4 minute read 20 Mar 2020
Looking down at a woman sitting at home working on her laptop

COVID-19: Five steps to defend against opportunistic cyber attackers

By

Kris Lovejoy

EY Global Advisory Cybersecurity Leader

Cybersecurity guru. Married mother of four. Enjoys diving, hiking and refinishing furniture. Lives in McLean, VA.

4 minute read 20 Mar 2020

Enterprises across the globe are more vulnerable than ever to cyber attacks arising from the pandemic.

As the COVID-19 pandemic sweeps the world, businesses are adapting to a new “business as usual” model to minimize the health risks associated with employees and customers being in close physical contact. This adaptation has pushed millions into remote working structures or online interactions between customers and businesses. With this change in behavior comes additional information security risks to the confidentiality, integrity, and availability of key information systems.

To help EY clients manage these risks, we’ve identified the risk drivers, business challenges, and outlined five risk mitigations that can help enable an enterprise to be cyber resilient.

The surge of teleworking increases risks

As Information Technology (IT) teams scramble to enable remote working infrastructure, the pressure to ensure they can respond to the increased volume of requests from the business can result in some IT teams and/or users bypassing information security best practices. Look out for these challenges:

  • Users unhappy or unfamiliar with approved telework solutions may install their own or setup “shadow IT” – in other words, unmanaged software and assets without corporate information security and privacy controls.
  • IT teams may defer patches on critical assets to keep network operations stable and available. The increased load on telework-enabling resources may limit allowable downtime for patching.1
  • Ensuring connectivity between cross-enterprise resources could circumvent segmentation, resulting in “network flattening,” which would ordinarily prevent or detect a threat actor from gaining access to a network to traverse to critical IT assets without multiple layers of security.

Dispersal of previously in-person activities and processes is an enterprise challenge that requires adaptation of business processes and flexibility to keep business as usual activities operating.

  • Enterprises that monitor or restrict certain activity — such as high privileged activities like account creation, deletion, and security setting modifications — to on-premise systems are forced to adapt procedures and enable remote administration. This new remote traffic changes the network baseline, which requires tuning of advanced security analytics platforms that monitor remote traffic. As new baselines are established, these analytics will need regular monitoring and adjustment to spot anomalous, possibly malicious network traffic.
  • The surge of remote work increases load on IT support teams, with teleworking users repeatedly contacting the Help Desk, creating pressure to skip authentication or authorization steps in order to deal with the increase in call volumes. Further, physical presence requirements for IT services become infeasible; so services such as laptop upgrades, certificate issuances, or hardware repairs must be deferred.
  • In addition to employees and customers facing these challenges, an enterprise’s third-party supplier or contractors also introduce additional volumes of the risks described above.

Threat actors of all types are exploiting uncertainty and publicity of the pandemic

Cyber threat actors across the spectrum — from government-backed groups to organized crime gangs — are using the public’s fear, uncertainty, and curiosity about the pandemic to adapt their threat vectors, tactics, and targeting strategies.

  • There has been an increase in the number of phishing, malicious sites, and business email compromise attempts linked to the pandemic, according to multiple sources. This malicious content can appear as fraudulent news updates, precautionary guidance, virus maps, lab results, or employer memos.2,3,4,5
  • Threat actors conducting data theft for extortion, disruptive or destructive ransomware attacks, and/or seeking to damage an enterprises’ brand have targeted organizations perceived as under pandemic-related strain.6 Furthermore, a company’s actions or statements considered inappropriate could trigger “hacktivist” and insider threats resulting in IT business disruptions, or theft and disclosure. 

Threat actor motivations, tools, and objectives remain constant, but with the added benefit of users seeking information on the pandemic, in some cases willing to ignore or bypass user training and awareness or technical controls to obtain information.

  • Established, professional cyber-criminal groups and upstart cyber criminal gangs have used information about the pandemic to get users to download their malicious tools, according to multiple sources. 7,8,9 Such tools include downloaders, keyloggers, phishing sites, ransomware and remote access tools.10,11
  • These groups’ goals remain the same; to solicit private health information (PHI), personally identifiable information (PII), account credentials, donations, and ransoms.12
  • Government-backed threat actor groups have used information on the pandemic to target organizations with their own malicious tools.13,14,15 In addition to their standard goals of continued espionage; these groups’ government backers have been tasking them to collect virus-related health information, likely for national health response benefit.16

Enterprises must employ multi-faceted risk mitigations

  1. Centrally manage and promulgate robust teleworking solutions to empower and enable employees, customers, and third parties.
  2. Leverage role-based rather than location-based identity and access management solutions, analytics, and controls.
  3. Establish second-factor authentication for formerly in-person processes, such as manual phone calls, a system of shared secrets, or other authentication controls relevant to the formerly in-person process.
  4. Provide links to official resources for pandemic-related information to avoid the spread of disinformation within your organization.17,18,19
  5. Establish formal and transparent channels for corporate messaging to highlight what the enterprise is doing to address this pandemic.

My thanks to Haris Shawl, Senior Manager, Ernst & Young LLP and Vijay Raghavan, Manager, Ernst & Young LLP for contributing to this article.

Lead through the COVID-19 crisis

We have a clear view of the critical questions and new answers required for effective business continuity and resilience.

Explore

Contact us for immediate support

Gain access to our help with crisis management, business continuity and enterprise resilience.

 

Contact

Summary

As businesses adapt to changing workspace needs in the face of COVID-19, we highlight the risk factors to watch out for to help ensure enterprises remain cyber resilient.

About this article

By

Kris Lovejoy

EY Global Advisory Cybersecurity Leader

Cybersecurity guru. Married mother of four. Enjoys diving, hiking and refinishing furniture. Lives in McLean, VA.