Originally Posted by MIT Management Sloan School – via mitsloan.mit.edu – August 20, 2020

Why It Matters

Cybersecurity is more important than ever during the COVID-19 pandemic. Experts lay out new threats and detail ways you should address them.

Cyber incidents are consistently ranked at the top of business concerns, and it’s easy to see why: According to one estimate, the global cost of cybercrime will rise to $6 trillion a year by the end of 2021.

And this was before the COVID-19 pandemic disrupted businesses worldwide and offered new opportunities for hackers and bad actors.

Since the pandemic began, Marriott suffered a data breach affecting 5.2 million customers, and a ransomware attack forced Honda to shut down global operationsAccording to the Federal Trade Commission, by mid-August 2020 there had been more than 172,000 fraud reports related to the pandemic itself, at the cost of about $114.4 million.

“The pandemic has created the perfect amount of fear, uncertainty, doubt, and chaos,” Keri Pearlson, the executive director of Cybersecurity at MIT Sloan, said during a recent online panel session for the 2020 MIT Sloan CIO Digital Learning Series. “The bad guys have upped the game, and we have to do the same.”

Changing cybercrime tactics and a shift to employees working from home elevates the importance of security strategies, according to Pearlson and cybersecurity executives from companies including Mastercard, Booz Allen, Liberty Mutual, and the Mars Co. During two recent webinars, the experts talked about the security threats they are seeing and how their strategies have shifted — or not — during the pandemic, offering some best practices for cyber resilience.

The overall message: Working from home may change a lot of employee behavior, but relaxed security standards shouldn’t be one of them.

Here is the experts’ top advice for cybersecurity leaders, during the pandemic and beyond:

Look out for pandemic-related scams

Bad actors online have adjusted their methods to take advantage of the pandemic.

“Hackers are opportunistic, and that is, I think the biggest change [with COVID-19],” said Alissa Abdullah, also known as “Dr. Jay,” deputy chief security officer and senior vice president of cybersecurity technology at Mastercard, at the 2020 EmTech Next conference.

Hackers have pivoted from sending phishing messages asking for bitcoin to “something COVID-19-related or something that’s more personal and pulling on the heartstrings,” she said.

Hackers have also started attacking collaboration platforms — a data breach affected more than 500,000 Zoom users in April.  The pandemic and shifting to remote work “has changed the adversary’s opportunities, and shifted their focus on some of the other tools that we’re using,” said Abdullah, who was also the deputy CIO at the White House under President Barack Obama.

Rebecca McHale, vice president and chief information officer at Booz Allen, said these changes happen whenever there’s a crisis. This time, security experts are doubling down on awareness about phishing — emails that try to trick people into sharing personal information or clicking on fraudulent links that upload malware—and smishing, or SMSishing, which is sending phishing messages via SMS text.

Pearlson said pandemic-related email phishing scams can be disguised as information from the World Health Organization or the Centers for Disease Control, or pretend to have information about stimulus checks.

Other areas of added vulnerability during the pandemic identified by Pearlson:

  1. Information-stealing scams. Hackers embed code into websites that look real and provide legitimate information about the coronavirus. For example, hackers created an identical version of a map of global COVID-19 cases with embedded malware.
  2. Ransomware and malware attacks. Netwalker, a strain of ransomware, is using files with coronavirus in the name so that they look important. The files embed code that will encrypt your files.
  3. Work-from-home vulnerabilities. These include unprotected videoconference links or hacked videoconference passwords, which can be used to access a company’s network. Also, some people working from home might be using unsecured networks.
  4. Fake products. Several websites purport to sell masks or coronavirus remedies, but take money from customers without providing any product. Others sell fake face mask exemption cards purporting to come from a government agency.

Fraud reports related to the COVID-19 pandemic had cost consumers more than $114 million through mid-August of 2020.

Adjust security for a remote-majority workforce

In the face of a wide range of threats, companies should begin by reviewing the basics, experts agreed. Pearlson outlined some best practices for cybersecurity, during the pandemic and otherwise:

  • Employees should beware of any requests for information and verify the source, including unexpected emails or calls from co-workers.
  • Make sure laptops, cell phones, and apps are updated and install any required patches.
  • Consider dual-factor authentication.

