Cybersecurity Attacks in 2020: How Bad Did It Get?

23-November | Written by Jean Loup P. G. Le Roux

There has been a spike in cybercrime in 2020, and at least some of it can be directly linked to the pandemic and the lockdown. I wanted to unpack this from the perspective of a cyber expert to see what type of threats have been most prevalent this year, as well as what CISOs and workers should be doing about it before they too become another statistic.

A Look Back at the Year 2020 in Cybersecurity

Earlier this year, the FBI announced that its Internet Crime Complaint Center (IC3) had seen a major spike in cybercrime reports since the start of the COVID-19 pandemic. Reports rose from 1000 per day to around 3000 - 4000 per day. The FBI cites the massive migration to telework as one of the main reasons for this increase, as it opens up plenty of vulnerabilities for attackers to exploit.

A new Cisco report revealed that 3 in 4 organizations in India experienced a 25%-plus increase in cyber threats during the shift to remote work due to the pandemic. Meanwhile, Microsoft reported that there had been a 35% increase in IoT attacks during the first half of 2020, compared to the second half of 2019, which might also have something to do with the fact that everyone’s at home, thus shifting attackers’ efforts to those areas.

Clearly, 2020 has been a stellar year for cybercriminals.

Threats on the Rise: Is Covid Alone to Blame?

It’s hard to not blame the current pandemic for a lot of the dreadful things that are happening in 2020, but has it really been the only cause of a spike in cybersecurity incidents this past year?

Covid has had a discernible influence on many types of cyber threats, including web application attacks, social engineering, and network security attacks. There’s no doubt about that. Scams increased by 400% during the month of March, and Google announced that they had blocked 18 million phishing emails related to the Coronavirus during the month of April.

Yet, the pandemic isn’t the only thing affecting cybercriminals’ targeting decisions this year. For instance, concerns were voiced during the US elections about an uptick in ransomware that could interfere with the vote. So, while the pandemic has certainly had an incredibly powerful impact (in a very negative way, of course) on the cybersecurity front, it is only one symptom of a much larger cyber threat disease.

Social Engineering Takes Advantage

There’s no denying that people, regardless of their demographics or educational background, have always been susceptible to social engineering. The pandemic didn’t suddenly bring that on. What it did manage to do, however, was to provide a globally-relevant event that attackers could capitalize on.

It’s not uncommon for cybercriminals to take advantage of major events like that. For instance, there was a well-known surge in World Cup-themed phishing scams during the 2018 FIFA World Cup. The same was the case with almost every FIFA, Olympics, and other World Cup event.

Unfortunately, with the amount of covid-related misinformation that almost instantly started making the rounds online, it wasn’t exactly hard for scammers to find a way to take advantage of people, especially via email - which accounted for the majority of phishing attempts.

A World Unprepared for Mass Remote Workers

Having employees work from home doesn’t undermine a company’s security systems - being unprepared for a sudden increase in WFH employees does. It isn’t just cybersecurity experts like myself who pick up on this either; workers have started voicing their concerns over how their companies are handling security during this pandemic.

The "Consumer Privacy" and the "Global Future of Secure Remote Work" reports have responses from a combined number of 5600 professionals across the world, and both reveal that the majority of respondents were concerned about the protections built into the tools they use and felt that the information they were sharing was not being protected properly while they were busy working and learning remotely.

Sadly, this isn’t too hard to believe because many businesses were heavily unprepared for the switch to remote work. I can even say with some certainty that a sizeable collection of them didn’t have proper cybersecurity protections in place before the pandemic either.

Why Awareness Continues to be Crucial

October was Cybersecurity Awareness Month, but truly, this has been more like a Cybersecurity Awareness Year - to me, at least. The theme of this year’s Cybersecurity Awareness Month was “Do Your Part. #BeCyberSmart” and it’s more applicable now than ever, seeing as every remote worker is a potentially vulnerable - and harder to control - endpoint.

Obviously, I’m of the belief that cybersecurity has always been vital to a company’s continued existence - at least in the digital age. But this fact has never been more evident than today, where companies have to make changes to their systems if they want to retain their employees, want to continue to function normally (at least, according to the new normal), and renew customer trust.

With all of the new attack angles that have appeared this year and continue to appear every day, being negligent or uninformed about current threats just isn’t a valid excuse anymore - not that it ever really was, to begin with. Customers are now more aware of the value of their data and their privacy, and they will shift their support to companies that they feel can be trusted with their data.

