Just six months ago, the extent of the changes the world has seen would have been all but unthinkable. The Covid-19 pandemic has shut down countries and forced people to quickly and radically change the way they live and work.
However, people and organisations have proved themselves to be agile and resilient, pivoting into the new reality and using technology to keep the wheels of industry and commerce turning.
On the dark side, however, the new realities have opened up new opportunities for cybercrooks, who have – as always – been quick to capitalise.
In this interview with Kathy Gibson, Bethwel Opil, enterprise lead at Kaspersky in Africa, explores the new challenges in the security space.
How has the Covid-19 pandemic and subsequent lockdowns/physical distancing affected the way people work and play; how companies do business; and how governments operate?
Never before has the connected world – and our ability to communicate, socialise, work, and transact online – been more front-of-mind, or more critical.
Although the ability to do so much online is incredible, the reality is, where people go, cybercriminals follow. If an opportunity exists to exploit a situation and lure people into disclosing personal data or relinquishing their money, you can be sure that cybercriminals will be working on it – and this is exactly what Kaspersky has seen take place.
Threat actors and cybercriminals adapted quickly to the pandemic situation, exploiting the associated circumstances to their benefit, where they have tried (and continue to try) to monetise as much as possible by scamming individuals or by stealing their data.
Currently, due to the increase in remote working practices, cybercriminals now have an increased opportunity to target devices and home Internet connections/networks, especially those that are not protected with adequate IT security.
Additionally, for employees who have not undergone basic cybersecurity training to understand what to look out for, and how to ensure they are protecting the corporate network while working remotely, businesses could very well be left more compromised than they would be in an office-based environment.
The reality is that no organisation, public sector entity, or individual should consider themselves safe from cyberattacks, and especially in this changed environment where remote working is more of a necessity than before.
During these times, a security-first mindset must become more prevalent if we have any hopes of stemming the tide of increased and more targeted cyberattacks.
To my mind, the lockdown period and changes we are seeing in the way people work and how businesses operate have also reinforced the view that a future must be built around cyber-immunity to ensure organisations and their employees remain safe in this digitally driven world, no matter the circumstances.
In the evolving threat landscape, at Kaspersky, we believe that the concept of cybersecurity will soon become obsolete, and cyber-immunity will take its place.
Achieving true cybersecurity is more than just protecting endpoint devices – rather, it centres on developing an ecosystem where everything connected is protected, and all the systems in it are secure by design.
When we get to this point, such world-changing outcomes will not give cybercriminals the opportunity they currently do. Building ‘cyber-immunity’ is about truly building a safer connected world that can benefit any individual working remotely or otherwise.
How has this new way of life changed the risks/threat landscape faced by public and private sector organisations, and individuals?
Over the last few months, with more people working from home, there has been an increase in cybercriminal activity with cybercriminals looking to exploit the situation to attack individuals as well as corporate resources that have now been made more easily available to remote workers.
As the move to remote working happened quite suddenly for many, cybercriminals have bargained (and continue to) on the fact that in some cases, IT security may not be up to scratch and thus can be easy to exploit.
In South Africa, for example, Kaspersky statistics showed a sharp spike in network attacks between 15 and 21 March, just before the official lockdown began, but coinciding with a time in South Africa when remote working increased in response to national emergency containment measures.
Affected devices increased from an average of 30 000 to peak at approximately 310 000 in a one-week period. While the attack types varied, Kaspersky research showed that attacks attempting to penetrate the network with brute forcing of passwords (repetitive attempts at various password combinations) were far more common.
This technique works well with weak or repetitively used passwords or poorly configured systems.
How should chief information security officers (CISOs) be pivoting to address the new challenges?
For some organisations, like IT companies, the process might be easier, but despite this we are all facing some form of technical issues that have only come to light due to the magnitude and mass nature of the challenge.
For example, does everyone in the organisation have a laptop? Are all security settings for remote work in place on these laptops? Do we need to change our information security policies to enable everyone to work efficiently from home?
Another aspect to consider is the adaptation of employees to remote working, with some people needing additional help, and support, when using some apps to carry out their roles and communicate with others.
Working from home can present a big change in the working day, as many employees are not alone but now with their whole family.
In addition to doing their job they have to take care of their children, parents, or other elderly relatives.
Moreover, our experience at Kaspersky shows that most employees do not have a proper work area organised in the home to be able to concentrate.
All of this demands more resources from people as they rearrange and get used to their new daily routine.
In these circumstances, psychological and emotional stress is the biggest challenge for people, especially the organisation’s management team.
In addition to the stress of re-organising our lives, we are also constantly bombarded with information about Covid-19. This makes people even more worried about their families, jobs, and financial stability, which in turn can lead to burnout and additional stress.
From a security aspect, CISOs must continuously evaluate their policies and procedures when it comes to their cyber defences and security best practices.
At the very least, they should adopt these basic precautions:
- Work with HR to manage employees’ stress so that it doesn’t affect their ‘cyber-immunity’.
- Provide a VPN for all staff to connect securely to the corporate network.
