CISM, CTO & CISO, Virtually Informed

June 8, 2020


Pandemic – The perfect storm for cyber and physical security attacks

Sarb Sembhi explains why a global pandemic has created the ‘perfect storm’ for cyber and physical security attacks.

NOTE: This article is adapted from the presentation Sarb gave recently, available here, with three other presentations on business and cyber security responses to the pandemic in late May.

In the not too distant past…

The majority of corporate users were at the same physical place as the corporate security controls. Most hardware assets resided, or were mainly used, in a few corporate offices, and most assets leaving a corporate office would be back there within 12-16 hours, as that is where they were used the most.

The majority of access to corporate data was from the corporate office, with predictable internal use, while the help and support desk team dealt with issues on site, with adequate turnaround for users. This meant that all enterprise security controls and technology were centred on the corporate office.

Physically, the corporate offices were swarming with employees for much of the day, while security guards monitored staff and visitors at all times. However, overnight guards were only alone for 12-16 hours.

Now, this has changed. Corporate offices have very few humans left in them, but still have all the infrastructure, while end points (computers and mobiles) are now operated from home. The few humans left in offices are the security guards.

Cyber security has talked about the concept of de-perimeterisation since the early days of the Jericho Forum, and many corporate businesses felt that they had actually implemented it. The old view of security was based on the castle approach, where you built strong, solid walls. However, this approach has since been recognised as flawed, because once an intruder got past the castle gates, they were able to get anywhere and do almost anything.

The whole concept of de-perimeterisation is that you create localised perimeters based on the value of the assets you are trying to protect – so you take away a single perimeter and create many of them, based on the value of assets and the risks to them. This is sometimes called defence in depth, or a multi-layered approach.

The problem that many corporations have found in this pandemic, however, is that the de-perimeterisation they thought they had set up can’t be very real when all their controls continue to be based in corporate offices. This isn’t the case for all, but certainly is for many.

Game changer 1 – Security controls and internet traffic

For users to be productive and do the work they need to do, they have to take their corporate laptops from secure office environments to insecure home environments. This means that users and corporate technology assets are no longer in the place where the majority of the enterprise security controls were established. Traditional approaches route traffic through local or regional corporate offices, meaning that the VPN (Virtual Private Network) routes all users’ traffic through the corporate infrastructure, creating bottlenecks when everyone starts video conferencing.


Part of this challenge is that the technology doesn’t necessarily separate corporate data access from other resource intensive internet traffic, such as video conferencing. The increased use of video conferencing apps means greater bandwidth requirements, not just in the corporate offices, but across the rest of the internet. So, in some cases where user connections to the internet may only be via corporate VPNs, even when you’re using a fast video conferencing app, with a fast local home broadband, it will be slowed down because it is all being routed through the corporate security controls with the rest of the corporate traffic for the day. This causes great frustration in getting things done during the working day.

Game changer 2 – Our empty business castles

The reality is that our ‘business castles’ are empty – “Someone switch the lights off on the way out!” They are only occupied by one or two security guards each day, compared to before the pandemic.


This means that now is the best time for both a physical and cyber-attack:

  • Cyber-attacks at the edge: a) on end-users and b) on edge devices in smart building technologies.
  • Physical attacks. There is less chance of being seen, because not only are buildings empty, but there aren’t many people around the building, the street or anywhere outside of their homes.

There is even a greater likelihood of the use of drones to stake out the target office buildings which have data, technology and other valuable assets, often only overseen by a few underpaid security guards.

Game changer 3 – More furloughed and unemployed staff needing additional income

It is possible that a greater number of phishing attacks will be picked up, as many employees have been furloughed and are often using their personal email addresses on corporate laptops. And, where users use their own devices – often with limited or no anti-malware solutions installed – to respond to emails, phishing attacks will likely be more successful.

When personal email isn’t routed through the corporate security controls, but may still be accessed on corporate devices, it could still leave the device open to compromise, as there is a reliance and assumption that users will not click on anything unless it has specifically been identified as malware.

The overall effect of this may mean that phishing links are more likely to be clicked on by staff who have a shortfall in their income, and a desire to make up that shortfall through other means.

With some research estimates stating that phishing has increased by 60% since the start of lockdown, users have to be more vigilant. Unfortunately, it doesn’t offer hope that devices will be as free from malware as they once were.

Game changer 4 – Employee and public mental wellbeing

This is perhaps the most important one for many people. The pandemic hit each country at different times and extraordinarily little thought had gone into the planning for the future. Hence, there was an unknown or underestimated impact:

  • of social isolation on different people;
  • of continuous conference calls;
  • of boredom on isolated people and viewing COVID-19 misinformation from trusted contacts;
  • of isolation on user attention to follow security behaviour after 8, 10, 12 or more weeks.

People’s psychological states are likely affecting their ability to make the right choices after being in lockdown for so long. This is further accentuated by the uncertain stability of the world economy, leaving people wary of future prospects.

Game changer 5 – Political leadership

This is not a political article and nor should it be seen to be one, but it is important to understand that decisions made during this time will affect the potential of security risks as time goes on. Those countries that have fared the best have been those whose leaders acted early and decisively, where the rest fumbled and have continued to be inconsistent.

The worst of these have been the inconsistencies in following expert advice. Alongside this, the use of real numbers to illustrate how much better one country is doing than others has resulted in uncertain statements.

Each country’s leadership has created the economic environment we are going to inherit during this period, which will include both the opportunities and the threats for businesses in the world economy. Most importantly, leaders must be held accountable for the deaths of ordinary people through their lack of response.

Review and update

So, as security businesses, what should we be doing? In some respects, it is ensuring that we prioritise some of the things that we were or should have already been doing before the pandemic.

We must review our approaches to People, Processes, Technology and Culture to learn from this pandemic – not just in how it affects people and corporate buildings but also our supply chains, and how the business can adapt to play a more active, positive role in reducing the impacts of working from home. We must also review how we are protecting our staff who have no choice but to work from the empty offices. This protection is not like the protection that we have become accustomed to in security in years gone past, but is in terms of mental health and wellbeing. If we don’t consider protecting our staff, why should we expect others to?

Review and update our Business Continuity and Disaster Recovery strategies and plans – they will not be the same again. I’ve known many businesses to have pandemic plans but none that allowed for the possibility where most staff would be working from home and allowed for all the implications that came with it.

Working from home policies can now eventually change, but they will have to add in the additional controls that may have been absent during the lockdown on protecting business data and mental wellbeing.

Finally, and very importantly, user awareness advice on fact-checking social media may need to become something for businesses to insist upon.

We must make sure that even given the current economic climate of pending layoffs, we still treat people with respect and care. One day they may need to come back, and how we treat them now will determine whether they are a good or bad advert for us as employers.

I’ve heard some organisations have encouraged their staff to take holidays as and when they want, but also to be able to carry holidays over to the next year rather than being forced to stay at home. How we care for our staff now will determine how secure we are tomorrow, not just in physical security terms, but also with regards to cyber security – don’t let people become the biggest casualty of the pandemic due to negligence!

Our sister title, SHP Online, has put together a useful resource for those looking to support their colleagues in the transition to home working.  
