As the COVID-19 pandemic persists and more companies are placing greater reliance on digital systems, corporate cybersecurity systems are being put under pressure like never before. Companies have shifted to remote operations, disruption and increased attacks from opportunistic threat actors are mounting, and supply chains have been impacted on a global scale. This is creating vulnerabilities and testing the effectiveness and resilience of cybersecurity programs.
To get a better sense of the current state of cybersecurity business practices, ESI’s thought leadership team sat down with members of the Driving Cybersecurity Performance advisory board to get firsthand views of how the pandemic is changing the use of digital systems and some of the implications for cybersecurity vulnerabilities, risk, and strategies going forward.
The Covid-19 pandemic is placing greater reliance on digital systems and testing the effectiveness and resilience of corporate cybersecurity programs. How are companies’ digital approaches changing to cope with the pandemic and what has been the impact on cybersecurity vulnerabilities, risks, and strategies?
Edwin Doyle, Global Security Strategist for Check Point Research, Check Point Software Technologies: The main vulnerability exists in the technology gap between enterprise corporation locations and the home office. Enterprises have had two decades to build and define a corporate cyber strategy which for the most part works quite well. But all those corporate employees are now working from home during this pandemic. Did the company have an incident response plan which would account for this? Were they able to quickly supply the effective cybersecurity technologies needed for taking the business’s valuable data to employee’s homes? I doubt it. Hackers doubt it too, and the race is on to see who can either exploit these vulnerabilities or secure them first.
Perry Carpenter, Chief Evangelist and Strategy Officer, KnowBe4: Having most employees go remote is obviously straining already tight IT resources, both personnel and available remote access. Social engineers and phishers are also in a feeding frenzy, taking advantage of the Covid-19 situation, as evidenced by a huge uptick in Covid-19-themed phishing attacks. Covid-19-themed phishing strategies are likely to be more successful because of the built-in stressor events and people's lack of familiarity with these phishing themes.
How will the coronavirus likely change your clients’ companies’ global business strategy and digital transformation plans and those of your own company? How will it affect the future of work, ecommerce, supply chains, etc.? What might be the longer-term implications for cybersecurity?
Jamie Singer, Senior Vice President, Crisis & Risk Management, U.S. Data Security & Privacy, Edelman: It will be imperative for organizations to conduct deeper risk sensing on issues related to remote work capabilities, VPN capacity, and employees increasingly using insecure WiFi – all while the hacking community is salivating at opportunities to exploit these vulnerabilities. As a result, how companies approach communications readiness for the dual risk of cyber issues in the Covid-19 environment will also need to evolve – for example, how to communicate in the wake of a cyber threat that creates operational disruption for organizations supplying critical supplies for the Covid-19 relief effort, how to communicate about a ransomware attack that impacts a hospital’s ability to treat a surge in Covid-19 patients, and how to meet stakeholders’ increasing expectations for direct and transparent communications from their employers and the brands with which they interact.
Edwin Doyle, Global Security Strategist for Check Point Research, Check Point Software Technologies: I’ll place a very strong bet on the fact that most disaster recovery plans from the cyber team did not include supply chain! The role of the CISO needs to mature into a direct report to the CEO. In cooperation with the general counsel, reporting to the business would provide the cyber team with a more holistic overview of the business risks; hence, supply chain would be included in the dialogue and strategy.
One lesson already learned from the pandemic is the need for resilience in the face of Black Swan events. But our study shows most companies have made less progress in resilience—response and recovery under NIST—than in other areas of cybersecurity. What do you see as the biggest mistakes and best practices in this area?
Perry Carpenter, Chief Evangelist and Strategy Officer, KnowBe4: Two issues: 1) a best practice is to actually practice alternate business continuity processes and plans, and 2) more generally, a mistake is not having a resilient TESTED data backup and recovery solution to handle a digital crisis like ransomware.
Jamie Singer, Senior Vice President, Crisis & Risk Management, U.S. Data Security & Privacy, Edelman: Resilience takes practice. This means organizations must increasingly focus on how they are proactively building “muscle memory” for preparing for and responding to cyber threats in a pandemic and post-pandemic environment. Absent extensive experience responding to significant cyber events, key to building muscle memory is an ongoing cadence of internal training, education, and simulation exercises. Considering the new challenges presented by the Covid-19 environment, companies should also consider how to conduct these trainings in a remote capacity to test incident response teams’ readiness for working remotely.
Chintan Jain, Founder and VP of Security Engineering, Security Mantra Corporation: You have to put more resources into looking into your daily security alerts, in the NIST framework's detect, respond, and recover areas, because you are going to see more attacks happening there on the security incident side. Then there will be a lot of phishing attacks where bad actors will try to keep you on malicious links and try to install malware and infect your data that way. Those are areas that I would focus on right now.
Isabelle Dumont, Vice President – Market Engagement, Cowbell Cyber: The crisis we are facing is humbling and brings resiliency in general and for cyber more specifically on top of the priority list for many businesses.
Our study on cybersecurity finds that companies spend on average 0.06% of their revenue on cybersecurity—about $9.6 million for a company with $15 billion in revenue. Are firms spending enough? What is the right way to set cybersecurity budgets? How will these budgets be affected over the next 1-2 years?
Isabelle Dumont, Vice President – Market Engagement, Cowbell Cyber: The question to ask is whether security budgets are invested in the right projects. Past years have told us that no organization is immune to cyberattacks. Every initiative contributing directly to response and recovery and therefore to resiliency will see an adoption boost. This includes employee training, cyber insurance, risk assessment, and remediation.
