September 28, 2021
This article was originally published in October of 2020.
Pandemic and Cybersecurity
When the COVID-19 pandemic began sweeping across America in March of 2020, it impacted life and business in innumerable ways. One saving grace was, and remains, the Internet. In some ways, though, it’s a mixed blessing. Although we were able to conduct a lot of traditionally in-person activities online — school, business gatherings, shopping, worshipping — doing so left us open to cyber threats like never before. And more vulnerabilities meant greater liability — especially for companies. According to a recently released survey by the Information Systems Security Association (ISSA) and the Enterprise Strategy Group (ESG), “cybersecurity professionals saw a 63 percent increase in cyber-attacks related to the pandemic.”
And here’s why: “Processes that were quite locked down before — like showing your ID when visiting a company in person — are now all online, and the security systems are too weak to handle the volume,” says Mishaal Khan, Security Leader and Senior Solutions Architect at Mindsight. “Companies weren’t ready for this.”
Taxed to the max, video conferencing services are experiencing disruptive intrusions like never before, including graphic content that suddenly flashes on screen and pranksters who crash meetings. Khan says an effective remedy is stronger passwords. Automatically generated ones that mix letters, numbers and special characters are your best bet. Recycling ones that combine, say, a favorite pet’s name and your birthdate is discouraged. While Cujo1982 might be easy to remember, it’s also easy to guess. Two-factor authentication that employs either a code or a physical security key provides an extra layer of protection.
The pandemic-spurred online shift has also prompted a rise in data theft. Unlike with personal accounts, however, individuals have no control over how, or even whether, their sensitive information is guarded by hospitals, corporations and the government. Despite a rash of breaches — at Adobe, Equifax and Marriott International, among many others — that happened well before and leading up to the pandemic, many organizations are still far too lax about cybersecurity. Even as cybercrime spikes, Khan says, they continue to take a reactive approach, relying on their insurers to cover consumer payouts when things go wrong. They either don’t realize or don’t care that breaches have long-term adverse consequences for brands and customers alike, in the form of ruined reputations and additional attacks.
“They should be accountable,” Khan says. “What we have learned from this pandemic situation is that we’re not in control of our data, and more stringent privacy practices need to be in place.”
Sadly, since March of 2020, more people than ever have fallen victim to some sort of social engineering, phishing in particular. According to the FBI, there were more than 241,000 reported victims of phishing in 2020 – a number that’s almost two and a half times larger than the second-most-frequent type of attack.
Last March, millions of people suddenly lost their jobs or were furloughed, misinformation spread like wildfire, and fear surged as the virus rapidly spread. This created an ideal environment for scammers to hook victims with fake government alerts and health department information, fraudulent offers of remote work, and even requests for donations to phony healthcare charities. A study by F5 Labs found that phishing attacks increased by 220 percent as anxiety about the pandemic reached its peak.
This is a stark reminder that hackers and cybercriminals are constantly adapting their techniques to fit current events. Phishing is especially dangerous because safeguarding against the human element is the most difficult part of a cybersecurity strategy.
Keys to Effective Cybersecurity
The first step, Khan explains, is to perform a full security risk assessment. Part of that involves what’s called penetration (or pen) testing – assuming the mindset of a would-be cybercriminal and attempting to crack an organization’s defenses through various technological and psychological means, including different forms of deception known as social engineering. Because this assessment needs to be unbiased, organizations often hire an outside expert to conduct it.
It’s also a matter of educating every employee about cybersecurity. The more they know, the less they’ll succumb to trickery. “It’s going to take time,” Khan says, “but education is the way forward. You’re only as strong as your weakest link.”
And size doesn’t matter. Effective cybersecurity isn’t just for financially flush behemoths. Small and medium outfits also need to up their games — significantly in many cases. Yes, there’s a price, but it’s a steal compared to the alternative. As Khan puts it: “Are you willing to lose a million dollars a day if your factory closes because you didn’t spend $100,000 on cybersecurity?”
For most businesses, that’s a very easy question to answer. Step one is finding the right expert or team of experts to assess and manage your cybersecurity operations. That’s where virtual chief information security officers (vCISOs) can help.
Mindsight is industry recognized for delivering secure IT solutions and thought leadership that address your infrastructure and communications needs. Our engineers are expert level only – and they’re known as the most respected and valued engineering team based in Chicago, serving emerging to enterprise organizations around the globe. That’s why clients trust Mindsight as an extension of their IT team.
Visit us at http://www.gomindsight.com.
About the Expert
Mishaal Khan, Mindsight’s Security Solutions Architect, has been breaking and – thankfully – rebuilding computers for as long as he can remember. As a Certified Ethical Hacker (CEH), CCIE R&S, Security Practitioner, and Certified Social Engineer Pentester, Khan offers insight into the often murky world of cybersecurity. Khan brings a multinational perspective to the business security posture, and he has consulted with SMBs, schools, government institutions, and global enterprises, seeking to spread awareness in security, privacy, and open source intelligence.