Few businesses are prepared for multiple, concurrent crises. Most can survive a single disruption but dealing with a second while already in a weakened state increases the impact exponentially. When the COVID-19 crisis began and the lockdown was implemented, the first action businesses should have taken (after getting staff working remotely) was to reassess their risks. Every organisation’s risk profile changed significantly but it’s not all bad.
If we think in terms of a business’ key assets (People, Premises, Resources, Suppliers – PPRS), having a remote workforce is actually a net-positive for continuity as it disperses a lot of potential risk. It is more likely that a single, city-centre office will be disrupted than 500 homes. Individual homes don’t have the reliable communications and power that an office does, but cumulatively, they are much less likely to all be disrupted at the same time.
Users aren’t the whole story though. If IT systems are still hosted from your HQ, that risk is the same. In fact, the situation is worse because the lack of staff onsite will hinder your ability to come back online following an outage.
Changing cyber risk
IT has proven to be the critical business service in lockdown as it has allowed businesses to continue working. However, IT faces physical risks such as power and internet outages or hardware failure, as well as the growing cyber threat. From a cyber perspective, a dispersed workforce increases the attack surface.
That’s not to say your cyber risk just grew by a multiple of 500 (or however many staff you have). Cyber teams have been dealing with the challenge of securing mobile devices and cloud computing for the last 10 years, at least. However, a remote team is a much better target for social engineering and phishing. Unlike in the office, there’s no-one to turn to, to quickly ask “does this email look legitimate?” or “why is our CFO pushing me to change this payment?”
The combination of upheaval and changes in daily processes means staff may not follow normal procedures which increases the probability of a breach. This provides opportunities for cyber criminals in the following areas:
- New phone systems and a breakdown in transferring processes mean it is possible to reach targets more easily.
- The increase in new collaboration software, combined with a lack of familiarity, raises the chance of being fooled by phishing emails demanding ‘security updates and patching’.
- Reduced teams through furlough and redundancy mean new responsibilities are taken on by remaining staff.
- There is a desire to ‘get things done’ to stay productive and serve customers.
Is now a good time to attack?
Even if we are now more susceptible to attack and successful breach, is it a good time to target businesses? That depends on the type of attack. If you are looking to hijack supercomputers to mine cryptocurrency, now is a good time to do it. If you are seeking ransom payments, perhaps not. Coronavirus has hit the tourism, hospitality, and bricks & mortar retail sectors especially hard, with many businesses struggling to maintain continuity.
Ransomware attacks have been successful against manufacturing companies because they paralyse production, threatening massive losses. This makes paying the ransom the easier option. Norsk Hydro chose not to pay the ransom and instead decided to recover its systems, which was the more difficult option, with the cost to the business estimated at up to $75m.
In some cases, the increased stress of dealing with the current crisis will make the easier option of paying the ransom even more attractive. Others may not have the available funds to make the payment.
Some of the leading cyber gangs publicly announced they would not target healthcare organisations during the COVID-19 crisis but not all cyber criminals are acting so honourably. The WHO has seen an increase in attacks and INTERPOL reported a significant increase in attacks against hospitals. Sadly, the critical aspect of the healthcare sector makes it an excellent target for those prepared to put lives at risk.
Firstly, if you’ve not reassessed your risk yet, do that now and then start taking necessary actions. If there were any jobs that were rushed to get staff working remotely, do them properly now and secure everyone. Any jobs that had been put off in favour of other, higher-priority needs? Do them now. In particular, think about Citrix, VPN vulnerabilities or unsecured RDP endpoints.
During the first month of lockdown, it would have been difficult to do everything correctly, but we’ve reached a degree of stability now and these risks need to be prioritised. The lockdown is not expected to end tomorrow and it is far longer than the duration of an incident most organisations have typically prepared for. The longer any security vulnerabilities exist, the higher the likelihood they’ll be exploited.
Ensure all users ‘stay alert and vigilant’ (yes, we know) to the phishing threat. If you’ve had to change any processes such as how you deal with physical documents like contracts and invoices, make sure everyone is clear about what they should and shouldn’t do. Finally, the methods to protect yourself against ransomware haven’t changed:
- Use anti-spam and anti-virus to stop the bulk of phishing emails reaching your users
- Educate all users on how to identify the phishing emails that do get through
- Have a reliable backup in place to restore systems quickly in the event of an infection
Beyond IT, think about incidents that could affect all your staff at the same time. Although staff aren’t all in exactly the same place, most will usually be clustered close to the office. We are fortunate in the UK that we don’t have to deal with the type of natural disasters affecting large areas as much as other parts of the world, but they do happen. Storms Ciara and Dennis caused significant disruption just before the lockdown, so compare how you would fare had those incidents happened during lockdown.
The response to a cyclone in India and Bangladesh this month has shown how difficult Emergency Management can be when balancing evacuation from immediate danger with the increased chance of infection from COVID-19. Think about what physical actions need to be taken like resetting fuses and powering on hardware and consider how you will communicate with the crisis management team and the wider business. Whether the second crisis is flooding or a cyber-attack, your response plans need to be adapted to work for a remote team(s) and the lockdown restrictions.
Peter Groucutt, Databarracks’ Managing Director, founded the business in 2003 after working in a number of high-level risk management roles. Databarracks is the UK’s specialist business continuity and IT disaster recovery provider.