Is your data at greater risk in a pandemic?


Date: 6 July 2020

A hacker releases malware to take advantage of COVID-19 security lapses

Criminal groups, such as hackers, typically increase their efforts during periods of crisis. An increase in activity of this nature has been documented during the COVID-19 pandemic. The virus has provided hackers with a golden opportunity to carry out their attacks because we have all been forced to make rapid changes to the way we work and the systems we use to manage our professional and personal lives.

To what extent the threat of cyberattack is realised, however, depends on a multitude of factors. By exploring a few of these factors more closely below, we can begin to understand the risks, forecast possible consequences (of any attacks) and potentially even prevent (or minimise the impact of) certain attacks.

Types of data

In order to properly assess the risk of cyberattack during COVID-19 (or at any time), it is important to consider the type(s) of data that could be at risk. There are four key types of data that are commonly most vulnerable to cyberattack:

  • Personally Identifiable Information (PII)
  • Financial data
  • Electronic health records (EHRs)
  • Intellectual property (IP)

CSO Magazine, a top source for security professionals, recently compiled a list of the top 15 "biggest data breaches" so far this century. Looking at CSO's top five listed breaches, we can identify some patterns in the types of data targeted.

  1. Adobe – involved credit card records (financial data) and login data (PII).
  2. Adult Friend Finder – involved names, email addresses and passwords (all PII).
  3. Canva – involved names, email addresses, usernames, passwords and cities of residence (all PII). Partial credit card details and payment data (financial) were also viewed.
  4. eBay – names, addresses, dates of birth and passwords (PII).
  5. Equifax – involved various forms of personal details, including dates of birth, SSNs, addresses and even driver's license numbers (all PII) in addition to credit card data details (financial).

This reveals that financial data and PII were exposed in combination for four out of the top five breaches, and PII was exposed in all of the top five breaches. Another commonality to all five top data breaches is the involvement of consumer data (as opposed to business data) although the online businesses that (inadvertently) "hosted" these breaches were also harmed.

The other two key types of data frequently exposed or compromised, EHRs and IP, are also important to bear in mind today. While they may not have been involved in the top 5 breaches featuring in the list, the repercussions of a compromise of this type of data can be just as devastating, if not more so. Furthermore, the current economic and environmental factors offer the perfect breeding ground for these types of data breaches.

For EHRs, the connection is a fairly straightforward one to make: COVID-19 is a global public health crisis, producing massive-scale infection rates and a massive increase in health-related data (once documented electronically). A hospital attack was reported in March at Brno University Hospital, one of the largest COVID-19 testing centres in the Czech Republic. Little about the attack's nature was disclosed, but it was significant enough to force an entire IT network to shut down.

It is worth noting the potential for future attacks on the healthcare system, given the pandemic is still active and that some attacks may already be in progress, undetected. Several large hacker organizations stated in March that they had agreed to halt any targeting of hospitals and healthcare organizations during the COVID-19 pandemic. Whilst this is certainly a relief to hear, it should be regarded with some caution given the source (antagonistic "hackers"). Once the selective avoidance of these targets is acknowledged, it becomes unclear where exactly the lines are being drawn. Are non-healthcare organisations directly aiding COVID-19 causes also safe? Could the healthcare sector still be attacked or damaged somehow as the result of an attack on some other non-healthcare target?

IP-related data breaches can ravage business organisations of all sizes, ranging from start-ups and medium-sized businesses all the way up to Fortune 200 companies. A cyber risk that is particularly relevant at the moment, as a result of the unprecedented rates of unemployment and employee furloughing, is the risk from your employees. Up to 72% of departing employees have historically reported taking company data with them. Additionally, up to 70% of IP theft has been reported to happen within 90 days before an employee resigns.

Individuals tend to make big personal life changes (such as a career move) during or following periods of major disruption to normal daily life patterns at the group or societal level. So, it is safe to speculate that departures of this kind have been occurring in higher numbers as a result of the COVID-19 pandemic, with IP data at greater risk as a result.

To what degree is your data centralized?

In tracking cyber risk and the potential progression of a cyberattack, a major ongoing debate in IT (and other technical industries) is whether measures should be centralised or decentralised. There are tech experts who argue strongly toward one approach or the other, either broadly or for certain specific technical contexts. Other experts stress the necessity of a more hybrid approach. For instance, Doug Grindstaff, SVP of cybersecurity solutions for the CMMI Institute, argues, "The reality is that virtually every business should put some centralised measures in place, while allowing room for other steps to be taken in a more decentralised fashion."

An example of this is when companies are considering the pros and cons of conducting their business communication and daily workflow using a single cloud platform vs adopting multiple platforms and solutions. When considering the protection of a company's intellectual property (IP), a business may find it easier to manage their employees' usage of valuable company data when their access is more centralized and streamlined (through a single account/login). Alternatively, they may find better and more secure outcomes when company data is accessed in a more segmented and decentralized fashion.

Whatever corporate decisions are made when considering the company-wide data strategy, it is important to know the risks going in, particularly in periods of economic turbulence like this COVID-19 pandemic. This brings us to a final factor for consideration.

How well are your data assets managed and monitored?

There's no disputing the health benefits of remote working during the pandemic. However, extended periods of company-wide remote working do make it more difficult for companies to manage their assets – data, equipment (devices etc) and even employees. Companies need to implement sufficient controls to protect corporate data, while also allowing workers the flexibility and access to the assets they need to do their jobs properly (such as devices, data, apps, finance). Implementing just a few basic measures can reduce the cyber risk. You should consider:

  • Putting every remote worker on a virtual private network (VPN) while they connect from home
  • Using two-factor authentication for identity verification
  • Relaying information to employees about the latest collaboration tools and any security concerns
  • Reviewing workers' usage of personal devices to access work networks. Are there additional risks posed by older laptops or outdated operating systems? Gauge the risk/reward of buying laptops and phones for remote employees versus operating a bring-your-own-device policy.

Despite a general collective feeling of togetherness and unity in cities and nations during the lockdown, not everyone is on board with the concept of protecting the broader community. Cybercriminals are out in force during this pandemic, preying on individuals and companies that aren't prepared with the latest training and technology. An increase in attacks means companies need to conduct employee training and put in place the right technology to minimise cybersecurity threats. Individuals should also be educating themselves on ways to better protect their personal data.

Copyright 2020. Featured post made possible by Elizabeth Gallagher, Chief Revenue Officer of Lineate
