InsideNOW

Cyber impacts of COVID-19

While the COVID-19 crisis has significantly affected the economy, cybersecurity has been greatly affected too.

Authors

Stéphane Hurtaud - Sponsoring Partner - Risk Advisory - Deloitte

Maxime Verac - Director - Risk Advisory - Deloitte

Bérénice Salliot - Analyst - Risk Advisory - Deloitte

Published on 4 August 2020

As the first wave of the COVID-19 pandemic seems to be abating in many countries, we can begin to understand its global impact. We now see that this crisis has reshaped many organizations’ ways of working and, as such, exposed them to new cyber risks. Threat actors, thriving on confusion, panic and isolation, saw the pandemic as an incredible opportunity. So, what are the cyber impacts of the COVID-19 crisis?

As the COVID-19 pandemic began, new cyberthreats emerged. Cyber criminals capitalized on the fear and general panic around the situation by using COVID-19-themed lures and urgent language to induce their victims into clicking malicious links or executing harmful attachments. Affordable turnkey phishing kits allowed every aspiring cyber criminal with limited technical skills and ethical standards to take advantage of the general confusion to deliver malware, harvest credentials and personal information, or even receive payments. For example, attackers (i) pretended to provide coronavirus updates or information about governments’ relief funds that redirected the user to fake websites requiring credentials or personal information, or (ii) suggested downloading a “corona antivirus” or executing email attachments titled “COVID-19 supplier notice” to deliver malware.

Several mobile applications emerged to address the demand for updates and information about the coronavirus. Some provided legitimate information and were government developed and recommended.

Others were developed by threat actors exploiting the situation: the “Real-time coronavirus outbreak tracker” app installed “COVIDLock” ransomware, while the “Coronavirus updates” app delivered “Project spy” spyware.

As the crisis increased people’s confusion and lowered their ability to identify phishing emails or malicious mobile applications, it is important to inform and educate about these new specific threats. The best methods available to fight these simple but very efficient attacks are the usual ones: awareness, training and communication, but reinforced and made more specific to the context. Disinformation also helps cyber criminals, so it is crucial to communicate verified information responding to employees’ potential questions. Moreover, by limiting employees’ exposure to phishing emails, you limit their risk of making a mistake, so it is important to strengthen the detection of these emails as well as your capability to respond if an incident does happen.

In March, in Luxembourg, the shift to remote working became a necessity for most organizations. Worldwide, this meant going from an average of 27% of employees working remotely to more than 60%, with an extremely quick adoption. In the face of this challenge, four types of organizations could be distinguished based on their previous level of remote working adoption, which influenced their level of risk exposure.

Organizations where remote working was already commonplace did not significantly increase their risk exposure. However, others had to change their practices and IT environments to allow their employees to work remotely. The following topics are key to understanding the change in risk exposure when an organization shifts to a fully remote working mode:

  • LAPTOPS. Corporate laptops are for business purposes only and managed by the organization so that they can be configured to enforce security policy requirements. If employees are not provided with corporate laptops, several options are possible: (i) the company could purchase and distribute corporate laptops to its employees (difficult to do during a global crisis); (ii) deploy corporate workstations in the home; or (iii) ask the employees to use their personal computers (which may not exist, or may not be updated, patched or particularly secured). Personal computers could be used either to work directly on the local system or to connect to the corporate environment by using a dedicated solution where the level of security may vary (such as direct RDP connection, VPN [Virtual Private Network], virtual desktop environment, etc.). Each of these connections should be secured, the ease of the task mostly depending on whether the solution was already in place before the COVID-19 pandemic. In any case, the use of corporate laptops is generally preferable.
  • NETWORK CONFIGURATION. When employees work from home, their computers are connected to their home network, which may also be used by other devices and people. So, it is important to consider the network as untrusted. Allowing employees to connect from an untrusted network usually requires a dedicated infrastructure that will need to be correctly secured. Another difficulty is that this secure configuration must be able to handle the load created by the entire workforce working remotely.
  • SECURITY CONTROLS AND REQUIREMENTS. Some organizations were forced to increase their risk exposure by loosening some of their security requirements (e.g., giving local administrator rights to end-users) or limiting the global deployment of security controls (e.g., strong authentication devices limited to high-risk users only), because they were too difficult to generalize quickly due to their operational impact or cost.
  • RISK ASSESSMENTS AND DUE DILIGENCE. In the context of COVID-19, organizations had to make quick decisions regarding IT changes, sometimes even skipping the preliminary risk assessment. This led to the rushed adoption of new tools without an awareness of the related risks and sometimes ignoring important security vulnerabilities. This increased the risk of using nonsecured or noncompliant tools and the risk of misconfiguring these new tools, but also the risk of employees using unapproved software solutions (shadow IT), such as collaborative tools, for convenience, which prevented IT from securing these new solutions. To avoid these situations, organizations need to take the time to perform sufficient risk assessments before adopting a new tool or technology. They also need to follow up on the adoption of shadow IT solutions to have them under control.
  • TRACKING OF DECISIONS MADE AND ACTIONS PERFORMED. In the face of a difficult situation, organizations had to make many quick decisions. In the rush, they sometimes forgot to keep track of them, preventing organizations from assessing the risks taken, and managing potential exceptions afterward. Organizations need to take back control by keeping logs of all decisions and actions taken during the crisis, reviewing all exceptions made, and investigating whether an attacker took advantage of the general confusion.

When assessing the security state of your organization, it is important to remember that your supply chain may be affected by the same crisis as you. If one of your providers is compromised, the entire chain could be affected. Make sure to share good practices with your providers and to communicate often regarding your respective security states. Furthermore, be aware that the email accounts of your partners, providers and clients could be compromised. Therefore, you need to remain vigilant and avoid performing sensitive actions that are only prompted by an email request.

As the pandemic slows down and employees are expected to gradually return to their offices, it is more important than ever to be careful and to not lower your guard: a hybrid working mode means an even bigger and more complex attack surface, at a time when cyberattacks are not decreasing.

Conclusion

At the early stage of a crisis, communication is key. Communicating on emerging COVID-19-themed phishing attacks, the risks and consequences of phishing or the risks related to remote working practices is essential to onboard your employees in your cyber defense. However, communication alone is not enough to prevent and detect the increasing cyberthreats that organizations are facing today. While many organizations need to restructure and may cut costs during a crisis, we believe that consolidating your cyber budget is more important than ever.

Organizations need resources to evaluate the risks resulting from the adoption of new technologies and implement preventive and detective controls to mitigate these risks and ensure the organization’s resilience.
