Managing a Cybersecurity Crisis During a Pandemic

Most enterprises have taken extraordinary measures to protect their workers, ensure business continuity, and maintain service delivery during the coronavirus pandemic. The COVID-19 disease has ravaged the world, with total confirmed cases and deaths exceeding 3,500,000 and 248,000, respectively.

However, these measures have exposed businesses to a variety of cyber threats. Due to imposed lockdowns and curfews, companies have opted to allow employees to work from home. Organizations with insufficient cyber defenses remain exposed to multiple risks, as many home workers engage in insecure practices. These include sharing devices that hold vital data, failing to apply the latest updates and patches, and poor password hygiene, among others.

Cybercriminals are also taking this opportunity to scale up their attack campaigns. According to FBI Deputy Assistant Director Tonya Ugoretz, cybercrime reports have quadrupled since the pandemic emerged. Ugoretz says the FBI’s Internet Crime Complaint Center receives between 3,000 and 4,000 complaints a day, compared to 1,000 daily complaints before the COVID-19 crisis. Ugoretz also noted an increase in nation-state attacks targeting the healthcare sector. The main motivation for such malicious activity is to gain access to critical data, such as information on the latest vaccine research efforts.

Furthermore, the Microsoft Security Intelligence team noted a spike in Trickbot malware attacks. In particular, the team indicated that the cybercriminals behind Trickbot sent hundreds of electronic messages purporting to contain COVID-19 medical information and advice; the aim, however, is to use macro-laced documents to trick recipients into installing the Trickbot malware. IBM X-Force researchers also stated in a report that internet scams related to COVID-19 increased by over 6000%. They range from impersonating WHO (World Health Organization) officials to the US SBA (Small Business Administration) claiming to offer financial assistance. The coronavirus pandemic has caused an unprecedented increase in cybercrime. As such, businesses should have relevant information on how to manage a cybersecurity crisis during a pandemic.

Time is a vital resource.

A cybersecurity crisis can directly impact essential assets and resources. This can disrupt business operations, resulting in diminished revenues and customer loss. In such a scenario, time is a vital and precious resource. Every minute counts if the affected company is to avert the crisis.

Containing the crisis is one option that gives an enterprise additional time to manage it. Containment means restricting an attack to only the affected networks or systems. To contain a crisis, the security team should disconnect the infected systems from the network, use network segmentation to separate the compromised network from other networks, or take the affected systems off the internet. The additional time permits the deployment of the solutions needed to manage a cybersecurity crisis.

Additionally, threat intelligence is an essential tool for managing cyber-attacks. Threat intelligence and analysis provide relevant information regarding security risks. For instance, security experts use threat intelligence to determine current and expected threats, the assets they might compromise, and the estimated impact on business operations. Through the acquired information, an enterprise gains the analysis it needs to decide how best to use the available time to protect itself. Data obtained from threat intelligence analysis can inform planning, preparation, and proper practice. As a result, a business can prepare the required tools and responses before things go haywire due to a cybersecurity crisis.

Part of the preparation entails using the time to brief the C-suite on the potential security risks and expected consequences. During a crisis, there may not be adequate time to inform executives about the threats causing the incident or how they affect normal operations. Worse still, the time might be insufficient to correct any misconceptions executives have regarding cyber threats. Moreover, during a pandemic, news and media stories may sometimes provoke reactions that drive individuals into denial or fear. This can cause executives to make erroneous decisions that escalate a crisis instead of de-escalating it. Furnishing executives with information on potential threats can help them make well-informed decisions for effective cybersecurity crisis management.

More importantly, it is prudent for all businesses to embrace the WHO message: “this is a time for facts, not fear”. Sometimes, individual incident responders may fear that their input is not sufficient to manage a security crisis. Such panic neither supports nor advances the overall objectives. Therefore, companies must ensure incident responders focus on managing the riskiest aspects of a cybersecurity crisis rather than losing concentration through dread of unlikely scenarios. Instead of fixating on fear of the unknown, businesses should ensure incident responders exercise a level of caution that matches the actual risk levels. Some individuals may be overly fixated on specific threats, such as advanced hackers, while overlooking likelier issues such as phishing attacks. Managing a cybersecurity crisis requires incident responders who strike the right balance.

Managing a cybersecurity crisis might, however, be fruitless if the personnel involved aren’t worried enough. As such, a business must give employees adequate reasons to prepare to manage a cybersecurity crisis effectively. One way to achieve this is to paint a realistic scenario by clearly quantifying attack likelihoods and damages. For example, as most businesses continue to encourage working from home during the COVID-19 pandemic, organizations should illustrate the likely threats and outcomes of poor security hygiene. To help employees get the full picture, the employer can use business rather than technological terms. Also, considering other risks such as recessions, technological changes, regulatory changes, and competitors can help employees understand the magnitude of a cybersecurity crisis. Subsequently, everyone would understand the significance of their roles in managing the crisis.

Empower employees to manage a cybersecurity crisis

Threat-aware staff members provide the first line of defense against cybercrime. More often than not, that defense requires empowerment to strengthen it, especially during a pandemic. PricewaterhouseCoopers ran a phishing attack simulation targeting mid-to-large-sized financial organizations before the COVID-19 pandemic struck. During the exercise, 70% of the phishing emails were delivered to the intended targets, and 7% of the recipients clicked and opened the attached malicious links. However, as has been the case time and again, hackers only require one click to unleash cybercrime. There has been an upsurge of phishing campaigns as adversaries target ignorant and gullible employees with COVID-19-themed phishing emails.

Heightened security awareness and training is therefore a powerful and necessary antidote. For businesses to protect themselves from phishing and related social engineering attacks, they must train their employees on the precautions to observe to avert a cybersecurity crisis. Some points to cover during training include:

  1. Be wary of emails originating from unknown senders or from familiar individuals who don’t usually communicate directly, such as the CEO. Clicking or opening attachments in such emails might result in costly breaches and IT infrastructure damage.
  2. Before clicking on attachments, first examine the sender’s address to verify the authenticity of the email message. Phishing criminals often substitute a single character in the sender’s email address to make the message more convincing.
  3. If an official email contains grammatical errors, it is most likely a spear-phishing email. Official emails from employers, financial entities, or hospitals rarely contain mistakes.
  4. Training employees on the mitigation actions to take once they identify an email message as a scam or phishing email supports cybersecurity crisis management. These include alerting the IT department, informing other employees, deleting the message, and marking the sender as spam, among others.
  5. Always ensure the company-approved antivirus solutions and anti-phishing filters are properly configured and running whenever connected to the internet.
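Points 1 and 2 above can be turned into an automated check that a mail gateway or help desk can run before a human looks at the message. The following Python script is an added example, not code from the original article: it flags sender domains that sit within one or two character edits of a trusted domain (the single-character substitution described in point 2), trusted domains reused as a subdomain of an unrelated domain, and display names matching an executive whose address is not on a trusted domain (the CEO pattern in point 1). The trusted domains, executive names and sample headers are constructed assumptions.

```python
from email.utils import parseaddr

# Constructed allowlist of domains the organization treats as its own or trusted (assumption).
TRUSTED_DOMAINS = {"example-corp.com", "bank-example.com"}

# Constructed names of executives commonly impersonated in "CEO" phishing (assumption).
EXECUTIVE_NAMES = {"jane doe"}

# Sender domains this close to a trusted domain are treated as lookalikes.
MAX_LOOKALIKE_DISTANCE = 2


def edit_distance(a, b):
    """Levenshtein distance: minimum single-character insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                  # delete ca
                           cur[j - 1] + 1,               # insert cb
                           prev[j - 1] + (ca != cb)))    # substitute ca -> cb
        prev = cur
    return prev[-1]


def sender_parts(from_header):
    """Split a From: header into (display name, domain), both lower-cased."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[1].lower() if "@" in addr else ""
    return name.strip().lower(), domain


def classify_sender(from_header):
    """Return a list of findings for the sender; an empty list means nothing suspicious."""
    name, domain = sender_parts(from_header)
    if not domain:
        return ["unparseable sender address"]
    if domain in TRUSTED_DOMAINS:
        return []
    findings = []
    for trusted in sorted(TRUSTED_DOMAINS):
        distance = edit_distance(domain, trusted)
        if distance <= MAX_LOOKALIKE_DISTANCE:
            findings.append(f"lookalike of trusted domain {trusted} (edit distance {distance})")
        # Trusted name used as a leading label of an unrelated domain, e.g. bank-example.com.attacker.test
        if domain.startswith(trusted + "."):
            findings.append(f"trusted domain {trusted} used as a subdomain of {domain}")
    if name in EXECUTIVE_NAMES:
        findings.append(f"display name '{name}' matches an executive but {domain} is not trusted")
    return findings


# Constructed sample From: headers (assumption); none refer to real messages.
SAMPLE_HEADERS = [
    "Jane Doe <jane.doe@example-corp.com>",               # genuine
    "Jane Doe <jane.doe@examp1e-corp.com>",               # 'l' replaced by '1', plus executive name
    "Jane Doe <ceo.jane@webmail-example.net>",            # executive name on an unrelated domain
    "Payments <alerts@bank-example.com.attacker.test>",   # trusted name as a subdomain
    "Newsletter <news@vendor-example.org>",               # unrelated, benign
]


def triage(headers):
    """Return {header: findings} for the headers that produced at least one finding."""
    return {h: classify_sender(h) for h in headers if classify_sender(h)}


if __name__ == "__main__":
    for header, findings in triage(SAMPLE_HEADERS).items():
        print(header)
        for finding in findings:
            print("  -", finding)
```

The distance threshold of 2 is deliberately small: larger values produce false positives on short domains, while homoglyph substitutions of the kind the training point describes are almost always a single edit. Findings are returned rather than acted on, so the script can feed an alert queue without quarantining mail on its own.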

Additionally, as organizations focus on protecting employee safety and health while keeping staff productive during the pandemic, most have opted for remote working. In light of this, the Cybersecurity and Infrastructure Security Agency (CISA) issued a warning about remote working threats. They include:

  • Increased possibilities of phishing attacks for businesses without multi-factor authentication
  • An increasing number of vulnerabilities found in VPN solutions
  • Limited VPN connections that expose a business to more security risks
  • An increase in phishing campaigns as hackers seek to steal vital information, such as passwords and usernames.

Despite the threats, organizations had only a few weeks to roll out the infrastructure supporting remote work and access. To prevent a cybersecurity crisis, enterprises should take note of the following guidelines:

  1. Focus on security when transitioning to remote working. The practice involves deploying the required solutions such as multi-factor authentication, VPN connections for all employees, and anti-phishing filters.
  2. Match the available solutions to the current circumstances. For example, to curb the security risks posed by vulnerable, improperly configured devices, businesses can issue secure smartphones and laptops.
  3. Leverage security technologies such as machine learning and artificial intelligence to monitor for and identify suspicious user activity.
  4. Implement proven and security-conscious remote working models.

Take the pandemic as a test for enhancing resilience.

Companies should treat the COVID-19 pandemic as a continuous test of their resilience and an opportunity to become stronger. Whereas technical safeguards and training can prevent attacks such as BEC (Business Email Compromise) scams and phishing, a multifaceted defense approach is vital to managing a cybersecurity crisis. The following pointers can help businesses increase the resiliency and security of their IT infrastructures and networks, thus enabling effective management of a potential cybersecurity crisis:

  1. Improve the response plans: IT security teams should enhance the response plans to cover new security requirements resulting from new work methodologies, such as remote working. Also, lessons drawn from past adversarial occurrences should inform the required measures needed to close existing gaps in the response plan.
  2. Strengthen the defense perimeter: Organizations should use the security resources and solutions at their disposal to identify security vulnerabilities. Once identified, they should deploy working mitigation strategies to prevent attackers from exploiting the vulnerabilities. Also, incorporating proven and tested solutions for monitoring and detecting harmful events can assist in strengthening the defensive capabilities. Other necessary measures include restricting data access to only essential needs and minimizing the attack surfaces.
  3. Strengthen the remote access policies: Remote working and access have become the norm as businesses aim to remain productive and competitive during the COVID-19 pandemic. As such, strengthening the procedures governing work from home and remote system or data access can significantly boost organizational security and facilitate easier crisis management. The measures to consider when strengthening remote access policies are deploying VPN tools for all staff, enforcing multi-factor authentication, whitelisting IP addresses, restricting RDP (Remote Desktop Protocol) access, and bolstering monitoring of networks that connect remotely.
  4. Enhance endpoint security: Organizations are responsible for protecting user devices from both advanced and commodity malware. Endpoints provide hackers with multiple attack vectors, and as most enterprises grapple with the COVID-19 pandemic, attackers may focus on them. Remote working presents multiple endpoints, some of which could be insecure. Focusing on endpoint security facilitates efficient monitoring of cybersecurity incidents. Implementing an endpoint detection and response (EDR) system enables security teams to monitor cyber-attacks in real time. Also, because an EDR combines agents distributed across endpoints with centralized management, it can assist in containing attacks: the control involves disconnecting the vulnerable endpoints to prevent further spread. Endpoint security thus enables easier management of a cybersecurity crisis.
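The remote access measures in point 3 (VPN for all staff, multi-factor authentication, IP allowlisting and restricted RDP) can be checked mechanically against connection records rather than only written into a policy document. The following Python audit is an added example, not code from the original article or from any named product: it parses a few constructed connection log lines and reports every connection that breaks one of those rules. The log format, IP ranges, RDP port and policy thresholds are all constructed assumptions.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed policy (assumption): office egress range allowed without VPN,
# the address pool handed to VPN clients, and the port RDP listens on.
OFFICE_NETS = [ipaddress.ip_network("203.0.113.0/24")]
VPN_POOL = ipaddress.ip_network("10.8.0.0/16")
RDP_PORT = 3389


@dataclass
class Connection:
    user: str
    src: ipaddress.IPv4Address | ipaddress.IPv6Address
    dport: int
    mfa: bool   # did the session complete multi-factor authentication?
    vpn: bool   # did the session arrive through the corporate VPN?


def parse_line(line):
    """Parse one constructed 'key=value' log line into a Connection."""
    fields = dict(token.split("=", 1) for token in line.split())
    return Connection(
        user=fields["user"],
        src=ipaddress.ip_address(fields["src"]),
        dport=int(fields["dport"]),
        mfa=fields["mfa"] == "yes",
        vpn=fields["vpn"] == "yes",
    )


def evaluate(conn):
    """Return the policy violations for one connection; an empty list means compliant."""
    violations = []
    from_office = any(conn.src in net for net in OFFICE_NETS)
    if not conn.mfa:
        violations.append("no multi-factor authentication")
    if not conn.vpn and not from_office:
        violations.append("not on VPN and source not in an allowlisted range")
    # RDP is permitted only to clients already inside the VPN pool, never straight from the internet.
    if conn.dport == RDP_PORT and conn.src not in VPN_POOL:
        violations.append("RDP reached from outside the VPN pool")
    return violations


def audit(lines):
    """Return {user: [violations]} covering only users with at least one violation."""
    report = {}
    for line in lines:
        conn = parse_line(line)
        for violation in evaluate(conn):
            report.setdefault(conn.user, []).append(
                f"{violation} (src={conn.src} dport={conn.dport})")
    return report


# Constructed sample log lines (assumption); addresses are documentation ranges.
SAMPLE_LOG = [
    "user=alice src=10.8.0.12 dport=443 mfa=yes vpn=yes",     # compliant VPN user
    "user=bob src=198.51.100.7 dport=3389 mfa=no vpn=no",     # exposed RDP, no MFA, no VPN
    "user=carol src=203.0.113.5 dport=22 mfa=yes vpn=no",     # from the office range, allowed
    "user=dave src=10.8.0.40 dport=3389 mfa=yes vpn=yes",     # RDP over VPN, allowed
    "user=erin src=198.51.100.9 dport=443 mfa=yes vpn=no",    # MFA but bypassing the VPN
]


if __name__ == "__main__":
    for user, violations in audit(SAMPLE_LOG).items():
        print(user)
        for violation in violations:
            print("  -", violation)
```

Running the script over the sample lines reports bob and erin only; dave's RDP session is accepted because it originates inside the VPN pool, which is the distinction "restricting RDP access" is meant to enforce. In practice the same logic would be fed from the VPN concentrator or firewall logs and the report routed to whoever owns the remote access policy.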

Plan, evaluate, and maintain

Businesses should conduct meaningful and thorough evaluations of their current emergency plans, including disaster recovery, incident response, and business continuity plans. Conducting reviews allows an assessment of whether a current plan is sufficient for existing conditions. However, for such plans to have a long shelf life, it is advisable to review them against all current and potential future requirements. This enables a company to plan well in advance how to manage cybersecurity crises from different perspectives, to acquire the physical and human resources capable of managing and thwarting a cybersecurity incident, and to give different individuals a clear awareness of their expected roles.

There are different tools a business can use to identify potential security threats that could lead to a cybersecurity crisis in the future. Others enable a hazard vulnerability analysis, providing insight into existing vulnerabilities and thus informing remediation measures. Whichever model is used, the confidence and accuracy of the data entered into it are essential to the outcome. Complete reviews also provide direction on which updates to implement, as these must be operational and practical. In tandem, all employees, and in particular those responsible for managing an expected crisis, must familiarize themselves with the newly updated plans.

However, plans that are created and continuously updated may still contain undetected flaws that could render efforts fruitless when managing a cybersecurity crisis. This calls for frequent and detailed testing and exercises; until exercised, cybersecurity crisis management plans are merely a concept. Although most organizations consider training and testing expensive and demanding to plan, they can evaluate the response components through a progressive program with minimal staff and no operational impact. All key partners and stakeholders should be involved in the exercises. The exercise and testing methods must also leave room for improving the plans and addressing existing challenges before subsequent, more complex tests. The final plan would enable the response team to contain a cybersecurity crisis effectively, eliminate it, and deploy the necessary preventive measures.

Think globally

The word pandemic denotes a disease that has spread across most of the world. COVID-19 has already spread to all countries, resulting in country-wide lockdowns. Therefore, when evaluating security threats to inform business continuity and disaster recovery planning, organizations must prepare for possible impacts on a global scale. As such, all plans for responding to and managing a cybersecurity crisis must factor in all international aspects of the supply chain, including service providers, supply chain partners, and customers. Besides, unlike other calamities such as natural disasters, the coronavirus pandemic cannot be isolated by geographic location. Also, considering that most businesses rely on various global inputs, enterprises must regularly follow the security preparedness and reliability of worldwide partners and providers.

Time to trace the roots to basic cybersecurity hygiene

Businesses cannot stress enough the importance of observing strict cybersecurity discipline and hygiene: factors such as the number of employees working remotely have grown rapidly, and the risks have grown in proportion. Some best practices applying to employees, supply chains, and partners can significantly help an organization manage and avert a cybersecurity crisis. They are as follows:

  1. Separate work and home devices: One of the top risks for employees working from home is using home devices for work. Using the same devices for personal purposes may increase the attack surface because of frequently used applications such as social media platforms and movie streaming sites. Besides, unauthorized individuals such as family members or friends could access private information, which could become a crisis if leaked.
  2. Safe password practices: Strong password creation and handling are basic cybersecurity hygiene every employee must adhere to. Today, there are numerous tools used to crack simple and complex passwords. To counter a potential cybersecurity crisis, therefore, organizations should implement multi-factor authentication across all applications and server access. Incorporating accurate device security testing and identity management can further boost cyber defenses and ward off dangerous attacks.
  3. Quick IT support: Businesses are responsible for providing employees working remotely with standby IT support. They must also ensure the workers know the expected actions to take if they misplace a device or it becomes compromised. Moreover, the IT support and security teams should have access to the latest tools and technologies with full visibility of the organizational networks, including the connected devices, irrespective of whether they are remote. Full visibility allows 24/7 monitoring for abnormal user behavior and containment of an incident at the original point of infection, thus containing and managing a crisis.

Make sure all technological controls are in place.

As organizations roll out technologies for facilitating remote work and access to ensure business continuity, the IT and security teams need to mitigate the risks that arise. Implementing technological controls provides stricter data control and network access. Additionally, they prevent security vulnerabilities from escalating into a cyber crisis. The following are some controls businesses can use to protect themselves:

  1. Automatic patching: Automating patching and security update installation strengthens security and helps prevent a cybersecurity crisis. An automated patching approach shortens the patch cycle for critical systems. It also ensures timely patching for the rest of the IT infrastructure, including cloud interfaces, virtual private networks, and end-to-end security. These systems play a crucial role in remote work and access, and automated patching helps companies discover security flaws rapidly and eliminate them.
  2. Fill the security gaps of migrating facility-based applications: For some organizations, some systems are only accessible onsite. However, the pandemic has forced most to migrate to cloud-based services to support remote working. Such migrations often introduce more vulnerabilities, necessitating additional controls to counter the emerging risks. Using VPN tools likewise presents new risks that must be mitigated to avert a security crisis.
  3. Monitor shadow IT: The current generation has a higher inclination for trying out new technologies. Some employees might set them up without support or approval, especially during the current COVID-19 pandemic, when most work from home. This is termed shadow IT. Using shadow IT places employees and organizations at a disadvantage: without approval, the systems might break down, become infected with malware, or be compromised. To prevent such a crisis, the IT teams must transition, secure, and support the shadow IT systems. Moreover, they should look out for new shadow IT set up from home and monitor it for security weaknesses and flaws. This is key to managing and controlling a crisis, should it arise.