The sudden shift to working from home has raised other security concerns that experts need to check on.

“We’ve done two years of digital transformation in two weeks,” said Andrew Stanley, chief information security officer at Mars, at the July CIO Symposium. “The real risk I’ve seen increase is [in the use of] third parties.”

For example, he said, some workers abroad couldn’t move their laptops from offices to homes, so there was a scramble to get them new technology and ensure it was secure.

“Is tech set up correctly, are individuals using tech appropriately at home, maybe using personal devices or shared devices or sharing work devices?” he asked.

Danny Allen, the chief technical officer at Veeam Software, said the shift toward remote work accelerated the adoption of multi-factor authentication.

“I looked at this as an opportunity, more than anything else,” Allen said.

Pay attention to your employees’ state of mind

While it might be uncomfortable to think about, employee stress brings increased risk of inside threats, McHale said.

“I do think we have to take that into consideration,” she said. “Folks whose emotional health might be a bit taxed right now, folks in different economic situations than they were previously … what might make somebody more likely to be an insider threat to the organization?”

Also under the umbrella of employee mental health is the question of whether companies should continue with regular “bait-phishing” exercises, in which companies send a phishing-type email to their own employees to make sure they remain alert to potential scams.

While some companies have pulled back on these because of increased stress, Katie Jenkins, the senior vice president and chief information security officer at Liberty Mutual, said her team decided to continue.

“I thought now, more than any time, we need to make sure those skills are remaining sharp,” she said.

For one exercise, her team sent employees an email disguised as coming from Zoom, asking for updated credentials. Cyber crisis exercises with the leadership team also continued, Jenkins said.

Stanley said these exercises had been debated at length at his company.

“Part of me wanted to leverage this and get people a little more education. Let’s help them understand they’re more vulnerable now,” Stanley said.

In the end, the company went without regular anti-phishing exercises — which normally take place every six weeks — for several months, because of concerns the exercise would be alienating.

Prioritize access more than ever

Beyond the pandemic, cybersecurity has shifted away from a perimeter-based security model where all assets inside a network are trusted, according to McHale. Instead of these system-centric security models, companies are looking at protecting access to information and emphasizing identity as part of trust.

Companies should adopt zero-trust architecture, McHale said — the idea that individuals, devices, and applications cannot be trusted by default, and need to be authenticated and authorized.

Guiding principles include:

  • Assume there’s been a breach.
  • Never trust, always verify.
  • Follow the principle of least privilege access — giving the fewest people access to data and information as possible.

At the same time, McHale said, security professionals should consider design thinking and customer experience.

“Security can’t be viewed as an obstacle, or users are incentivized to go around it,” McHale said.

Embrace industry collaboration

Companies benefit from working together and sharing cybersecurity best practices. Abdullah said Mastercard collaborates with other financial institutions through the Financial Services Information Sharing and Analysis Center (FSISAC).

“We as fintechs get together and share a sense of what controls we have in place, and we share some of the signatures we’re seeing,” Abdullah said.

Fintech is the second most frequently attacked industry, she said, going back and forth with health care for first place.

“We get nowhere holding that information [to ourselves],” Abdullah said. “Reach out to others. Your network is bigger than you think it is. People will share more than you think. As we continue to be a sharing community, we will continue to help with the cybersecurity resilience of us all.”

Stick to your enduring principles

Looking forward, experts said, companies should be making sure their information is secure, plans are in place in case of breaches or illnesses, and their employees are holding up during a stressful time. Some of the cyber experts said they’d formally named backups for themselves and others in case of illness, and they are checking with employees to see how they are doing, and urging people to continue taking breaks and using vacation time.

“I think employees understanding that as an organization we have their backs, it’s allowed them a little more space to extend a hand to a colleague and say ‘Is there anything I can do to help, because I recognize we’re all going through this together,’” Jenkins said.