Global pandemic opening up can of security worms
Caught by the sudden onslaught of COVID-19, most businesses lack or have inadequate security systems in place to support remote work and now have to deal with a new reality that includes a much wider attack surface and less secured user devices. Many also have had to adapt and adopt digital tools quickly, taking on new technology that may not be adequately secured.
Already, 21% of organisations in Singapore revealed they had seen an increase in attacks on their IT systems due to the pandemic, according to a HackerOne report released this week. Some 58% of these businesses believed they were more likely to encounter a data breach as a result of the global pandemic, found the survey, which polled 200 respondents in the city-state. Conducted by Opinion Matters in July 2020, the HackerOne study polled 1,400 security professionals in Singapore, Australia, France, Germany, Canada, the UK, and the US.
Across the board, 64% felt it was likely their organisation would experience a data breach as a result of the pandemic. HackerOne CEO Marten Mickos said: “The COVID-19 crisis has shifted life online. As companies rush to meet remote work requirements and customer demands for digital services, attack surfaces have dramatically expanded, leaving security teams stretched thin and not staffed to cope.”
With more employees working from home, it has become easier to launch attacks at enterprises, warned Eugene Kaspersky, CEO of Kaspersky, who was speaking at Kaspersky’s Asia-Pacific Online Policy Forum last week.
The security vendor saw a 25% increase in the number of new malicious apps to more than 400,000 a day, from 300,000 before the virus outbreak. Kaspersky said this was the reality today and why having the right cybersecurity strategy was even more important now amidst the pandemic.
Fellow panelist David Koh, Cyber Security Agency of Singapore’s (CSA) commissioner of cybersecurity and chief executive, concurred, noting that governments, industries, and individuals have had to change the way they live, work, and play, and all in a very short span of time.
Companies had to adapt to work from home arrangements and engage partners and customers online, Koh said. “Things that some thought were too difficult to do nine months ago have had to change overnight,” he said. “We had to fundamentally adapt and employ new technology literally overnight [and] a lot of this new technology is much less secured.”
Databases, for example, had to be extended so employees could access them from their home environment and controls that were in place previously within physical workplaces were no longer relevant.
Instead, employees’ home Wi-Fi systems now were the main connectivity hubs and these were not as secured as the office environment, Koh said. An organisation’s risk profile had changed and it had to deal with a larger attack surface, he added.
Employees had been taken out of offices and into homes, but organisations did not have security systems set up outside their enterprise walls, said Mark Johnston, Google Cloud’s Asia-Pacific head of security for networking and collaboration specialists.
Speaking to ZDNet in a video call, he noted that businesses now had to deal with devices outside of their network they never had to to manage before. Traditional virtual private network (VPN) tools might not necessarily work well as these could not scale well, Johnston said, adding that his team saw a sudden influx of customer queries on how to securely handle access from devices outside of their infrastructure.
Cybercriminals also had adapted, widening their focus to tap public interest in COVID-19 as lures for scams, phishing, and ransomware attacks.
New vulnerabilities also were exposed because users had moved outside of their enterprise environment and were no longer protected by a firewall, Johnston said, noting that Google’s machine learning platform dynamically adjusted to the spike in COVID-19 themed attacks.
He said the system clocked 3 billion COVID-related email communications in a week, of which 240 million were spam and 20 million were malware attacks. Some 99.9% were blocked before they could hit inboxes.
Rajesh Pant, India’s National Cyber Security Coordinator, also noted a spike in online usage across his country due to the pandemic. The National Informatics Centre, which manages India’s e-government services and supports the public sector’s ICT needs, previously handled 20 million e-mail queries a day. This now has climbed to 70 million a day, according to Pant, who was speaking at the Kaspersky forum. Correspondingly, there has been a 600% increase in cybercrime.
To help its population safeguard their cyber space, he said the Indian government issued advisories, for example, to guide employees on working from home and running videoconferences securely, such as creating waiting rooms for Zoom.
There also had been increased focus on credentials and identity, since more were accessing the corporate network from different home and online environments, he noted. “The entire system has become distributed,” he said, stressing the need for a new cybersecurity architecture.
Noting that the often-cited critical areas of “people”, “process”, and “technology”, still held true in cybersecurity, Pant underscored the importance of educating users on safeguarding their own cyber hygiene.
Mihoko Matsubara, NTT’s chief cybersecurity strategist, said: “We’re now more vulnerable because so many companies have shifted abruptly to work-from-home and remote work arrangements.” She noted that 45% of organisations in Asia-Pacific had yet to provide training to guide employees on how to work securely when doing so remotely.
