During March of 2020, organisations all round the world have shifted their daily administrative, sales and support operations from behind secure corporate networks, within which experienced IT and cyber security support is immediately available, to millions of homes around the world.
Or, to put it another way, thousands of organisations have simultaneously expanded their attack surface while making it dramatically more porous.
And cyber criminals know this.
Millions of people, working from home, using personal IT equipment rather than hardened corporate equipment, and often connecting to corporate services without going through a working VPN, provide cyber attackers with millions of routes into secure networks. The fact that many of those personal devices are also used by other people in the household – whether for school, work or leisure – opens up multiple attack vectors into the device.
It was obvious, in March, that the volume of cyber attacks would accelerate and that COVID-19 themed attacks would form the mainstay of attack content. And so it has proved. ‘Record-breaking’ increases in cyber criminal activity and huge surges in coronavirus-related attacks provide ample evidence of that.
Against this background, the lack of corporate activity to close some of the holes in the attack surface is surprising. The fact that an organisation is struggling to fund daily operations is a poor reason for failure to mitigate cyber attacks. At the simplest of levels, training ALL staff on cyber security – which can be done very inexpensively through online staff awareness training – should be a minimum step. Remote security testing and other defensive steps should be next – but around 75% of staff now working remotely have apparently not yet had any relevant security training.
And that means that the severity of cyber attacks will only increase. With defences wide open, attackers will plunder anything of value – from payment card and personal data through to corporate secrets and IP. And, in most cases, organisations will only find out when it’s too late – once their data has gone or ransomware is safely installed across their network. There are already multiple instances of these events. Clean-up costs are huge (eg Cognizant) and some organisations (eg AMCA) even go out of business as a result.
And the thing is, most breaches are discovered by third parties, and typically around 6 – 18 months after the breach occurred. Which means that many organisations who, today, are under-spending on cyber security, will discover – just as they are starting to return to normal – that their previous under-spend was a huge false economy. Sadly, there will be many organisations attempting to explain to regulators and their shareholders why their dereliction of duty at this stage in the cycle was justified.