- All corporate devices (including smartphones and laptops) must be protected with appropriate security software. Furthermore, the software must provide the functionality for data to be wiped from devices that are reported lost or stolen, segregate personal and work data, and restrict which apps can be installed.
- Employees must be informed and prompted to implement the latest updates to operating systems and apps.
- Restrict the access rights of people connecting to the corporate network based on the need-to-know and least privilege principles.
- It is necessary to remind employees about basic cybersecurity rules. For example, do not follow links in emails from strangers or unknown sources, use strong passwords, and so on. Staff must be made aware of the dangers of responding to unsolicited messages. Also, it is essential to agree on rules of work: whether all questions are asked in protected chats and conference calls are made via secured channels.
And what do individual users need to understand, and change, to adapt to the new realities?
At a fundamental level, individuals need to become more aware of the new and increased risk landscape when working remotely, as well as when they are merely relaxing at home, but using digital services.
Anyone is a target, and individuals need to take this seriously.
By way of example, our research shows that the number of overall PC malware attacks Kaspersky has recorded (blocked) in the South African region, from January to July 2020, is 9 574 070. This refers to purely dangerous programmes/malware items detected, that cybercriminals are using to infect computers.
The figures show that February and July 2020 saw a peak in PC malware attacks in the local region. With almost 10-million computer malware attacks recorded, such attacks remain a threat and concern for the local region, emphasising the need for adequate PC protection.
Additionally, in terms of malware types, mobile malware also remains a prominent threat for the local region. As people rely on their mobile phones more and more, and especially during times of remote working, cybercriminals will continue to use mobile malware as a means to infect and infiltrate devices, for their own gain.
With many businesses still managing remote working operations due to the global pandemic, employee mobile device protection needs to be a key consideration, to ensure that business critical information is secure.
Establishing effective cybersecurity measures is critical, especially as remote working can bring new risks such as increased spam and phishing attacks, connecting to compromised or vulnerable WiFi spots, or the use of shadow IT by employees.
Employees should be asking employers about cybersecurity measures and training, so that they do not fall for a potential cyberattack and compromise the business; it is a mutual benefit for both sides.
Furthermore, it is not just corporate information that cybercriminals are focusing on. Individuals must be aware that as they spend more time online and make use of online services, like streaming for example, they are at risk if the necessary cybersecurity measures are not in place.
In fact, recent Kaspersky research found that when it comes to disguising malicious files under the names of popular streaming platforms and their content, cybercriminals most frequently use Netflix and The Mandalorian (a Disney+ original) as a lure to steal usernames and passwords.
Between January 2019 and 8 April 2020, there were more than 22 000 intrusion attempts detected that used Netflix as a lure. The attacks were registered as users were attempting to gain access to Netflix via unofficial files that used its name.
Remaining in a constant state of vigilance is a big task to do effectively. However, with individuals now predominantly working from home, it is a priority. People must change their online behaviour and take responsibility for upskilling themselves when it comes to cybersecurity best practice.
Of course, the organisation does play a critical role in this regard, but for it to be effective, this must be a joint effort.
The solutions can’t be just technology; what behavioural/cultural changes should we look at adopting?
Humans are often considered to be the weakest link in the cybersecurity chain – no matter how much protection is in place – and so if anything, this pandemic has emphasised the need for continued cybersecurity awareness training within business – and across all levels, all the time.
An informed and trained group of employees, equipped to work remotely if required, can massively reduce the risk of cyberthreats a business could be exposed to. If a workforce has no understanding of the cyberthreat landscape and how to ensure protection, the risk is obviously high.
Cybercriminals are always developing more sophisticated ways to conduct their attacks and often look to exploit the ‘current’ situation. Security awareness training agendas should therefore be reviewed regularly. This means that future basic cybersecurity courses will include topics and recommendations that we cannot begin to foresee.
But even now, effective training should not only make people remember rules, but also develop vigilance and pattern recognition skills that almost become second nature in the digital world. As a result, when employees face a new threat, they will be able to recognise that something is wrong and apply the rule to this specific situation.
Governments have pushed through a number of interventions to track and trace Covid-19 infections. Among these is smartphone location-based tracking. What are the privacy or other risk implications of this? Once the current crisis is over, will it be possible to put the genie back in the bottle?
Using location-based tracking around Covid-19 infections makes sense, at face value. However, there is always a risk that this data can be compromised and fall into the wrong hands, especially if the cybersecurity systems to safeguard it are bypassed.
Furthermore, by accessing people’s movements there is a significant privacy concern to be addressed. The data could be used to reveal identities and associations in such a way that personal privacy is compromised.
Although a disaster situation, such as the one presented by the Covid-19 pandemic, resulted in many governments temporarily putting restrictions on the right to privacy, there is cause for concern on when (or even if) this will be removed once the crisis is over.
Furthermore, some are worried that interfering with location privacy could lead to restrictions on other rights. Adding to this debate is whether location-based tracking assists in combating the spread of the virus.
Suffice it to say, there are likely going to be a myriad of court cases challenging the legal merits of allowing this to take place that could detract from the core focus of fighting the virus.