

Many corporations and individuals are turning to user-friendly and feature-forward solutions. In particular, Zoom has seen a surge in daily users, from 10 million in December to 200 million in March, as what was once meant for use by businesses is now also being used for daily work life and personal communication. Unfortunately, the company did not have adequate security infrastructure to support this surge, resulting in self-proclaimed “Zoombombers” infiltrating private corporate meetings, Alcoholics Anonymous meetings, online learning environments and more. The company was quick to issue a statement and a plan to address these issues, with Zoom CEO Eric Yuan stating in a blog post, “We did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home.” Yuan added that over the next 90 days the company will “[enact] a feature freeze … shifting all of our engineering resources to focus on our bigger trust, safety and privacy issues” and release a transparency report, similar to reports shared by tech giants such as Facebook, Google and Twitter.

In addition to hacking into and taking command of private meetings, threat actors are masquerading as legitimate organizations with the intention of collecting highly personal information, using lures such as a COVID-19 safety portal allegedly from the World Health Organization and a fake disease prevention waitlist portal. A Venmo-like interface was also recently discovered posing as an emergency fund to generate relief dollars for those in need, and the Better Business Bureau has received numerous reports of individuals posing as employees of the U.S. Department of Health and Human Services and other government departments, instructing text message recipients to click on a link for a so-called mandatory online COVID-19 test.

COVID-19 preparedness: Looking back to achieve perfect vision for tomorrow

Finger-pointing from the vantage of hindsight

Last year, nearly 18 years after the 9/11 terrorist attacks, three former Department of Homeland Security secretaries urged the U.S. government to place cybersecurity at the top of the national threat list. The call to action was issued prior to any knowledge of a looming pandemic, and adherence to such a call may have prevented some of the COVID-19-related impacts we are currently seeing due to insufficient resources dedicated to cyber preparedness.

The exploitation of widespread weaknesses by threat actors is not a novel concept, and while there are many critics who argue that more could have and should have been done, quick to quip that hindsight is 20/20 in 2020, it is unlikely that a disaster of this scale could have ever been predicted.

Puerto Rico: A country at risk over the years

Natural and man-made disasters alike have left vast portions of the population open and vulnerable to cyber threats, siphoning much-needed funding, halting progress toward rebuilding and preying on society during times of crisis.

Puerto Rico is a glaring example, seemingly unable to catch a break when it comes to the vulnerabilities faced due to natural disasters. The country struggles with an unrelenting recession, and this baseline of economic disrepair coupled with an ongoing series of natural disasters has made it a target of cyber criminals. Most recently, in February the government of the U.S. island territory reported it lost more than $2.6 million after falling prey to a Business Email Compromise scam. It is unclear whether the funds that were slated for reconstruction efforts will ever be recovered.

Lessons learned from Hurricane Sandy

Hurricane Sandy, the deadliest storm in recent history to pummel the coast of the Atlantic, killed 233 people in eight countries, affected 24 U.S. states and was responsible for $64 billion in damage. One security operations team analyzed traffic for the three months directly after Hurricane Sandy, and the data showed a significant drop in network traffic access across clients located in New York City for the two weeks during and after the storm. As network activity declined significantly, the number of attacks surged. Massive power outages left the financial hub of downtown Manhattan vacant, and without the vigilance of IT security supervisors, one of the world’s largest troves of financial information was hit by attacks that crippled some operations for months.

The business continuity plans (BCPs) and disaster recovery plans (DRPs) to house data in New Jersey were fatally flawed, as weather patterns are state-agnostic, and much of the backup data housed in New Jersey was also compromised. Hurricane Sandy quickly became a litmus test, and despite the devastation, BCPs and DRPs became a top priority in major organizations’ funding strategies. As the American Bar Association Cybersecurity Handbook reads, “If a client’s disaster recovery plans cannot pass the ‘Hurricane Sandy test,’ such plans might also fail if cyber incidents caused prolonged disruptions.” While companies’ contingency plans developed post-Sandy were well thought out and undoubtedly have helped to deter many potential attacks, these plans were not designed with the ramifications of a pandemic in mind.

One can hope that lessons learned and tactics put in place today will make the COVID-19 pandemic of 2020 the last time we are left to wonder “What if?” with such regret. Post-coronavirus, each demographic variant, including geography, industry and economic subsector, will have its own chapter in the “pandemic handbook,” as permutations of situation and effect are infinite.