Covid-19 Has Further Evolved The New Security Risk Management Paradigm

Courtney Adante, President, Risk Advisory and Brendan Johannsen, Vice President, Teneo
Originally published in the April | May 2020 issue
  • An extract from Teneo’s Vision 2020 publication

In 2019, when we set out to identify the most pressing security challenges confronting businesses in 2020, we could not have envisioned the unprecedented impact that the novel coronavirus (Covid-19) pandemic would have on every facet of modern life. This chapter was originally written as part of Teneo’s Vision 2020 publication, but we would be remiss not to recast our viewpoint through the lens of the Covid-19 pandemic. As businesses rush to establish new protocols in this environment, the sheer volume of information and situations to consider has forced many companies into a reactive position, challenging them to consider the full range of impacts that Covid-19 will have on both current and future operations.

While companies are understandably focused on how the disease will impact their office environments and operating models, less obvious are the ways Covid-19 has irreparably changed or exacerbated the range of security challenges confronting businesses today. To survive and thrive, it is imperative that businesses understand that the threat landscape today is evolving at an extraordinary pace. 

The proliferation of emerging technologies and heavy reliance on social media as a primary news and information source – accelerated by Covid-19 – have created unforeseen and increasingly complex security challenges in both the cyber and physical domain. Organizations will need to address this dynamic by implementing a new security risk management model that replaces the traditional reactive, one-size-fits-all approach with a more targeted, proactive and anticipatory methodology; this new approach should focus instead on ensuring an organization’s ability to identify and mitigate potential threats as well as quickly respond to and recover from events as they materialize. 

What we’re up against

  • Concerns regarding a potential second wave of Covid-19 infections and resulting reinstatement of stay-at-home orders require businesses to maintain robust crisis management and business continuity plans, with resilience as a cornerstone and guiding principle of planning.
  • Insider threat, whether unwitting or malicious, is one of the biggest threats to business today, and social engineering has become a primary tactic to reach insiders as pawns in criminal schemes. 
  • The growth of and real-time nature of social media as a tool for information dissemination has inadvertently created a new threat domain and new channel for organizations to manage and monitor for reputation risk. 
  • The Internet of Things (IoT), with an estimated 25 billion connected devices by 2021, confirms that physical and cyber security are becoming inextricably linked.
  • Workplace violence has challenged businesses to think differently about prevention, training and means to identify ‘pre-attack’ behaviors. 

Breaking it down

Bracing for future disaster
With more than 75% of businesses reporting disruption because of the ongoing Covid-19 pandemic, the only certainty is that the virus will continue to disrupt traditional operating models. Companies were universally ill-prepared to handle the pandemic as it unfolded into a full-fledged crisis, and employees and customers will uniformly look for leaders to address head-on the potential for future infections.

Good business continuity planning and crisis management frameworks enable resilience and will be central to maintaining stakeholder confidence in dealing with crises. Key components of good continuity of operations and crisis management plans include:

  • a thorough understanding of the critical assets of the company and the risks to the enterprise;
  • mitigation strategies in place to address enterprise risks;
  • an inventory of core business processes and “keep the lights on” operations and technology, as well as the people who manage those functions and their locations;
  • designation of backup operations facilities if applicable and plans for remote access; and
  • assignment of a crisis management and crisis communications team with relevant policies, procedures and training in advance of disaster.

Mitigating insider threats
As Covid-19 has forced millions of people around the world into extended “work from home” environments, it has placed unprecedented stresses on workers, many of whom are now expected to meet the daily demands of their jobs while balancing responsibilities at home and the unique stress of isolation. Unwitting insiders, rushed and distracted, may inadvertently click on a bad link, send the wrong file or download harmful software from a ‘phishing’ attack. Alternatively, disgruntled employees motivated to cause harm or achieve financial gain may use inside information and privileged or unauthorized access to disrupt operations, steal money or leak valuable data. In either case, ‘insider threat’ has become one of the biggest concerns for businesses grappling with cyber security risk amid the Covid-19 outbreak. The 2019 Verizon Data Breach Investigations Report found that 34% of all breaches happened as a result of insider threat, disproportionately impacting businesses in healthcare, IT and financial services due to issues like sheer processing error, misconfigurations, theft and phishing attacks. We think the new WFH model, and the challenges and stresses it brings, automatically extends this further across a wider range of industries. With Google having detected more than 18 million malware and phishing Gmail messages per day related to Covid-19, companies must assume that their workers – and their systems – may become victims of these attacks.

Compounding this risk, bad actors are increasingly using ‘social engineering’ to infiltrate organizations and gain access to systems and critical information by impersonating something or someone familiar to the target. Attackers analyze the behavior patterns of targeted individuals and then set up social media profiles or email accounts to generate direct messages that appear genuine, in order to engage with individuals in the target’s network. Given the unending dissemination of new information related to Covid-19, bad actors are increasingly masquerading as government, medical or charity organizations. Once convinced that a message contains critical information regarding the virus, users can be coaxed into clicking on a bad link, sending confidential information or downloading a file. Malware and ransomware have become commonplace tools by which attackers take control of, or steal information from, such unwitting employees. The result can be as simple as stolen login credentials or as damaging as the loss of millions of private records.

Beyond Covid-19, attackers are using these types of social engineering tactics to target or emulate CEOs for financial gain, primarily because CEOs typically hold or have access to valuable and confidential information; in cybersecurity circles this is dubbed “whaling”. Colleagues and direct reports of the CEO receive what appear to be legitimate or urgent requests to open accounts, wire money or provide credit card information or confidential login credentials. And normally, when the CEO asks, you answer.

So how can businesses mitigate risks resulting from these seemingly authentic stunts? Although ensuring VPNs, email filtering and antimalware software are up to date is critical, the answer lies beyond just technology. Instead, regular employee training aligned to the current threat environment, diligence in identifying and reporting suspicious behavior and a commitment to building a security-focused culture that encourages employees to surface issues can help protect the organization. Forward-thinking organizations build insider threat training into their onboarding programs and regularly message the importance of cybersecurity risk management from the CEO down.
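The whaling pattern described above (an executive’s name on a message from an outside mailbox, pressure to act now, a request to move money or hand over credentials) is something an email gateway can triage mechanically before the human “when the CEO asks, you answer” reflex kicks in. The following is an added example written for this article, not Teneo’s tooling or any product; the executive list, the corporate domain and the three sample messages are constructed for illustration, and the scoring thresholds are assumptions.

```python
"""Heuristic triage for executive-impersonation ("whaling") email.

Added example, not Teneo's tooling. It scores an inbound message against a
hypothetical executive list and corporate domain, and routes anything that
looks like an urgent payment request "from the CEO" to an out-of-band phone
verification before the recipient can act on it.
"""
import re
from dataclasses import dataclass, field
from difflib import SequenceMatcher
from email.utils import parseaddr

# Hypothetical company data, constructed for this example.
CORPORATE_DOMAIN = "example-corp.test"
EXECUTIVES = {"Jane Doe": "jane.doe", "Raj Patel": "raj.patel"}  # display name -> mailbox

URGENCY = re.compile(r"\b(urgent(ly)?|immediately|asap|right away|today|confidential)\b", re.I)
PAYMENT = re.compile(r"\b(wire|transfer|invoice|payment|gift cards?|bank details|credentials|login)\b", re.I)


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    def flag(self, points: int, reason: str) -> None:
        self.score += points
        self.reasons.append(reason)

    @property
    def action(self) -> str:
        # Thresholds are assumptions for this example.
        if self.score >= 4:
            return "hold and verify by phone"
        if self.score >= 2:
            return "warn recipient"
        return "deliver"


def _norm(name: str) -> str:
    return " ".join(name.lower().split())


def triage(raw_from: str, subject: str, body: str, reply_to: str = "") -> Verdict:
    v = Verdict()
    display, addr = parseaddr(raw_from)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1]

    # 1. An executive's display name on an address that is not that executive's mailbox.
    exec_name = next((e for e in EXECUTIVES if _norm(e) == _norm(display)), None)
    if exec_name:
        if domain != CORPORATE_DOMAIN:
            v.flag(3, f"display name '{exec_name}' but sender domain '{domain}' is outside {CORPORATE_DOMAIN}")
            if SequenceMatcher(None, domain, CORPORATE_DOMAIN).ratio() >= 0.75:
                v.flag(1, "sender domain is a look-alike of the corporate domain")
        elif addr.split("@", 1)[0] != EXECUTIVES[exec_name]:
            v.flag(3, f"display name '{exec_name}' but mailbox '{addr}' is not that executive's")

    # 2. Replies quietly diverted to a mailbox the sender does not control.
    _, rt_addr = parseaddr(reply_to)
    if rt_addr and rt_addr.lower().rsplit("@", 1)[-1] != domain:
        v.flag(2, f"Reply-To '{rt_addr}' is on a different domain than the sender")

    # 3. The pressure and payment cues the article describes.
    text = f"{subject}\n{body}"
    if URGENCY.search(text):
        v.flag(1, "urgency language")
    if PAYMENT.search(text):
        v.flag(1, "payment, account or credential request")
    return v


if __name__ == "__main__":
    # Constructed sample messages: one whaling attempt, one genuine executive
    # email, one ordinary supplier invoice.
    samples = [
        ("Jane Doe <jane.doe@example-corp-mail.test>", "Urgent wire transfer",
         "Please transfer $45,000 today. Keep this confidential.", "jane.doe.ceo@webmail.test"),
        ("Jane Doe <jane.doe@example-corp.test>", "Q3 board deck",
         "Attached is the draft for your review.", ""),
        ("Acme Billing <billing@acme.test>", "Invoice 1234",
         "Please remit payment immediately.", ""),
    ]
    for frm, subj, body, rt in samples:
        verdict = triage(frm, subj, body, rt)
        print(f"{verdict.action:26} score={verdict.score}  {subj!r}  {verdict.reasons}")
```

The point of the “hold and verify by phone” outcome is that the control is procedural, not just technical: the recipient calls the executive back on a number already on file, never one supplied in the message. The genuine executive email scores zero and is delivered untouched, while the supplier invoice only draws a warning, which keeps the rule from training staff to ignore it.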

Authenticating deepfakes
One of the latest and particularly troubling threats to emerge is the use of ‘deepfakes’, which are fake videos or audio clips that look and sound as though they are legitimate. Scammers are using deepfake audio to convince employees to transfer funds or make payments to erroneous accounts following what appear to be real and urgent requests from their managers. Other nefarious actors are using deepfake videos to spread ‘fake news’ on social media or to create embarrassing videos that harm the reputations of public figures. With social media use up more than 50% as a result of the virus, such incidents can quickly escalate into damaging events.

Notable deepfakes in the last year include altered videos of former President Barack Obama, Mark Zuckerberg, Nancy Pelosi and Kim Kardashian, all of which were real enough to garner viral attention before experts pointed out the key differences and glitches in the video feed which clarified that the videos were, in fact, fake. In August 2019, a UK energy company was the victim of a cybercrime when a deepfake audio recording was used to trick the CEO into wiring over $200,000 to a fraudulent account at the direction of the CEO of his German parent company. The audio had perfected his German accent and the lilt of his voice, making the forged audio undetectable to the listener.

Deepfakes are created using what are called ‘generative adversarial networks’ (GANs). GANs work as follows: two machine learning (ML) models are trained against each other with the goal of producing a believable enough deepfake video. One model, the generator, trains itself using massive data sets, in this case real videos of, for example, a celebrity, to create an imitation. The job of the second model, the discriminator, is to detect the imitation. The cycle continues until the second model can no longer detect a fake, and thus a deepfake is born. These models work particularly well for recognizable public figures like politicians and celebrities due to the sheer volume and availability of video and audio clips online to serve as the training set.
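The adversarial cycle just described, reduced to something that can be run and read in a minute, as an added illustration that is not code from the article or from Teneo. Real deepfake GANs learn faces and voices; here the “real videos” are a constructed one-dimensional distribution, the generator learns only a single shift parameter b, and the discriminator is a logistic regression, all assumptions made for readability. The run first shows the discriminator confidently catching the untrained generator’s output, then the alternating training until it can no longer tell real from imitation.

```python
"""A toy generative adversarial network in pure Python.

Added illustration, not code from the article. "Real" samples come from a
constructed distribution N(4, 1). The generator produces z + b with z ~ N(0, 1)
and learns only the shift b; the discriminator D(x) = sigmoid(w*x + c) learns
to tell real from generated. Training alternates exactly as the article
describes: the discriminator trains on real vs. imitation, the generator trains
to fool it, and the loop ends with the discriminator near a coin flip.
"""
import math
import random

REAL_MEAN, REAL_STD = 4.0, 1.0  # the constructed "real" data


def sigmoid(t: float) -> float:
    # Numerically safe logistic function.
    if t >= 0:
        return 1.0 / (1.0 + math.exp(-t))
    et = math.exp(t)
    return et / (1.0 + et)


class Discriminator:
    """D(x) = sigmoid(w*x + c): the model's probability that x is real."""

    def __init__(self):
        self.w, self.c = 0.0, 0.0

    def prob_real(self, x: float) -> float:
        return sigmoid(self.w * x + self.c)

    def update(self, real, fake, lr: float) -> None:
        # Gradient ascent on mean log D(real) + mean log (1 - D(fake)).
        gw = gc = 0.0
        for x in real:
            e = 1.0 - self.prob_real(x)   # d/dlogit of log D(x)
            gw += e * x
            gc += e
        for x in fake:
            e = -self.prob_real(x)        # d/dlogit of log (1 - D(x))
            gw += e * x
            gc += e
        n = len(real) + len(fake)
        self.w += lr * gw / n
        self.c += lr * gc / n


class Generator:
    """G(z) = z + b with z ~ N(0, 1); only the shift b is learned."""

    def __init__(self):
        self.b = 0.0

    def sample(self, n: int, rng: random.Random):
        return [rng.gauss(0.0, 1.0) + self.b for _ in range(n)]

    def update(self, fake, disc: Discriminator, lr: float) -> None:
        # Gradient descent on -mean log D(fake): d/db = -(1 - D(x)) * w, so b moves
        # in whichever direction the discriminator currently associates with "real".
        g = sum((1.0 - disc.prob_real(x)) * disc.w for x in fake) / len(fake)
        self.b += lr * g


def real_samples(n: int, rng: random.Random):
    return [rng.gauss(REAL_MEAN, REAL_STD) for _ in range(n)]


def detection_accuracy(disc: Discriminator, gen: Generator, rng: random.Random, n: int = 2000) -> float:
    """Fraction of a balanced real/fake set that the discriminator labels correctly."""
    hits = sum(disc.prob_real(x) > 0.5 for x in real_samples(n, rng))
    hits += sum(disc.prob_real(x) <= 0.5 for x in gen.sample(n, rng))
    return hits / (2 * n)


def train(g_steps=1000, d_steps_per_g=5, batch=64, lr_d=0.05, lr_g=0.02, seed=7) -> dict:
    rng = random.Random(seed)
    disc, gen = Discriminator(), Generator()
    # Warm-up: the discriminator alone learns to spot the untrained generator's output.
    for _ in range(200):
        disc.update(real_samples(batch, rng), gen.sample(batch, rng), lr_d)
    acc_before = detection_accuracy(disc, gen, rng)
    # Adversarial loop: several discriminator updates per generator update.
    for _ in range(g_steps):
        for _ in range(d_steps_per_g):
            disc.update(real_samples(batch, rng), gen.sample(batch, rng), lr_d)
        gen.update(gen.sample(batch, rng), disc, lr_g)
    acc_after = detection_accuracy(disc, gen, rng)
    return {"b_after": gen.b, "acc_before": acc_before, "acc_after": acc_after}


if __name__ == "__main__":
    r = train()
    print(f"generator shift b after training: {r['b_after']:.2f} (real mean {REAL_MEAN})")
    print(f"discriminator accuracy before: {r['acc_before']:.2f}, after: {r['acc_after']:.2f}")
```

The design choice worth noticing from a defender’s view is that the generator never sees the real data directly; it only sees the discriminator’s gradient, and it keeps moving until that gradient carries no information. Whatever signal a detector relies on is therefore exactly what the next round of training removes, which is the mechanism behind the article’s observation that deepfake technology is outpacing detection, and why verification of the source (a call back, a second channel) matters more than spotting glitches in the media itself.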

In the lead up to the 2020 election, we expected lawmakers to intensify scrutiny on social media platforms and pursue policies to protect consumers from disinformation; with Capitol Hill squarely focused on Covid-19 fallout, however, this may no longer be the case – highlighting the need for heightened diligence. The challenge remains that the technology is developing faster than the solutions to mitigate or even detect deepfakes before they hit social media and go viral. While the problem searches for a solution, businesses and the public at large must remain vigilant and maintain a healthy skepticism related to “fake news”.

Embracing security convergence
On the internet, futuristic use cases include Jetson-esque refrigerators with direct online access to delivery services to reorder your milk, or watches that text biometric data to physicians for real-time health monitoring. In these examples, the convenience factors are obvious. Now, Covid-19 has only accelerated the convergence between the physical and cyber domains, with individuals relying on the internet for everything from grocery shopping to fitness classes, education and confidential meetings including interviews and business deals. However, this heightened ‘connectedness’ implies a new and unexpected playground for cyber-attack in the form of machines, appliances and personal accessories. One of the most unanticipated and unfortunate outcomes of the increased use of video communication technologies is “Zoombombing”, a nod to the live streaming service, Zoom. Even as this goes to publication, reports of bad actors hijacking virtual meeting services and posting lewd content and hate speech are hitting the news cycle daily.

Stay-at-home orders have forced every business to connect to the Internet, with most relying on digital platforms to conduct their core operations; indeed, many commentators have already declared the demise of the traditional office space. These proclamations are hyperbolic, but the underlying shift is real. Since the 90’s, we’ve grown accustomed to ‘information technology’ and associated cyber-attacks on computers and network infrastructure through the Internet, including phishing, malware and, now with the rise of crypto-currency, ransomware. The Internet of Things, which has largely enabled more efficient and automated processing of ‘operations technology’ through Internet connectivity, such as machines found on manufacturing assembly lines or office building infrastructure like elevators, escalators, turnstiles and doors, has also created an unintended new attack surface for malicious actors. Who could have imagined that an employee’s refrigerator, a watch or even an elevator could serve as an open door for a cyber-attack? The 2013 Target breach proved this is indeed possible – the company was hacked after the attackers stole network credentials from one of Target’s HVAC vendors, who had remote access to heating, cooling and refrigeration systems for maintenance. Hackers successfully tunneled in via the vendor’s network credentials and famously uploaded card-stealing software to cash registers.

This convergence of the physical and cyber domains implies that security measures must also converge, or else organizations are left exposed through increasingly unexpected entry points. No longer can organizations draw lines between their physical security and information security teams and expect that the two can achieve success while operating independently. Heretofore siloed security operations within companies have failed to accurately recognize patterns and emerging threats because they have not considered the totality of the attack surface within the organization. To effectively manage security risk in today’s environment, businesses are best served by centralizing both physical and information technology security under the leadership of the Chief Security Officer, who is then responsible for building and driving a culture of security mindedness as the shared fate of the organization.

Detecting & preventing workplace violence
Covid-19 has created new fears regarding health and financial wellbeing that will endure upon return to the workplace, creating the potential for those concerns to manifest as aggressive behavior. There are reports of violence at big-box stores like Costco and Sam’s Club as the virus fuels concerns regarding personal space and the transmission of the virus. Staff members at hospitals and health clinics report being abused by frustrated people waiting in long lines.

Extremist organizations have also used uncertainty regarding the pandemic to advance xenophobic positions, raising the potential for discriminatory behavior and even violence. In the United States, white supremacist groups have touted theories blaming nonwhite and immigrant communities for spreading Covid-19 and encouraged violence against those communities. One white supremacist Telegram channel focused on Covid-19 messaging grew its user base from just 300 users to 2,700 in March alone – a growth of 800%.

Companies are best served to implement policies, procedures, training and reporting mechanisms to protect employees and enable them to comfortably come forward if they notice unusual or suspicious behavior in and among colleagues. Some common steps include:

  • installation of safety measures like security cameras, alarm and lighting systems;
  • education and training on what to watch for, what to do and who to notify;
  • provision of clear policies and procedures related to zero tolerance and code of conduct; and
  • safe and, where applicable, anonymous reporting mechanisms to encourage employees to speak up without fear of retribution.

Overcoming traditional security structures

Since the outbreak of the Covid-19 pandemic, many companies have looked to their security teams to provide guidance and ensure business continuity. Organizations still operating under a traditional structure, however, have found themselves poorly positioned to confront an invisible target with little respect for boundaries. Traditional corporate security departments were created to protect physical assets, and their employees reflect a relatively narrow operational scope. Physical security, based on access control and screening measures, uniformed guards and video surveillance, is generally characterized by defensive or responsive measures. These programs fall far short – and in many instances offer no protection at all – against the current state of security risks.

With public health experts anticipating a protracted lag time before effective Covid-19 treatments or a vaccine, continuing to rely on traditional security structures only creates more risk. Instead, it is critical that we evolve our understanding of what constitutes a security threat and shift our focus away from responding to crises towards adapting to mitigate and recover from them while maintaining core business functions. Given the fundamental personal health security needs for employees, customers and other business stakeholders which we’ve seen evolve during, and expect post pandemic, we will increasingly see the Chief Human Resources Officer (CHRO) and the Chief Security Officer working hand in hand.

Enabling resilience against disaster

As companies reimagine themselves for a post-Covid-19 world, ensuring they can overcome threats to security and business continuity requires shifting away from the traditional “protection” mindset and instead adopting a culture and governance structure focused on resilience. Unlike those that seek merely to prevent a traumatic event, resilient companies focus as well on effectively rebounding and recovering from any acute shock that may impact their infrastructure, operating environment, business model or personnel.

Adopting a resilience-focused culture requires that leadership create a culture of security awareness, beginning with the company’s board, to highlight the risk and consequences of specific security incidents. By building understanding and awareness of the risks faced, organizations can establish the appropriate governance and oversight of their security risk management programs. Having enabled a security risk management governance structure attuned to the current threat environment, businesses can more easily reinforce and quicken the deployment of scalable mitigation techniques across the organization. Collectively, proper security awareness and governance will prepare an organization to proactively address and recover from a multitude of emerging and future threats.

The bottom line

Even the most well-conceived and accurately executed security program will not protect against all threats; organizations must understand that they will never operate in a zero-risk environment. While no organization is immune to security risk, ensuring that all facets of the company understand and work to prevent those risks will be critical to promoting a proactive enterprise risk management structure that safeguards its personnel, property and business model against future uncertainty.

The best risk management strategy combines multidisciplinary security protocols, aligned to the threat environment, with the creation of a corporate culture of security awareness. As threats in the physical and cyber domains increase and deepen during this age of extremism and decentralized attack tactics, mitigating the impact of an attack requires not only greater awareness, but the implementation of a new security model that replaces the antiquated, reactive traditional one.