SINGAPORE (12 June): As countries slowly reopen their economies and workers in Singapore begin cautiously returning to their offices following the lifting of some “circuit breaker” measures on June 2, one may be tempted to hope that the worst of the Covid-19 pandemic is over. Yet for most organisations, lurking in the shadows is the spectre of a “cybersecurity pandemic”, with cyberattacks on the rise as it becomes more common for office workers worldwide to work from home (WFH).
A study by cybersecurity software firm McAfee observed a 630% increase in online attacks from external actors since the onset of Covid-19 lockdowns. iDefence, an Accenture-owned cyberthreat intelligence firm, found that over 16,000 coronavirus-related domains have been created since January, with Covid-19-related domains 50% more likely to be fraudulent than others.
Phishing, where criminals pose as legitimate institutions and use e-mails, phone calls or text messages to deceive targets into divulging personal information, has been the most prevalent form of cyberattack. Cybersecurity firm Barracuda Networks observed a 667% spike in phishing cases since end-February, while a survey of 411 IT and security experts by Check Point Software Technologies saw 55% of respondents report phishing attacks against their organisations, followed by disinformation (32%) and malware attacks (28%) in terms of prevalence.
“I’ve never seen this volume of phishing. I am literally seeing phishing messages in every language known to man,” says Marc Rogers, head of security at the long-running hacking conference Def Con, in an interview with Reuters. In the UK, the National Fraud Intelligence Bureau reported GBP2.3 million ($4.04 million) in total financial losses from 1,000 Covid-19-related scams and almost 4,000 phishing attempts from the start of the pandemic in January to April.
But it is not just direct financial losses that are at stake, says Mark du Plessis, managing director of Accenture Security, in an interview with The Edge Singapore. Aside from the additional cost of having to clean up a cybersecurity breach with a more limited budget owing to the severity of a Covid-19 economic shock, businesses such as airlines could incur reputational risks that could turn away much-needed customers. Should a cyberattack lead to systems malfunction, workers performing dangerous work in industries like oil & gas could even find their lives at risk.
Cybersecurity vulnerabilities in Singapore can also have ramifications for global online networks as malware spreads across national borders. A central node in global supply chains and financial networks as well as a hub for multinational corporations in Asia, Singapore is an attractive target for bad actors. “Attacks on MNCs based in Singapore could easily spread to other countries where other MNC personnel are based, especially for economies where WFH is more established,” says Du Plessis.
Du Plessis also notes that contrary to expectations, there has been no significant spike in state-related threats since Covid-19. Threat levels to targets like governments and government-linked companies have remained steady as state actors focus on coping with the pandemic in their own countries. Rather, non-state attacks on the healthcare sector have increased significantly during the pandemic, as private actors look to capitalise on overwhelmed healthcare systems by performing ransomware attacks for financial gain.
“Hackers will continue to target vulnerable systems as long as there are profits to be made, from selling the stolen patients’ data to holding the healthcare systems hostage until the criminals’ demands are met. Currently, healthcare organisations devote just a small fraction of their budgets to implement cybersecurity measures,” says Urte Jakimaviciute, senior director of market research at data analytics firm Global Data. With the smooth functioning of healthcare systems key to fighting Covid-19, cyberattacks on these systems could have serious public health costs.
A new cyberthreat landscape
While the spike in cyberattacks does highlight potential gaps in present cybersecurity frameworks, such gaps do not completely stem from any incompetence on the part of organisations. If anything, Du Plessis remarks that most Singaporean organisations actually have in place excellent cybersecurity strategies that comprehensively cover most pre-Covid-19 risks. The shift to WFH, however, has significantly changed the present cyberthreat landscape.
Cybersecurity analysts look at information security through the CIA triad framework, where cyber defences must develop solutions that balance confidentiality, integrity, and availability. Before Covid-19, most experts prioritised confidentiality and integrity over information availability. But with the introduction of WFH, organisations have been forced to increase availability to enable remote working, consequently placing confidentiality at risk.
One way in which this vulnerability manifests is the increased use of private computers while WFH is in effect. As private devices lack the same degree of security and encryption as company devices designed to protect internal data, increased reliance on private devices makes it easier for cyberattackers to obtain sensitive information. Worse, should a private computer be affected by malware, such malware could find its way into company networks when data is reintegrated into internal company servers.
