The coronavirus pandemic has caused worldwide disruptions across nearly every single public and private sector entity. The adverse effects of this situation are quite clear to many as we continue to practice social distancing, but the aftermath in the cyber-landscape may prove to be much more challenging in the months and years to come. Trends in cybersecurity can follow the paths of such events and pose heightened or even lessened risks in some cases. Here are some predictions that may take center stage following the global crisis that has taken the world by storm:
Situation: Digital privacy concerns have long been present in society. International, federal, state, and industry-specific privacy regulations govern the manner in which private or sensitive data is shared, transferred, collected, and retained. However, exemptions are being made due to COVID-19 to keep public and private sector entities afloat. Recently, the Department of Health and Human Services relaxed HIPAA data sharing restrictions to enable healthcare providers to share data rapidly through previously unauthorized means. Keeping patients alive will always surpass privacy and security regulations. However, there are costs and compromises to enabling such data sharing.
Prediction: We are already witnessing privacy red flags being hoisted, such as the recent news with the Zoom meeting platform and their data sharing practices with Facebook and other entities. Remote collaboration, communications, healthcare, and data storage companies are experiencing large influxes of new customers and users. This equates to raised awareness of their brands, practices, and methods of protecting data and privacy.
We will likely witness many large and small companies being placed under the proverbial security and privacy microscope as we transition into economic and health stabilization. Once the smoke has cleared, such companies will have to answer to the masses on how they share, collect, and protect sensitive data, and new discoveries will be made on this front. 2020 and 2021 are likely to be filled with a large number of class action lawsuits and data privacy cases. Also, new laws and regulations will likely be formulated to prepare us for these types of situations in the future.
Situation: Due to the massive increase in remote workers, organizations have been forced to open their pearly gates to enable remote workers to be effective in their job duties. Luckily, this situation occurred in 2020 when many organizations are equipped to ride out the storm virtually. Virtual meetings, email and messaging, file sharing, VPNs, and other remote access methods have been opened up to the outside world and the gates have been lifted. Organizations that were 100% locally staffed are now operating with remote workers and have been forced to allow entry into their corporate environments.
Prediction: Cyber attackers have been waiting and anxiously anticipating this day for a very long time. The hard outer shells of these corporate networks have been turned into Swiss cheese, quite literally overnight. We have already witnessed, and responded to, a series of cyber-attacks in which these network openings have been exploited. Attackers are likely gaining entry into many large and small businesses and planting footholds within their networks. Now, it is a waiting game.
Because the average time to detection is between 50 and 200 days, we understand that attackers do not always strike as soon as access is gained. They wait, study, and learn about their targets, as these tactics can yield much more fruitful opportunities. We will likely witness many organizations reporting data breaches and cyber-attacks in the coming months due to these network openings. The attackers will also be using these networks as staging areas to conduct other attacks or work their way up the particular supply chain that the target is a part of.
Situation: As stated prior, organizations that were previously 100% onsite are now working effectively remotely. This change will likely prompt organizational staff members to question the social norm of working onsite. Flexibility will likely be granted for users to work from home more frequently. This will be due to viral avoidance or due to workers becoming accustomed to working from home. However, organizations are not necessarily prepared for remote work capabilities from a cybersecurity perspective.
Prediction: When the storm has calmed, workers may request and be granted the ability to continue to work from home. However, this introduces many new and heightened risks that should be considered. An increase in remote collaboration software is likely to continue well beyond the immediate pandemic. Web meeting software companies will continue to innovate and grow while new competitors will likely rise to the opportunity.
However, we are going to witness many organizations that have a whole new problem on their hands: personal device usage for business purposes. Personal laptops, smartphones, and other devices will be leveraged for business purposes with more remote work capabilities. Also, device theft, stolen laptops, missing smartphones, and insecure home networks will now introduce new risks to organizations.
Picture this: a remote worker is connected to their corporate network via VPN. However, the remote worker’s home network has several laptops that belong to their family members (that may be compromised), IoT devices sending sensitive network data to foreign countries, and children playing Warcraft on their parents’ work laptop. Corporate network boundaries will soon include every device on the home networks of their users and all of the malicious artifacts that are also present.
While the immediate pitfalls of this pandemic are ever-present, the lingering aftereffects will shake the digital privacy and security community to its core. Privacy and security lawsuits will run rampant, new laws and regulations will be structured, current privacy laws will be amended, and companies’ data sharing and collection practices will be under tremendous scrutiny. Attackers will attack, breach, and capitalize on the madness and hide within these networks until the time is right. They will milk organizations for all that they can with long series of cyber-attacks ranging from ransomware to data theft and financial fraud.
The gates are open to many organizations to not only allow remote work capabilities, but also entry by cyber-attackers. Home networks are likely to be considered as extensions of the corporate network boundaries and new types of parallel attacks will occur. We will likely witness large corporate cyber-attacks that originated at users’ home networks from insecure IoT devices, the devices of family members, and other unknown variables within these home networks. Physical device theft is now going to become even greater with more devices leaving the physical premises of organizations.
To mitigate the risks of tomorrow, we must delve within the changes happening today. Getting in front of global pandemics is much more than vaccines and anti-viral treatments. This has caused the security and privacy communities to re-think the limitations on what we believe to be static and unchanged. Everything has changed and will continue to do so for the foreseeable future. We must observe, orient, decide, and act, as described in the O.O.D.A. loop.
Our adversaries will challenge us in every single way that they can and this global crisis has become a particularly advantageous opportunity for them to gain the upper hand. We have a duty to secure the digital world; to protect the future state of operations. Get ready for change.
If you’re worried about the state of your current security posture, consider a security assessment, penetration test, or a vCISO engagement to help prevent and respond to the challenges to come.
If you’re facing a potential cyber incident, don’t hesitate. Email incidentresponse@igius.com to engage.