Data and IT vulnerabilities have only increased during pandemic
Cyber-risk is high on the list of concerns that keep CEOs up at night – not surprising, given the potential financial, operational and reputational damage that a breach of a company’s IT defences can cause.
Hackers have smelled ever greater opportunity since the onset of the pandemic compelled businesses to enable many of their staff to work from home. Growing interconnectedness and interdependencies have added to potential cyber vulnerabilities.
Some 81 per cent of global organisations have reported increased cyberthreats during the pandemic while 79 per cent experienced downtime due to a cyber incident, a survey released last November by cybersecurity firms McAfee Enterprise and FireEye found.
Darren Wray, CEO of Fifth Step, an IT consultancy that advises companies in Bermuda and elsewhere, said: “Most of the companies I work with would say that their digital transformation accelerated by about five years during the pandemic, but it was about ten years for those who had no work-from-home capabilities before Covid.”
The era of mobile devices, connected to company networks, has fundamentally changed the business of cybersecurity, Mr Wray said. “When I first started my career, when you left work, your work stayed in the office. The building was the perimeter, because once you’d left, you couldn’t connect to the network.
“Whenever you have mobile devices connected to the corporate network, then the people are the perimeter and so the people need to be trained in the dangers – ‘phishing’ attempts, for example. Many organisations offer training for this when someone joins, but it needs to be updated, annually at least, because the landscape is constantly changing.”
Hackers, looking for a way in, may only need a careless employee to click on a link in an elaborately disguised e-mail. Phishing and “spear phishing” – when hackers target individuals or employees in particular roles — have become more common during the pandemic, Mr Wray said.
Sometimes, they may seek a seemingly harmless morsel of medical or personal data – however, this may be the last piece in the jigsaw that they need to prove an identity to set up an obscure, profit-making activity, such as an insurance fraud.
Cyber thieves have become more organised since the days when phishing e-mails were written in comically bad English and contained ridiculous requests, such as “send your bank details to my Hotmail account”, Mr Wray added.
Forget the stereotypical image of the hooded teenager hacking into corporations from his bedroom. “The reality is somewhat different now,” Mr Wray said. “For many people, it’s a full-time job working in organised enterprises.
“I’ve seen this in some of the breach responses that I’ve worked on – when the attacks start, it’ll be 9am in a certain country and then they’ll clock off at about 5pm, and they may even have a lunch break – you see these patterns.” He believes that some of the hackers may not even realise the illicit nature of their work, believing perhaps that they’re testing for weaknesses in corporations’ security systems.
The Ukraine war may elevate the threat. Organisations in countries who get involved in the fighting or sanctions against Russia may find themselves under state-sponsored cyberattack. Russia too has already been attacked by hacker network “Anonymous”, among others.
Third-party vendors can be a weakness in a company’s cyberdefences. A famous example was the Target data breach of 2013, when hackers gained access to credit and debit card information of 41 million customers.
“They got in though Target’s HVAC company which had a connection to each and every Target store to measure air-conditioning efficiency,” Mr Wray said. “The physical equivalent would be getting into a store next door to a bank and breaking through the wall.”
Many data breach incidents never make the media. However, increasingly stringent personal data protection laws in Europe and many US states, for example, require companies to report breaches to regulators, if they reach a defined scale.
While training employees to be aware of cyberthreats is one action companies can take to strengthen their defences, another is ensuring the security team has a strong voice at board level and an adequate budget.
“Organisations are very willing to spend a lot of money to rectify things after an event, but they could spend substantially less, if they put in a little bit of effort upfront,” Mr Wray said.
“It’s about being more strategically minded, thinking longer term and not scrimping on security. Organisations who do that – even if they suffer a breach – will be better able to recover, because they’ll know where things are and they’ll know what they need to do.”