"Usually big businesses agonize over a change like for months or even years"
As employers around the world made the decision to have employees work from home wherever possible in the face of the COVID-19 pandemic, the safety of their people was top-of-mind — as it should be. But the sheer scale and speed with which the workforces were deployed to home offices with little or no preparation has opened businesses up to a host of cybersecurity issues.
“It was necessarily sloppy,” says Brent Arnold, partner and cyber security specialist at Gowling WLG. “Usually big businesses agonize over a change like for months or even years — this all had to happen in days.”
This is an unprecedented time when it comes to data security and privacy risks, he says, but it will take some time before businesses know how bad it was.
“We do know the volume of attacks is much greater than usual. The volume of successful attacks we don’t know — but it’s going to be higher, it has to be.”
According to a Check Point Software & Dimensional Research survey, 71% of IT and security professionals globally report an increase in security threats since the beginning of the pandemic. Just over half (55%) cited phishing attempts as the leading threat, followed by malicious websites claiming to offer information or advice about COVID-19 (32%) and increases in malware and ransomware (28% and 19% respectively).
“We’ve seen the emergence of thousands of domains with COVID-19 related names and themes — even some presented as government websites — that are being used in attacks,” Arnold says, adding the situation is so unusual there’s been a “real opportunity” for hackers to take advantage of it. “You have a very scared and anxious workforce that is looking for information about the pandemic.”
In many cases a business may not know it’s been the victim of a cyberattack for months — once they gain access to a computer, the hackers may bide their time before exploiting the data they now have access to, Arnold says. Sometimes they spend weeks or months studying the company’s systems to figure out how to be most effective, whether they plan to engineer false transactions or launch an especially effective ransomware attack based on information they wouldn’t normally have.
What businesses are discovering now — “Many for the first time, although it’s not like we haven’t been warning them about this for years,” Arnold adds — is that they aren’t well-equipped to deal with this in many cases. Some don’t have a breach response plan at all, and of those that do many if not most are discovering they hadn’t accounted for a situation like the pandemic. For example, a big company would have a designated committee that would typically gather in a war room onsite but you can’t do that in this environment.
“Now they’re having to adapt on the fly if there is a breach because the way their plans were set up all contemplated them being in the office to deal with it,” he says, recommending the plans be updated to take into account the prospect of a workforce spread out over the city, the province, or even all over the world. “Coming out of this, everyone’s planning is going to have to be a lot more agile.”
The pandemic has essentially heightened the cybersecurity risks that were always there — for example, there was always the risk that people taking information out of the office would leave their laptop in a cab, have something stolen at a restaurant or drop a USB key somewhere — but those pitfalls take on a different character on this scale.
Because of the hurried deployment, many employees are working on personal devices that aren’t covered by the corporate security umbrella and they’re working unsupervised — there’s no one from IT standing over their shoulder telling them not to use their own cellphone for work calls, or not to email from their personal email address. Employees also may circumvent existing security controls because it’s more convenient — the VPN takes up too much bandwidth so they do the work on a personal computer and email it to their work account, for example.
There are also issues around the privacy of communications. When talking on the phone or in a Zoom meeting, other people in the home are able to overhear what’s being said.
“If you’re home with just your immediate family who don’t care what your job is it’s fine, but some people have roommates and are living in close quarters with people they don’t know that well,” Arnold says. “That’s an information or privacy breach concern, which is obviously a lot worse right now because so many people are working out of the office so the opportunity is a lot greater.”
A few months in, companies are realizing they can operate with some or all of their workforce at home — and despite the heightened cyber risk they’re going to do it because it cuts down on overhead costs.
If this is the new normal, it’s time to take a long-term look at the situation and acknowledge that some of the risks inherent in not having people in the same building under the same corporate security umbrella are going to be ongoing and need to be accounted for. Arnold recommends stiffening up cybersecurity on a technical front — for example, checking on what was deployed in a hurry such as an off-the-shelf VPN solution — and training employees to understand the risks and be alert. Training can be a challenge for smaller businesses, but he notes there are some low-cost options available, including free government resources.
Organizations should also be taking a look at existing cyber insurance coverage to make sure it’s adequate or getting insurance if they don’t have it. Many aren’t moving on these things yet, he says, but they do have an excuse — most are dealing with “a hierarchy of crises.”
“Some are facing exponential threats to their business — we’ve seen a number of very large scale bankruptcies starting over the last month and a half — so I can understand why cyber risk isn’t at top of the menu of things they’re trying to deal with or spend money on,” Arnold says. “That’s driving a lot of this — they’re facing such a much bigger financial crisis it’s just not the priority it normally hopefully would be.”
That said, the Office of the Privacy Commissioner of Canada was “very clear” businesses are still on the hook for privacy breaches and required to follow the usual protocol.
“No one’s going to get a pass on this because there was a global pandemic,” Arnold warns. “But that’s not going to change the way companies react — they’re dealing with the first crisis.”