Understanding the Cybersecurity Landscape in 2021
More than a year after the onset of COVID-19, organizations must shift from temporary stopgap measures to more robust cybersecurity strategies and technologies. Here’s how to keep your company safe.
You may have heard the saying, “Never let a crisis go to waste.” Unfortunately, hackers have taken that notion to heart during COVID-19. The number of cyberattacks soared as hackers repeatedly exploited vulnerable back doors into corporate systems amid the distraction caused by the pandemic. Targets included healthcare, financial services, and public sector institutions like the World Health Organization. Attacks against the financial sector increased 238% globally between February and April 2020.
According to Alissa Abdullah, Deputy Chief Security Officer at Mastercard and former Deputy CIO at the White House under President Barack Obama, COVID-19 and the resulting shift to virtual work “has changed the adversary’s opportunities, and shifted their focus on some of the other tools that we’re using.”
Hackers also attacked collaboration platforms. In April 2020, hackers got ahold of more than 500,000 Zoom account usernames and passwords, and sold them in dark-web crime forums for as little as a penny per account; some information was simply given away. Cyberattacks involving the COVID-19 vaccine also emerged; in December 2020, the European Medicines Agency reported that some data on the Pfizer/BioNTech COVID-19 vaccine was stolen during a cyberattack. Around the same time, IBM sounded the alarm over hackers targeting companies central to COVID-19 vaccine distribution.
Expect More Cyberattacks to Happen More Swiftly
Cyberattacks and their associated costs are only going to continue accelerating. Consider the following: Cybersecurity Ventures predicts that cyberattacks will occur every 11 seconds in 2021, nearly twice the 2019 rate (every 19 seconds) and four times the 2016 rate (every 40 seconds). It’s estimated that cybercrime now costs the world $6 trillion annually, double 2015’s total of $3 trillion. By 2025, cybercrime is projected to cost the world $10.5 trillion each year.
The price tag of cybercrimes includes the theft of intellectual property and personal and financial data, as well as actual money—plus the cost of post-attack disruptions to business, lost productivity, and reputational harm, among other things, explains Steve Morgan, Founder of Cybersecurity Ventures. In addition to these direct consequences, cybercrime’s hidden costs also include increased insurance premiums, lower credit ratings, and legal fees due to customers initiating litigation.
A 2020 IBM Security report that surveyed 524 breached organizations in 17 countries across 17 industries indicated that the average cost of a data breach was a whopping $3.86 million and took an average of 280 days to contain. The consequences may continue for years following the incident.
In the UK in 2019, 90% of data breaches were due to human error. During the pandemic, employees have been preoccupied with amplified personal and financial stress, rendering them more vulnerable to spear phishing—a type of phishing that targets specific people or groups in an organization—and “social engineering” attacks designed to psychologically manipulate individuals into revealing sensitive information.
More specifically, social engineering attacks aim to deceive employees into doing something that seems legitimate but is not. Although companies typically train employees to identify fraudulent requests, amid the pandemic’s abnormal circumstances it has become harder for employees to differentiate scams from legitimate requests.
“Everyone knows you can’t pick up a USB in a parking lot [and put it into your computer], but training sophisticated employees on fake emails from bosses is still a real problem,” says Thomas Ruland, a finance expert in the Toptal network and Head of Finance and Operations at Decentriq, a company that specializes in secure data sharing and collaboration. “When you’re not in the same office, accidental data sharing may happen more often. When people are working in the same physical office, you can just ask, ‘Hey did you really send this?’ but it’s harder to parse through when working from home.”
The issue of “vishing”—voice phishing—has also been exacerbated by the pandemic, with attackers using calls to obtain VPN credentials or other sensitive information from employees. Vishing scams often attempt to seem legitimate by providing prospective victims with an accurate piece of personal information, such as an individual’s Social Security number or bank account number. A surprising amount of other personal information is publicly available for attackers, who need only scour social media platforms or other associated websites to access such details.
Exploiting Weak Spots in Cloud Security
COVID-19 spurred the hasty adoption of new technologies as organizations instituted new digital processes amid the disruption to in-office work. In the earlier stages of the pandemic, many companies had no choice but to accept new risks, including reduced control standards, to maintain operations.
One of the major outcomes of such rapid and dramatic changes was widespread cloud adoption. In its 2021 State of the Cloud Report, Flexera found that remote work demands pushed more than half of the surveyed group to increase their cloud usage beyond what had been planned. Other respondents indicated that their organizations might accelerate migration given difficulties in accessing traditional data centers and delays in their supply chains. While 20% of enterprises revealed their annual cloud spend exceeded $12 million, an increase of 7% from the previous year, 74% reported that their costs exceeded $1.2 million, up from 50% the previous year.
Unfortunately, actions taken under extreme time and operational pressures have inevitably led to gaps in cybersecurity. And 75% of respondents in Cybersecurity Insiders’ 2020 Cloud Security Report indicated that they were either “very concerned” or “extremely concerned” about public cloud security. Cloud security concerns are further exacerbated when organizations use two or more public cloud providers, as 68% of respondents do.
Security experts and employers are primarily concerned about three cloud security challenges. The first is cloud and container misconfiguration, in which an administrator inadvertently deploys settings for a cloud system that conflict with the organization’s security policies. Another is limited network visibility, in which an organization is unsure of what hardware and software are connected to the network and what network events are transpiring. The third major concern is unprotected cloud runtime environments, which provide opportunities for attackers to prey upon an organization.
COVID-19 and the shift to virtual work prompted widespread adoption of bring-your-own-device programs. Especially in the early stages of the pandemic, many workers had no choice but to use personal devices, public Wi-Fi, or home networks to work remotely. Such circumstances provide an opening for hackers to access organizational resources; when personal devices are compromised, they can serve as launchpads into the corporate network.
“One of the biggest cybersecurity risks is the personal device,” Trina Glass, an attorney with Stark & Stark, told the Society for Human Resource Management. “Whether smartphone or laptop, there are serious problems posed by using personal technology in a work setting involving sensitive information. Employees might save documents to their desktops or send document drafts to their personal email. They may not have up-to-date antivirus software, or they may use outdated personal password protection.”
Supply Chain Attacks and Third-party Risks
In December 2020, news broke that SolarWinds, a major IT management firm, had suffered a cyberattack that went undetected for months. Earlier that year, foreign hackers had broken into SolarWinds’ systems and inserted malicious code. Subsequently, when SolarWinds sent out software updates to its 33,000 customers, the attackers’ code went with them and created a back door to customers’ IT systems. The hackers used these back doors to install additional spy malware. Ultimately, around 18,000 of SolarWinds’ customers installed these updates, including US agencies such as the Departments of Homeland Security and the Treasury, and private companies such as Intel, Microsoft, and Cisco.
Hackers often target and attack insecure elements of the software or hardware supply chain. Accenture found that 40% of cybersecurity attacks originate from the extended supply chain. Attackers typically seek the weakest links such as small vendors with few cybersecurity controls or open-source components. More often than not, after identifying their target, hackers add back doors to legitimate and certified software or compromise systems used by third-party providers. Thus, supply chain attacks expose the truth that an organization’s cybersecurity controls are only as strong as the chain’s weakest link.
Continued in “What Can You Do to Improve Your Company’s Cybersecurity?” in tomorrow's news feed.