Perry Carpenter, Chief Evangelist and Strategy Officer, KnowBe4: The biggest problem isn’t the amount, although that is a problem. It’s what it’s spent on. Cybersecurity budgets need to be set by establishing the most likely and costly risks and the cost of mitigations to offset them.
Which types of cyberattacks are causing the largest losses today and which will pose the largest risks in the future? How is the pandemic affecting your expectations? What steps are companies (including yours) taking to keep themselves secure in these times of business disruption?
Davis Hake, Co-Founder, Arceo.ai: Our security experts and threat researchers have already seen an increase of corona-themed phishing scams. Cyber criminals are impersonating public health officials, medical experts, and senior executives to deceive users into clicking malicious links or attachments purporting to provide information on appropriate coronavirus response. Unsuspecting users who click on the links or access the attachments expose their computer systems to the bad guys, which may result in further attacks on the company’s network, theft of personal information or trade secrets, misdirection of funds, or company systems being rendered inoperative by ransomware.
Isabelle Dumont, Vice President – Market Engagement, Cowbell Cyber: This is a great time to go back to security basics: password, training, and other prevention activities focused on the human aspect of security.
Edwin Doyle, Global Security Strategist for Check Point Research, Check Point Software Technologies: The pandemic has unfortunately provided an opportunity for threat actors to exploit people at the time they are their weakest! We are simply seeing an acceleration in the number of attacks and greater success due to the victims already being distracted during this challenging time. We are also starting to see ransomware attacks on physical critical infrastructure, such as windfarm turbines being taken offline through a hack and a demand for ransom to turn them back on. As the Internet of Things continues its rapid growth, we'll see more attacks on things that were previously never connected online.
Anthony Shapella, Head of Analytics, Global Cyber Insurance Team, AIG: Ransomware continues to be the most significant trend in the cyber insurance market. The number of attacks rose considerably from 2018 to 2019 and the trend continues in 2020. Ransom demands are growing—it is quite common for large institutions to face ransoms of $1m or more and some of the largest ransom demands can exceed tens of millions of dollars. The market is also seeing a trend of “dual” ransomware where attackers steal data, encrypt/lock it, demand an initial ransom for decryption keys and a second one to purge/delete the data. Attackers are capitalizing on COVID-19 with fear-based phishing emails and malicious COVID-themed websites, and targeted Remote Desktop Protocol (RDP) attacks.
While ransomware is most prominent today, we believe the next wave of attacks will focus on connected devices and infrastructure. The rollout of 5G will result in a dramatic increase in the number of connected devices. Past experience suggests that device security is not as strong as we’d like it to be, and that’s likely to continue into the future absent a set of industry-developed security norms/standards. Also, connected devices are likely to be used in more critical processes—like transportation and medical surgery—so the costs of future events may include human life and property damage to a greater degree than the past.
The survey found that companies are underestimating their exposure to a major breach and overestimating the protection of NIST compliance. How can firms do a better job of identifying and forecasting their exposure to risks? Is the pandemic increasing risk probabilities? How do CISOs need to go beyond NIST to boost cybersecurity effectiveness?
Edwin Doyle, Global Security Strategist for Check Point Research, Check Point Software Technologies: Most compliance standards should be used as a bare minimum framework. CISOs should look for technologies which trend and baseline the holistic view of the entire organization: cloud, apps, APIs, network, edge, endpoint, and the people! Then, using an enhanced framework, they should liaise with folks like the general counsel, to identify the valuable assets within their organization – these assets are the same ones most targeted by threat actors.
Davis Hake, Co-Founder, Arceo.ai: As enterprises rely increasingly on telework (many for the first time), we anticipate an increase in claims caused by cyber criminals and exacerbated by human error, misconfigurations, and employee devices as people adjust to the new normal. Tech like encryption, endpoint monitoring, virtual private network connections, multi-factor authentication, and data loss protection tools can help reduce the risk but deploying them should be prioritized considering a company’s particular risk profile. For example, this may include focusing on the encryption of private health data or deploying upgraded security tools to teams that handle trade secret information.
What are the key cybersecurity lessons that you have learned over the years? What advice would you give to CISOs preparing for tomorrow’s riskier, digitally enabled world?
Chintan Jain, Founder and VP of Security Engineering, Security Mantra Corporation: You have to make cybersecurity scalable. You have to see that whatever processes you are creating can be spread out across the whole company, because cybersecurity is not one person’s job. It’s everybody’s job.
Jamie Singer, Senior Vice President, Crisis & Risk Management, U.S. Data Security & Privacy, Edelman: A primary lesson is not to underestimate the value of proactive preparedness. It is no longer a matter of if, but when any organization is likely to face a significant cyber threat – and those threats are only likely to increase in frequency, sophistication, and complexity. Organizations should embark on an ongoing and iterative process of risk identification and prioritization, scenario planning, and training. This ongoing work will help to expose any gaps or weaknesses in processes before a cyber crisis hits, build organizational resilience, and enable companies to maintain or enhance brand reputation over the long term.
Anthony Shapella, Head of Analytics, Global Cyber Insurance Team, AIG: It's virtually impossible to stop all successful attacks no matter how good one's cyber security efforts are. As such, companies should focus on resilience—getting back up-and-running quickly—and insurers can help clients do that.
Edwin Doyle, Global Security Strategist for Check Point Research, Check Point Software Technologies: If the CMO’s job is to get the company in the news, the CISO’s job is to keep the company out of the news! By establishing a culture of understanding, specific to cyber security, the CISO should endeavor to turn the entire organization from a potential liability to an asset.
Davis Hake, Co-Founder, Arceo.ai: The pandemic is an opportunity to refresh your organization’s business continuity and disaster recovery plans (both cyber and otherwise) to ensure that you are as resilient as possible in the face of unforeseen interruptions.