Threats are not found just outside companies, however, but within them as well. Du Plessis notes that clients expressed concern about “malicious” threats — usually disgruntled employees leaving the organisation — who seek to download as much internal data as possible before they leave. Malicious internal threats regularly appear at the onset of a disease outbreak, with clients noting that they had experienced similar situations during the SARS and H1N1 epidemics.
“In 2018, of the five billion records stolen or compromised, over two billion were a result of insider circumstances. Many organisations are challenged to detect internal nefarious acts, often due to limited access controls and the ability to detect unusual activity once someone is already inside their network. Security functions have traditionally invested much more heavily in combating external threats,” says a report from consultancy firm Oliver Wyman.
Ignorant or complacent workers are easy prey for cyberattackers, with online misinformation making such individuals more threatening by causing them to misapprehend the nature and extent of cybersecurity threats. Though Singaporeans are relatively well-informed about cybersecurity threats, the rapidly changing situation of Covid-19 risks overwhelming Singaporeans with large quantities of information, potentially numbing workers to cybersecurity threats and causing them to fall back into poor cyber hygiene habits.
“What comes as no surprise is that the vast majority of breaches were due to employee errors in the handling and disclosure of data: 32% of all incidents were due to personal or sensitive data being inappropriately disclosed or sent to the wrong recipient,” reports UK consultancy IT Governance, which examined 66 incidents of data breaches punished by the UK’s Information Commissioner’s Office from 2013–2014. Such errors were the largest single cause of breaches.
While monitoring large-scale file downloads from outgoing staff and cutting off their access to internal servers quickly could contain malicious internal threats, countering non-malicious threats is more difficult. Stronger WFH communication is required to address misconceptions and educate workers over a period of time, which is a challenge for cybersecurity teams since, according to Du Plessis, many of them are not adept at change management.
The scarcity of cybersecurity experts relative to the increase in the volume of cyberattacks further limits the ability of organisations to respond swiftly and comprehensively to such threats. “There are never enough people in cybersecurity since it is very hard to find people interested or trained in cybersecurity in Singapore,” says Du Plessis, who regularly faces shortages of trained experts in his own work. He suggests that organisations adopt automation and cloud-based solutions to save labour on monotonous tasks, though such a transition is likely to be expensive.
What can be done?
With the nature of work likely to be forever changed by both Covid-19 and the adoption of new technology like cloud computing, organisations need to swiftly tailor the premise of their cybersecurity strategies to adapt to this new normal. Crucial to this process is shifting the premise of cybersecurity strategies from one of a “walled garden” to one of “zero-trust”.
A “walled garden” approach works on the premise that organisations can minimise cybersecurity risks by restricting user access or what people can upload to a given platform. Yet, considering the existence of internal cybersecurity threats and the growing need for information availability on the cloud, “walled garden” security systems are unlikely to be as successful within a more open Covid-19 security environment where WFH is more prevalent.
In such an environment, a “zero-trust” approach to cybersecurity is likely to be more effective. This approach relies on strict identity verification and authentication of users and devices attempting to access resources on a private network, whether they are insiders or outsiders. No user or device is automatically trusted as in “walled garden” systems — which implicitly trust all internal actors — allowing cybersecurity strategies to operate more effectively in a landscape where greater information availability is required.
In practical terms, organisations will have to build on their experiences from the widespread introduction of WFH, to refine, establish and normalise new cybersecurity norms. Existing cybersecurity policies will need to be updated and workers educated in good cyber hygiene practices to reduce non-malicious internal threats. Existing weaknesses in cybersecurity systems will need to be patched while VPNs and anti-virus software are introduced to strengthen systems’ defences.
ISC SANS instructor Guy Bruneau tells ZDNet that VPNs will be especially important, as they are the most secure method of accessing organisational networks and internal data remotely. “It will be very important [that] the VPN service is patched and up-to-date because there will be way more scrutiny (scanning) against these services,” he observed. An ongoing survey of local workers by People Analytics firm EngageRocket finds that 90% of respondents wish to work from home in some capacity post-Covid.
Still, Du Plessis notes that it is far too early to say for sure how organisations will adapt their operations to the post-Covid-19 new normal. While most firms will likely now account for future pandemics in their cybersecurity strategies and retain WFH as a contingency plan, it remains unclear if firms will prefer a full return to the office for most workers or keep at least part of their teams on a WFH basis. Each scenario would likely require different cybersecurity strategies to keep operations secure. In a world facing significant economic disruption amid this crisis-ridden year, however, the best answer to this question may be that it is too soon to say.