The perfect storm: pandemic psychology driving cyber threats
As 2020 changes the way we live and work, cybercriminals are adapting as well.
With a large proportion of the global workforce now operating outside the office for the foreseeable future, organizations worldwide are at a greater risk of cyber threats than ever.
Increased reliance on cloud systems, coupled with potential financial pressure, job insecurity, unfamiliar circumstances, and the general anxiety of a global pandemic, have created a perfect cyber storm – and cybercriminals are taking advantage of the situation.
Adapting to a new landscape
Any strong cyber defense must be adaptive, and nothing calls for greater adaptability than a global pandemic. But while upping defenses to cope with an increased attack surface may be familiar ground, accounting for a mass change in behavior and mindset is anything but.
Your employees are working outside of the office environment’s norms and formalities, and many are not used to this yet. They may be unsettled, distracted by chores and home life, and more prone to making basic mistakes.
The more relaxed home environment may also lend itself to potential bending and breaking of the security best practices expected in the office. This could mean using personal machines for convenience, using corporate machines for personal activity, writing down passwords, or failing to properly log in and out of corporate systems.
On top of policing potentially high-risk behavior, defense teams must also account for new behaviors that may once have raised an eyebrow, such as employees logging in at unusual hours to work around childcare. Almost overnight, the regular telemetry of your logs has completely changed. Adjusting to this change requires a keen eye and robust strategy capable of defending from the inside out.
Business Email Compromise
Since the start of the pandemic, Proofpoint has seen hundreds of COVID-19 related phishing attacks, imploring victims to click links, download attachments, and share credentials. It only takes one absent-minded employee to jeopardize the security of your entire organization.
Business Email Compromise (BEC) and Email Account Compromise (EAC) afflict businesses of all sizes across every industry: nearly 90% of organizations faced BEC and spear phishing attacks in 2019.
More money is lost to this type of attack than any other cybercriminal activity. The FBI reported that from June 2016 to June 2019, companies reported US$26.2B in losses. And in 2019 alone, BEC scams accounted for more than half of all cybercrime losses — an estimated US$1.77B. The average loss per BEC incident in 2019 was US$74,723.
An indication of how pervasive a problem BEC/EAC is: Proofpoint blocks over 15,000 BEC/imposter messages a day or nearly 4 million messages a year.
The sinister side of pandemic psychology
Organizations are also at a greater risk of insider threats than ever before, with reported incidents up 47% each year, according to a recent report commissioned by Proofpoint. And they are as damaging as they are prevalent.
The global cost of insider attacks rose to US$11.45M last year, up from US$8.75M in 2018. For the individual organizations behind those statistics, the financial implications are no less eye-watering, ranging from US$307,111 for a negligent incident to US$871,686 for credential theft, for a single incident.
Unfortunately, the increased potential for mistakes is not the only weak link on display to opportunistic cybercriminals. The psychological pressure of life under lockdown can give way to a more sinister threat — the malicious insider.
While malicious insiders are less common, they can be more damaging. Many use inside knowledge to evade internal defenses and actively take steps to cover their tracks, making them far more difficult to detect and contain. On average, a malicious incident costs US$755,760, more than double that of a negligent threat.
The risk of malicious insiders is nothing new. But with increasing numbers of employees furloughed, facing redundancy, and potentially under financial pressure, organizations must be on high alert. Even the least tech-savvy user is likely aware of the rewards on offer for leaking data and sensitive information. Decision-making can easily become clouded.
The same is true of employees with a grievance against your organization. With regular stories of data breaches hitting the headlines, the devastating consequences for those involved are common knowledge: punishment from regulators, reputational damage, and significant financial losses. Suddenly, a disgruntled employee could see themselves presented with a seemingly simple and effective method of revenge.
Building a people-centric cyber defense
Spotting the potential for cyber threats is never easy. Spotting them outside the office environment where there is less scrutiny or pressure to meet security standards is harder still. The only effective defense is a flexible, robust, multi-layered strategy that combines people, process, and technology.
Insider threats are unique because insiders already have legitimate, trusted access to your organization’s systems and data to do their job. This unique attack vector requires a unique defense. Though it is not possible to block access to those who need to work within your networks, you can ensure that access is strictly controlled and only afforded on a need-to-know basis.
Start by implementing a comprehensive privileged access management (PAM) solution to monitor network activity, limit access to sensitive data, and prohibit the transfer of this data outside company systems.
There should be zero trust between your technology and your people. There may be a good reason for an access request or out of hours log in, but this cannot be assumed. Controls must be watertight, flagging, and analyzing every log for signs of negligence or foul play.
Supplement this with clear and comprehensive processes that govern systems and network access, user privileges, unauthorized applications, external storage, data protection, and more.
Finally, defending against insider threats is not solely a technical discipline. As the biggest risk factor for insider incidents is your people, they must be at the heart of your defense strategy.
Creating a security culture through ongoing cybersecurity awareness training is critical: everyone in your organization must know how to spot and contain a potential threat, and, whether intentional or not, understand how their behavior can put your organization at risk.
This training must be thorough and adaptive to the current climate. While today’s working environment may feel more relaxed, security best practice still applies – perhaps now more than ever.
October marks Cybersecurity Awareness Month, and this year’s theme of “Do Your Part. #BeCyberSmart” encourages organizations and people to be proactive in battling cyber-attacks.
Proofpoint is proud to support this global effort and provide tools and resources for organizations to use this event and improve their awareness and preparedness for cybersecurity challenges. Learn more at the following link: https://www.proofpoint.com/uk/blog/security-awareness-training/game-changer-cybersecurity-awareness-month