I was saddened to learn that two people who attended RSA 2020 in San Francisco had subsequently tested positive for COVID-19. This virulent disease has impacted our lives with restricted travel and cancelled public events. eSentire included.
On the surface, COVID-19 reminds us that what we don’t know can hurt us. Until a vaccination is developed and distributed, we can do little more than wash our hands, avoid those infected and stay away from major public gatherings…effectively hoping that preventative actions like this will keep us safe.
In the world of cybersecurity, we’ve seen that prevention is a broken model. When a network virus spreads without symptoms or other known indicators of compromise, it evades oblivious AV systems and firewall rules and the digital corollary is only detected once it’s too late and criminal symptoms manifest. By then, the infection has metastasized into business-disrupting or financially punishing events.
Even worse, criminal elements take advantage when we are disabled, distressed or otherwise distracted, kick you when you are down and strike when you can least afford it. Reports of multiple campaigns using fears of COVID-19 to lure victims into clicking. In one, safety guidelines are offered in a CoronavirusSafetyMeasures.PDF which deploys a remote access tool (RAT) and malware, and an erroneous Microsoft Office document purportedly from the Ukrainian Ministry of Health deploys keylogging and other malware. Checkpoint reported that over 4,000 coronavirus-related domains have been registered in 2020, of which 8 percent were malicious or at least suspicious.
Learning from Hurricane Sandy
Hurricane Sandy was the most deadly storm of the 2012 Atlantic hurricane season. The storm killed 233 people in eight countries, affected 24 US states, caused major flooding in Manhattan streets and subway tunnels and was responsible for $64 billion in damage.
These facts are easily traceable through the concentric rings of headlines and insurance records. What’s harder to spot is the cyber rot that accompanies events such as this.
Our security operations team studied traffic analytics for a three-month period around Hurricane Sandy. Data showed a 30 to 40 percent drop in network traffic across our client base located in New York City for the two weeks during and after the hurricane. However, the level of threats remained constant throughout. In fact, the week following the hurricane, attacks spiked by 30 percent!
Criminals knew the disaster and chaos caused by the storm. Employees couldn’t get to work, blocked by flooded subway lines. And massive power outages ensured office buildings in Lower Manhattan were vacant. All that data just sitting there without the usual contingent of IT security supervisors … the world’s bank vault was open and the guards were stuck at home.
Hurricane Sandy became the instant bar by which business continuity (BCP) and disaster recovery (DR) plans were measured. As the American Bar Association’s Cybersecurity Handbook puts it: “If a client’s disaster recovery plans cannot pass the ‘Hurricane Sandy test,’ such plans might also fail if cyber incidents caused prolonged disruptions.”
And most plans failed. Most of the client data for major financial institutions resided in data centers located in New Jersey, a quick ferry ride across the Hudson river. Turns out, category 2 hurricanes don’t follow state lines, and operations were crippled, and data was exposed during the clean up. In hindsight, it’s an obvious flaw in any BCP/DR plan. But that just goes to highlight a filter we bring to the table: hindsight bias. Given the outcome, we exaggerate our ability to predict and avoid the same fate. Where was the “I told you so” gang, months before the storm season when business continuity plans were being drafted?
Protecting Your Data from Exposure
With the uncertainty of COVID-19, most companies have deployed employee travel restrictions. It’s a smart response to reduce the risk of exposure. Now consider the risk of your data being exposed. As the Hurricane Sandy SOC data shows us, attacks go up when the storm is at its worst.
Consider the knock-on implications of your employees working remotely. How will you meet your obligations to protect client information in the face of diminished staff capacity? What mechanisms and protocols do you have in place to maintain consistent security practices during this shortage? Can you still monitor your environment 24/7? And if you find an anomaly or threat, can you take action with a diminished security team?
What can you do about it
Run a COVID-19 incident simulation: One CSO I work closely with is using this event to run a tabletop simulation based on COVID-19. He’s putting his executives and IT teams through a lunch-time drill that simulates the decision making required when an employee tests positive for infection. It’s a smart approach.
Review your BCP/DR plans: It’s time to review your plans and determine if they cover an infection contingency. If they don’t, update them ASAP. Like the way the ABA characterized BCP plans nearly ten years ago, insurers will ask whether your BCP/DR plans now pass the “Coronavirus 2019 test”.
Review remote access protocols: Criminals know your employees are working from home. That’s go-time for phishing lures designed to harvest VPN credentials! This could be a good time to reset passwords, require multi-factor authentication, and restrict access to critical information, not required for everyday duties.
Protect your endpoints: As more employees work remotely, it’s critical to expand your umbrella of protection to include those distributed laptops, tablets and phones. And this goes well beyond basic antivirus services. Consider endpoint protection platforms (EPPs) and endpoint detection and response (EDR) solutions. We have a few flavors to offer.
Inform your employees: Remind employees that criminals will attempt to take advantage of the chaos created by COVID-19 through fraudulent invoicing, fake donation sites on social media, and likely attempt to collect VPN credentials. Forewarned is forearmed. Remind your employees to remain vigilant and follow security protocols.
Don’t forget your supply chain: Have you spoken to critical vendors to identify risks in your supply chain? Perhaps you have strong protocols for COVID-19, but your vendors haven’t quite got there. As I reported last year when we surveyed 650 executives, we found nearly half had suffered a material business disrupting breach as a result of vendor actions (or inactions). Read the report.
Be hyper vigilant and expect attacks: Adversaries are looking for a weakness and ready to strike when you are down. It’s even more critical to monitor your environment 24/7 and be able to respond to a threat. In these situations, it’s often best to ensure your detection and response eggs are not in one basket. Outsourcing Managed Detection and Response (MDR) reduces your coverage risks and improves your odds of catching attacks during contingency plan activation.
Ignorance isn’t bliss, it’s negligence
As I explain in my upcoming book, No Safe Harbor, ignorance isn’t bliss, it’s negligence. Data breaches, lawsuits, insurance claims and so on converge to create a line in the sand when it comes to expectation and accountability. Once we identify a risk, there is no plausible denial. We are obligated to manage this risk and be consistent in our approach. Even when the risk comes as a result of a global viral epidemic.
Ship’s captains aren’t responsible for the ocean’s weather, but they are accountable for keeping their ship, crew and cargo safe from harm. Similarly, you won’t get a pass because the coronavirus ate your BCP homework.
As corporate leaders, you are the ship’s captain. Can you navigate this storm? Can you keep your employees safe and manage the associated cyber risks with travel restrictions and a workforce working from home on-mass? If a data breach occurs during COVID-19, you won’t get a pass.
Missing employees or inability to provide 24/7 protection won’t provide an escape and influence insurance companies to cover an otherwise denied claim. And the inevitable finger pointing will begin. Cue the CSO: the Chief Scapegoat Officer. While we haven’t hit this inevitable stage, we will.