Pandemic Security: What Have We Learned?

Early in the pandemic, Google reported 18 million daily hoax emails related to COVID-19 scams. Since then, phishing attacks have become more targeted: impersonating remote working tools like Zoom and Microsoft Teams, playing on the availability of masks and testing, and even masquerading as company CEOs to dupe users into giving up their passwords and other personal information. They can be so sophisticated that, according to a study by Computer Disposals Limited, just 5% of Brits can spot scam emails.

Phishing is just one of many ways hackers are taking advantage of the pandemic. Literally billions of credentials are floating on the internet, stolen from various data breaches over the years, and many people reuse their passwords. This has given rise to credential stuffing attacks, which try stolen credentials against a large number of websites in an attempt to take over accounts. Retail and media subscriptions (like Disney+) are likely targets because hackers can resell them on the dark web.

These attacks aren’t new. COVID-19 has simply created more opportunity. And opportunity has elevated the conversation about security from the depths of the data center to our boardrooms and kitchen tables. The pandemic has forced us, as individuals and companies, to think more about security. So, what have we learned?

Security Awareness Training is Here to Stay

Cornell University research suggests that remote workers may feel more socially isolated than their in-office colleagues. If you’re a hacker, this is prime real estate for social engineering attacks that rely on people being in a state of anxiety. Companies are anxious too. Having moved their workforces and services online to survive the pandemic, they’re now faced with new cyber-threats. Protecting themselves, their livelihoods and their customers is essential, but not all know how to do it.

Security awareness training promotes vigilance and treating all employees as members of the crisis response team, but not every company has a chief security officer to orchestrate this training. This year, we’ve seen governments and the security community fill that gap: the UK’s National Cyber Security Centre (NCSC) launched a campaign with advice on staying secure during coronavirus, and experts formed the COVID-19 Cyber Threat Coalition, which releases weekly threat advisories.

COVID-19 has created a kind of social contract that says we’re all stronger when we get the basics right. Add into that companies’ statutory duty to protect personal data and security awareness training is here to stay. Regulators understand people make mistakes. Enforcement is not an automatic consequence of every incident, but becomes more likely when businesses fail to give their people the tools and training to minimize the impact.

Technology Can Make Security Simpler

If you’ve ever used your face or fingerprint to unlock your phone, you know there can be a world without passwords. This means no lists of stolen credentials floating on the internet and no password for a scammer posing as your phone company to steal. Biometrics are one of the many technologies being worked on to simplify security. Others are context-based technologies that only ask you to prove your identity when something looks amiss. You might be working from a different country than normal, but in the event that you log in from London one minute and Tokyo the next, an identity check will be triggered. These technologies are often invisible, waiting to protect us from threats during the pandemic and beyond.
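The London-then-Tokyo check described above, as an added illustration that is not code from the article: an impossible-travel rule that replays geolocated login events for each user and flags the ones that should trigger an extra identity check. The speed threshold, the coordinates and the sample logins are constructed assumptions.

```python
from collections import namedtuple
from datetime import datetime, timezone
from math import radians, sin, cos, asin, sqrt

# Constructed example. Assumes each login event already carries a GeoIP
# lat/lon; MAX_SPEED_KMH is a chosen plausibility bound, roughly airliner speed.
MAX_SPEED_KMH = 1000.0

Login = namedtuple("Login", "user ts lat lon city")

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two points."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def needs_step_up(prev, cur, max_kmh=MAX_SPEED_KMH):
    """True if reaching cur from prev would require implausible travel speed."""
    hours = (cur.ts - prev.ts).total_seconds() / 3600
    dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    if hours <= 0:
        return dist > 0  # same instant, different place: impossible
    return dist / hours > max_kmh

def flag_logins(events):
    """Replay login events in time order; return (user, city) pairs that
    should trigger an extra identity check."""
    flagged, last_seen = [], {}
    for ev in sorted(events, key=lambda e: e.ts):
        prev = last_seen.get(ev.user)
        if prev is not None and needs_step_up(prev, ev):
            flagged.append((ev.user, ev.city))
        last_seen[ev.user] = ev
    return flagged

def utc(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

# Constructed sample: alice "travels" London -> Tokyo in one minute (flag);
# bob goes London -> Manchester a day later (plausible, no flag).
SAMPLE = [
    Login("alice", utc("2020-04-01T09:00"), 51.5074, -0.1278, "London"),
    Login("alice", utc("2020-04-01T09:01"), 35.6762, 139.6503, "Tokyo"),
    Login("bob", utc("2020-04-01T09:00"), 51.5074, -0.1278, "London"),
    Login("bob", utc("2020-04-02T09:00"), 53.4808, -2.2426, "Manchester"),
]

if __name__ == "__main__":
    print(flag_logins(SAMPLE))
```

A real deployment would feed this from an identity provider's sign-in log and tune the threshold to tolerate VPN exits and GeoIP error rather than treating every flag as hostile.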

Security is No Longer a Perimeter

The mentality for years in the security community was ‘secure the perimeter.’ The goal was to keep people out and build the walls of corporate networks so high and thick that no intruder could possibly penetrate them. If you wanted access, you received a company laptop and a bunch of internal applications. You entered through the gate.

Today, you can access any app, with any device, from anywhere in the world. So can people pretending to be you. Landmark changes in privacy law like the GDPR have already fundamentally altered the ways we share information with companies. The scale and complexity of security issues in a COVID-19 world means that those same companies must now re-evaluate policies, processes, and technical measures that were rebooted as recently as 2018. Do these controls work when so much of the corporate structure is outside that traditional perimeter? People – and walls – don’t work like they used to.

Early 2020 brought a switch to fully remote working for many businesses. For some, this was no more than an acceleration of existing plans; for others, the pandemic brought about in weeks a digital transformation that might otherwise have taken years of planning. Having key staff – or all staff – working from home brings many challenges, from the mundane (how do we educate all of our employees to change the default password on their home router?) to the fundamental (does our business continuity policy work when we're effectively running in continuity mode already?).

The pandemic has catapulted security into the public consciousness. Not only has it presented threat actors with new surfaces to attack, but every single employee is now a little more responsible than they were for their organization's cybersecurity. If we didn’t already know someone who had been hacked or been hacked ourselves, it’s likely we do now. If companies weren't already online and aware of how cyber-threats could impact the bottom line, they’re paying close attention now. We’ve seen COVID-19 threats like phishing and credential stuffing before but our relationship with security will never be the same.