Budgets also were likely to have been cut due to the uncertain economic climate, which further compounded the problem, Matsubara said.
According to a Barracuda Networks study, 40% of companies worldwide had their cybersecurity budget cut as a cost saving measure due to COVID-19. Some 51% said their workforce lacked proper training on the cyber risks associated with remote working and 51% had seen an increase in email phishing attacks since moving to a remote working model.
“We’ve had to adapt to the COVID-19 situation abruptly…[and] from a technology perspective, many of us were not ready,” Koh said. He noted that cybersecurity required a balance of the iron triangle comprising usability, security, and cost.
HackerOne’s Mickos noted that the outbreak also compelled organisations to realise they were slow with their digital transformation and cloud migration. Some 37% in Singapore said the pandemic pushed them to accelerate their digital transformation efforts, with early 40% admitting they were forced to do so without being fully prepared.
“The strain this puts on security teams is immense,” he said. “Cost-cutting measures combined with an increase in attacks means data breaches present a significant threat to brand reputations that may have already taken a hit.”
Need for common rule of cyber laws
Koh pointed to “a strong need” to develop rules-based international order for cyberspace, similar to what the world already had for the physical domains of land, sea, air, and global trade.
In this aspect, he said Singapore believed the United Nations played an important role in facilitating dialogues and facilitating international cooperation. He noted that there already were ongoing efforts to establish an Asean cybersecurity framework.
Kaspersky noted that while he supported the need for a global federation, previous attempts to do so — including at the 2011 London Cyberspace Conference — had not resulted in anything substantial.
He expressed hope that the COVID-19 pandemic would encourage more nations to recognise the importance of such efforts and finally establish a working system for a safer cyberspace. This would be critical to help identify and stop cybercriminals across jurisdictions, he said.
Matsubara welcomed the regulations within each region, but noted that the diversity between countries and even within smaller regions such as Asean, where there were different languages and cultures, would make it difficult to impose regulation across the board. And it would take years to establish such regulations.
So while it was important to have regulation to incentivise companies to implement good cybersecurity practices, she stressed the need to also educate governments, businesses, and individuals to ensure robust cybersecurity was embedded in every organisation.
“We use IT more during this pandemic, so cybersecurity need to be everywhere and for everybody,” she said, urging the need for a change in mindset.
Johnston also called for more standardisation on regulations governing the use of data. He noted that there currently were different levels of maturity in regulatory and privacy laws and even between industries with regards to their use of ICT and how security was applied.
And while the European Union had a common data security framework in the General Data Privacy Regulation (GDPR), Asia-Pacific still lacked a similar legal directive. This created challenges for multinational corporations looking to expand into this region, compelling them to ensure they complied with different bars of privacy and security of legislations across the different markets, such as Singapore’s Personal Data Protection Act (PDPA) and the Reserve Bank of India’s laws on payment data, he said.
Security needs to be ‘by default’, simpler
Koh also advocated the need to simplify technology, which currently was too complex and difficult to manage. “We’re asking everyone including SMBs to be responsible for their own cybersecurity. This is impossible,” he said. “It needs to be made simple so everyone on the street can take care of their own cyber hygiene. It needs to be security by default, not just security by design.”
Regulations, for instance, would help ensure telcos were doing the right things upstream, so consumers were delivered “a cleaner internet pipe”, he noted. Pointing to how water systems were commonly operated today, he said: “Now, [in cybersecurity] everyone’s left to purify their own water…isn’t it easier to have a central organisation purify it first [before it’s delivered through water pipes]? It should be the same with cybersecurity.”
To facilitate such efforts, Koh said Singapore earlier this year introduced a labelling scheme to help increase consumer awareness about security when using Internet of Things (IoT) devices, specifically, home routers and smart home hubs. The initiative also aimed to push manufacturers to deploy enhanced cybersecurity measures and create a mandate for a set of minimum security requirements for home routers.
Noting that price, functionality, or colour typically were deciding factors when consumers purchased a tech product, he said few would consider the level of security in the device. The labelling scheme would help address this with its simple three-tick system, he added, where devices with three ticks were assessed to have good security features.
Tech vendors such as Google and Kaspersky are hoping to take the complexity out of security by tapping automation and artificial intelligence (AI).
Similar to its aim to democratise AI, Google hoped to do the same with security, Johnston said. The goal here was to focus design efforts on ease-of-use like it did with its consumer products to more advanced business security tools, he said.
Kaspersky also noted that AI and machine learning were essential in security to help those who were unable to help themselves.
Such tools would monitor enterprise environments to ensure users, as well as applications, were doing what they were expected to do and identify any abnormalities within the systems, he said.