In this article to mark #CybersecurityAwarenessMonth, Expleo’s Helmi Rais recommends a back-to-basics approach to combat the recent surge of attacks caused by the disruption of the COVID pandemic.
From a cyber criminal’s perspective, the arrival of the COVID-19 pandemic was a welcome surprise. The sophistication of phishing scams and ransomware was already at a high level. With the rapid switch to work from home, the attack surface and vectors multiplied almost overnight.
Lockdown put companies in a precarious position. They had to keep their people working for obvious financial and operational reasons. But this came with an increased risk of attack. The change was all so sudden that many companies lacked the necessary remote access tools to fix vulnerabilities on employee devices. Inevitably, people made choices at home they wouldn’t consider in the office. They installed software and tools, data storage solutions or personal devices that rendered the system vulnerable. The furloughing of employees also strained control measures.
In short, people let their guard down during the pandemic. For example, a 40% surge in machines running Remote Desktop Protocol (RDP) connections caused RDP brute-force attacks to skyrocket in March and April alone. Users today are almost three times more likely to click on a phishing link and then enter their credentials than they were pre-COVID. Of course, many of those scams had a COVID-related theme, which played on their victims’ hopes and fears.
So, what’s to be done? How can companies regain control when the opposition is getting smarter and their defences are compromised by force majeure? We are compelled to go back to basics. Identify what is important to the business and then focus security controls where they matter most, so that energy and effort are spent from that position of clarity. This means Security by Design and a risk-based strategy. We must be exhaustive in identifying the different assets and embed security in the DNA of every new project. An internal audit to classify all assets is a good place to start.
In The Art of War, the Chinese general Sun Tzu wrote: “Know thyself, know thy enemy. A thousand battles, a thousand victories”. This advice still stands 2,500 years later. What type of servers, network components, hardware or software do you have within the information system? What are your weak points? How would you attack yourself, if you were the enemy?
Think two moves ahead…
If an organisation doesn’t have full visibility of its entire security environment, or if it is unable to focus remediation on its most exposed vulnerabilities, then it may fall victim to attack. Security assessments and mitigation policies are both critical steps, whether you are a bank, a retailer or a manufacturer that’s engineering embedded systems for connected cars.
The ex-FBI director Robert Mueller once noted that there are only two kinds of company: those that have been hacked and those that will be. If attacks are inevitable, then we must focus on time to detection and time to response. Our capacity to limit the window of opportunity for hackers is a competitive advantage. If it’s three days, that’s manageable. If it’s three years, then it could prove terminal.
Think of cybersecurity as a game of chess. However well you play, you have to expect to lose a few pieces along the way. It’s how you respond that matters – as close as possible to the moment of attack. The right reaction plan, backed by automation, will kick in to mitigate the damage. By staying two moves ahead of the aggressor, you can quickly shore up your defences.
There’s no good time to be hacked, but right now, when the need for business continuity, brand trust and fiscal stability are potentially make or break, companies must prioritise cybersecurity. Under-investment is simply asking for trouble.