The sudden operational changes required by COVID-19 and the lack of preparedness by companies was a Pandora’s box for cyber criminals.
Barely a month into the lockdown, the FBI reported a 400% increase in cyber attacks compared with the pre-coronavirus period and an increase in cyber espionage by nation-states. Interpol reported a shift away from cyber crime targeting individuals and small businesses and warned of increased attacks on major corporations, governments, and critical infrastructure. It also noted the impact of remote working: “With organizations and businesses rapidly deploying remote systems and networks to support staff working from home, criminals are also taking advantage of increased security vulnerabilities to steal data, generate profits and cause disruption.”
One thing is certain: the events of 2020 will continue to shape the cyber threat environment and influence the way organizations manage cyber risks in 2021. Here is my take on 2020’s top cyber risks and what to prepare for in 2021.
Top Cyber Risks of 2020
1. Remote Working
The sudden shift to home working created significant cyber risks as personnel began working from personal devices that might not have up-to-date software and strong antivirus protection and may even have malware. Company data was at greater risk of disclosure or insider threat because some employees placed it on thumb drives or external hard drives or uploaded to online storage platforms for use at home.
2. Phishing Emails Exploiting Coronavirus
According to Interpol, about two thirds of countries around the globe experienced a significant increase in phishing emails and online fraud centered on COVID-19. Scammers used email, instant messaging, and social media platforms to impersonate government officials, mimic government orders, offer fake financial loans, and fraudulently market inferior equipment or supplies that were in short supply.
Ransomware attacks against large corporations increased, and the amount requested in ransom demands skyrocketed, taking advantage of companies with unencrypted data and inadequate backup/recovery plans. Some demands were in the form of “doxware,” where the hacker threatened to sell the data and notify customers of the breach.
4. IP Theft
Early in the pandemic, an FBI official warned that foreign governments were targeting healthcare and research organizations with valuable intellectual property (IP) concerning the coronavirus. Bill Evanina, director of the National Counterintelligence and Security Center, advised companies to be “vigilant” about protecting their IP against nation-state actors. Subsequently, the FBI, NSA, DHS, and the UK National Cyber Security Centre reiterated warnings against healthcare, pharmaceutical, academic, and research organizations.
5. Nation-State Attacks
Nation-state sponsored attacks are on the rise. In 2019, Google’s Threat Analysis Group issued 40,000 warnings of nation-state hackers to account holders. Between July 2019 and June 2020, Microsoft issued 13,000 warnings of nation-state attacks to account holders, with more than half of them coming from Russia. China and North Korea were also named. The Center for Strategic and International Studies maintains a list of Significant Cyber Incidents, and a shocking number of the entries are nation-state attacks.
6. Privacy Penalties for Failure to Maintain Cyber-Security Program
Personal identifiable information and personal health information are still actively targeted by cyber criminals. State and federal laws now routinely require that companies have reasonable cyber-security procedures and practices in place prior to a breach. Fines are increasing as regulators grow weary of companies’ failure to develop and maintain an enterprise security program. Consider the following GDPR fines in 2020: Google €50 million ($65.69 million), H&M €35 million ($45.98 million), and British Airways €22 million ($28.9 million). The FTC continued a string of cases linked to cyber security failures.
7. Business Email Compromise
Business email compromise remained a steady problem throughout 2020, with cyber criminals sending emails that appear to come from a known person with instructions to wire funds, send sensitive data, or change an address or bank account for payment. Email account compromise has become more popular with cloud environments. Once an attacker has credentials, emails are sent by the hacker from the actual email account.
8. Clickless Attack
Organizations with out-of-support or unpatched hardware or software can be the victim of the “clickless attack,” which occurs when cyber criminals exploit known vulnerabilities to enter the system. These attacks originated in 2017 with WannaCry and NotPetya and caused some of the largest business interruption losses to date. Clickless attacks are low-hanging fruit for cyber criminals.
9. Attacks Leveraging Artificial Intelligence
Attacks using artificial intelligence presented a new and real threat in 2020. Norton Security noted that hackers are leveraging artificial intelligence “to create programs that mimic known human behaviors,” such as the human voice. These attacks trick the user into providing personal data or account information. AI has also been used to create “deepfakes” of images and sounds that appear real.
Malware just keeps on coming through social engineering, phishing emails, poor security configurations, weak passwords, and the list goes on. It can exfiltrate data, turn off antivirus software, change system settings, use a computer for cryptomining, corrupt or zero out data, etc. Malwarebytes’ “2020 State of Malware Report” indicated a sizable jump in hack tools targeting consumer endpoints. Hack tools can also drop in malware, collect data or perform additional intrusions. The Center for Internet Security reported that spam (“malspam”) remains the primary mechanism for malware to enter a computer.
The Outlook for 2021
So, does 2021 look any better? No. The top 10 threats from 2020 will continue. Telecommuting will continue. Nicholas Bloom of Stanford notes that twice as many employees are working from home as those working from their office. With ongoing caution over COVID-19, companies are facing long-term changes in the workplace, with an increasing percentage of personnel indicating they want to continue working from home.
Cyber risk management in this environment requires revisions to policies and procedures, the deployment of new technologies, improved governance practices, and revisions to incident response and backup/recovery plans, to name a few. It will require more encryption of data and improved security monitoring and analysis. In order to cope over the long term with remote staff, some companies may be forced to move their operations to cloud environments or migrate legacy apps to vendors.
Funding and lack of resources will be the main problem for many organizations. Companies are already strapped for money. On top of that, there is an acute shortage of cyber-security personnel in the marketplace. The pandemic has increased the demand for financial and personnel resources as companies struggle with adapting to operational changes and increased cyber attacks. Cybersecurity Ventures predicts there will be 3.5 million unfilled cyber-security jobs in 2021. This means that companies will be forced to move their security operations to managed security service providers because they won’t be able to hire the in-house personnel they need. These transitions require planning and coordination with staff—an effort that is harder to achieve with personnel working from home and using cell phones.
All of this means that 2021 is going to finally push cyber governance to the forefront. Boards and executives are going to have to establish frameworks for cyber governance and begin the hard work of managing cyber risks through allocation of resources, appropriate information flows, risk transfer strategies, and regular cyber risk assessments. Agents and brokers can assist their clients by helping them understand what actions may result in lower cyber insurance premiums, referring them to qualified resources for assessments and governance assistance, and guiding them on risk transfer strategies. One thing is certain: cyber risks cannot be ignored in 2021.