Cybersecurity in This New Reality

There are quite a number of things CISOs and decision-makers can do to ensure their teams are staying aligned with best security practices. Working from home might complicate things a bit more than usual, but putting safeguards in place while working remotely isn’t an impossible task. Security isn’t just a responsibility that management or the IT department is accountable for either. Every employee needs to be informed and understand the role they play in protecting company and customer data. Employers need to provide their staff with the right tools to do so.

Continued vigilance and efforts from everyone in the company are crucial, contrary to what Cloudflare’s COO recently said with regard to cybersecurity being a thing of the past in the next decade. Cloud-based cybersecurity systems aren’t going to evolve to the point where they can automatically root out all threats or make up for human error. You will always have to put additional measures in place and make sure people are trained to be aware of and act against the cybersecurity threats they’re likely to encounter or even (accidentally) cause.

CISOs Need to Clean Their Own House First

CISOs should have a handle on when the company and customer data is being shared, as well as where it goes - at all times. Solid cloud policies should be adopted and enforced as things change and existing policies (such as teleworking) should be reviewed and adapted as well.

Starting with the basics:

  1. The efficiency of awareness training fades out after 6 months, so naturally, CISOs need to renew awareness efforts in the organization regularly to keep policies front of mind.

  2. Do you have a solid (and tested) incident management process in place? Do your employees know how to report suspicious events or behaviours they witness? It’s a good idea to stress test your organization, preferably with random tests and not carefully planned simulations.

Then diving deeper:

  3. Consider vendor management. Do you deal with third parties (think cloud storage, suppliers, etc.)? How do THEY protect YOUR data? How do you control the distribution of your internal data, or client data, in a cascade of subcontractors? Think about the Managed Security Service Provider (MSSP) of that hot new SaaS marketing tool your people are using, for instance. The MSSP may now be storing some of your data, captured in logs, even though you don’t have a direct contract with them.

  4. New privacy regulations are emerging; local laws, but also global “universal” control frameworks that help organizations structure themselves and better address the GDPR, CCPA, and Loi 64 here in Quebec, for instance. Have you started to evaluate your legal obligations in that space? Use these new laws and regulations to support your argument for better controls, better structure, and convince your board to raise the bar.

Securing Your WFH Environment

In layman’s terms, keep the 80/20 rule in mind, which states that 80% of threats come from around 20% of causes. In a remote employee’s case, that would be network threats, unsecured accounts and devices, and human error. So, it would make sense that efforts should be focused on minimizing these basic vulnerabilities first.

Workers can take the following basic steps to minimize their attack surface:

  • Always apply security updates for computers, browsers, and phones to ensure that attackers cannot take advantage of newly discovered security bugs on devices and software.

  • Windows users shouldn’t bother spending their money on the latest antivirus software - the integrated antivirus does a great job already. Assuming you install the updates, of course.

  • Multi-factor authentication (ideally application-based like Google Authenticator, and not SMS-based) has to be used for bank, email, government, and social accounts. This means you need a second piece of information, like a code, to access your account and it ensures these accounts stay safe even if your passwords are stolen or guessed.

  • Password management is essential if you want to keep from resorting to easy-to-crack passwords or reusing them, which is a huge cybersecurity faux pas. Personally, I would recommend Bitwarden since it’s open source and independently audited.

  • Be careful when using VPNs, as most are not as safe as they claim (they scan your data or inject malicious code while you are browsing). If you want to use a VPN, check out a service like ProtonVPN. They are very open about how they work and have a free option too.

  • If you are worried about the privacy/protection of your data stored in the “cloud”, use end-to-end encrypted storage so that the hosting company will have no technical access to your data (unlike Google Drive). Tresorit is a solid option.

  • Wi-Fi security at home: use WPA2-AES with a long passphrase on your router and change the default password that comes with the router to reduce your attack surface.

  • Finally, social engineering is one of the biggest issues for workers today as phishing attempts become harder to spot. But vigilance is still your best hope for self-preservation here, so stick to best practices: avoid emails from unknown senders - especially if they contain external links or file downloads.

I don’t have to tell you that it’s been a bad year, and companies all over the world have faced massive challenges. Not just on the cybersecurity front either. If this year has taught us anything, however, it’s that we must have all our basics well covered. People are still a company’s first line of defence against cybersecurity threats and will continue to be for a long time, but they can also be its greatest vulnerability if they aren’t prepared.
