Threat actors rarely miss an opportunity, and COVID has given them ample chance to exploit the technical challenges around provisioning secure tools at scale. This has created visibility blind spots on networks largely designed to operate from within the traditional corporate environment.
CANCOM's CTO, Mark Skelton, and HPE's chief technologist, Alex Haddock, joined Dan Swinhoe, Editor of CSO Online, to discuss the security challenges presented by COVID-19, including:
- How have threat actors adapted to COVID-19?
- What security challenges are presented by remote working?
- What are the biggest security challenges within an organisation right now?
- How can CIOs and CISOs tackle cyber security threats?
Here are some excerpts:
How have threat actors, whether cybercriminal or state sponsored, adapted their tactics to take advantage of this pandemic?
I think it's interesting – scary is probably the right term for it – how little they've had to adapt. Even prior to COVID, we were looking at a predicted six trillion-dollar transfer of funds in cybercrime by 2022. So, to put that into context, that's more than the entire illegal drugs trade - cybercrime is an industry, even to the point of having 24x7 support.
They have an agility that some of the businesses listening to this may be envious of. They've reacted very quickly. And, of course, what this has done is just give them a fantastic opportunity, a much larger attack surface with people working from home.
And they're leveraging things that we're now calling Fear Ware - that's increased phishing and spear phishing opportunities based around hot topics like COVID-19 masks and advice on how to protect and self-isolate, or pretending to be tracking solutions from governments.
There's been such massive growth in provision and need to work from home but not necessarily with the security and compliance techniques that would normally be applied. Cybercriminals have adapted very quickly from a very strong base and that's not a great thing for us.
What are the technological challenges of adapting an entire workforce to work remotely in a short space of time?
We've seen probably more change in the last two months than we have done in the last two years. It's incredible what the IT industry has had to pick up and support with the pandemic spread and the move to homeworking.
As an organisation, we've seen a massive demand for scaling out VDI platforms, for building new public cloud infrastructures and building new VPN solutions. Collaboration platforms like Zoom or Teams have been flying out the door to allow remote working scenarios.
And I think the big observation is that Business Continuity plans from organisations just weren't robust enough; many didn't plan for this scale of remote working.
We've seen a lot of organisations go through a panic or reaction phase. Which then leads on to some of the points that we're talking about today around cutting corners around security or not having the correct governance in place.
Has provisioning of hardware been a big challenge?
Yes. One of the first things we saw as this hit Europe and the US was a massive shortage of devices. This was caused by early impacts on the Chinese supply chain and made worse by the well-known Intel CPU shortages that kicked in last year.
So, to that point, even though we're not an end user computing company any longer, what we found early on was that a lot of our requests were for our asset recovery business.
For instance, we supplied over 50,000 laptops to a U.S. bank just to get them homework enabled. Now, the reason I bring that up is that I've been privy to several calls where people, particularly health care organisations in the U.K., have been so desperate for those devices that they've been taking them from potentially unsanitised sources. And that's a dangerous thing to do.
You need to make sure that any devices you take on second hand have been properly cleaned to the right governmental standards. Certainly, right now one of the biggest challenges in the Enterprise is on the firmware of systems.
What’s your view on the human factor around security?
I think the human factor is one of the biggest headaches for CISOs. In other words, how do you get users to understand security policies and procedures that are put in place?
One of the big weaknesses in the IT industry in general is that we don't really think about adoption management and how it's implemented in organisations. For example, training the end users on how to interact with technology and what they can and cannot share. After all, there's only so much governance you can put into a tool to restrict things.
Most end users are not IT literate. And I don't mean that in a nasty way. It's just not the core nature of their role. For example, one of the big areas we deploy into is healthcare. This sector is incredibly stretched right now. So, it's vital as part of that roll out of the technology that we train end users on security principles.
How are companies enforcing good security behaviours?
As an IT company, at HPE we have regular cybersecurity training every year as well as regular phishing and spear phishing on us as employees.
Phishing is when you have the typical email saying you've won maybe 10 billion pounds. Spear phishing is far more sophisticated and is tailored to you or your organisation. I'm a technologist and I hate to say, I've been caught out on a couple of occasions in the last year. And it's a real "Doh, I can't believe I've done that" moment. It's always when you're on a mobile device, it's always out of hours, it's always when you're just not paying full attention. It is so easy to do.
Are businesses equipped to operate going forward in terms of business-as-usual?
Yes. The good thing is the will is there now and the technology is also there. I think the important thing is having that third-party input to validate what's been done. To do the testing and improve what, in many cases, has had to be rushed. That's where I see partners like CANCOM and HPE come into play.
It's likely we're going to have distancing for some time. And after that, it's likely that we're going to have new business continuity plans that need to be put in place - not just around data centre recovery in case of catastrophic failure or terrorist attack - but also around what happens when the next pandemic comes along.
What’s your advice for any CIOs and CEOs struggling right now with security?
Treat cyber security as a 'when' and 'not if' issue. Make sure you’re spending time and investment to look at and examine your processes, as well as your people and technology.
I think the big thing that I would like to get across is that CISOs need to think about how they can integrate with adoption management. How do we get end users to understand what the policies and procedures are around the technology that they’ve got at their fingertips?
Another thing we at HPE are starting to see and recommend is cyber insurance. Insurance companies are very good at risk management themselves and will tend to help frame which products and systems may help you achieve your goals.
As with all insurance, make sure you read the T’s and C’s. For example, there’s some interesting stuff going on now in the press around get out clauses, around cyber war and nation states action. But overall, it's something I’d strongly suggest that if you don’t have it, you make some really, really close inquiries about.
How can CANCOM and HPE help technology leaders out there with what they’re trying to achieve?
At CANCOM we’ve got a number of different offerings that can really help organisations and our customers tackle some of the challenges we talked about today, so we’ve got things like assessment services, where we’re going back to customers and looking at where there may be risks associated with the technology they have deployed.
For identifying new attack vectors that may be unknown to organisations we’ve got several assessment services and pen testing services that we can offer to our customers.
I think it’s key that you get that third-party view. Now, of course, we would love it to be either CANCOM or HPE.
At HPE we are conspicuous by our presence on the 2019 inaugural cyber analysts validated product lists and our products are validated by an 8-industry member insurance consortium for cyber insurance.
So, that just shows we are architecting our servers and networks to be as resilient as possible and participating in the Zero Trust model.
Expect us to talk more around the Silicon root of trust and how we will expand that further up the stack.
- Review rapid deployments
- Review your Business Continuity Plan - not just around data centre recovery in case of catastrophic failure or terrorist attack - but also around what happens when the next pandemic comes along.
- Invest time and money reviewing your processes, people and technology.
- Consider Cyber Security insurance
- Think about how to get end users to understand security policies and procedures.
- Get a third party view of your security, governance and compliance.
Featured in this podcast:
Alex Haddock, Chief Technologist, HPE
Mark Skelton, CTO, CANCOM
Dan Swinhoe, Editor, CSO Online