
People’s homes and connected devices could become super-spreader environments for malware and vectors for cyberattacks in the post-COVID world, writes Dani Michaux, Head of Cyber Security, KPMG in Ireland.

There may be no evidence of an increase in the absolute level of cyber-crime during the COVID-19 pandemic but there has been a significant change in its nature. While many of us were struggling to make sense of the new world and challenges, the criminals have simply adapted their behaviour in agile fashion to exploit the new opportunities presented by the crisis.

Perhaps the most striking example of this is the more than 100,000 fake COVID-19 websites set up since January 2020 to aid various COVID-19-related frauds. In some cases, these masquerade as official sites from health authorities such as the WHO or the HSE and trick people into divulging personal information, which can be used for fraudulent purposes. Other websites will entice people to click on a link, which can trigger the download of malware such as the COVIDLock ransomware.

Many of these fraudulent sites are basic unsophisticated scams which offer to sell PPE and other COVID-19 related supplies. Of course, those supplies never get delivered. In other cases, they offer treatments, antibody tests and even vaccines to gullible consumers whose critical faculties have been somewhat blunted by the anxiety generated by the pandemic.

That exploitation of people’s fears and uncertainty has been a recurrent theme. Other scams involve phishing emails and alerts claiming to provide information on the spread of infections in particular areas or countries, playing to people’s fears.


Sophisticated attacks

As the crisis developed and nations began the active search for vaccines, we have seen more sophisticated attacks being mounted against research institutions and universities, pharma and research and development organisations in an attempt to steal COVID-19 treatment and vaccine research data. For example, many life sciences companies have had their supply chains attacked. The reason behind this is intellectual property. The minute you see news about a new vaccine or treatment for COVID-19, that will attract criminals.

None of this should come as any surprise. It is the modus operandi of cybercriminals, and perhaps some States, to exploit any weakness that may arise as a result of any economic or social upheaval. It would be naïve to expect people without a moral compass to do otherwise.

The speed at which the pandemic took hold and the emotional turmoil it created presented near ideal conditions for the criminals to prosper. And the almost overnight switch to mass remote working opened up new vulnerabilities for them to exploit.

Many large companies were already well set up for remote working. They had clear policies and security measures in place. Others faced a real struggle in facilitating home working for large numbers of their people – overnight deployments for basic access to emails and collaborative platforms became the bare minimum requirement to allow businesses to continue to operate. In many cases security was an after-thought.

New targets for cyber criminals

The biggest challenge facing many companies in Ireland at present relates to remote working. The average score for maturity assessments (an in-depth review of an organisation’s ability to protect its information assets and its preparedness against cyber threats) is between 1.5 and 2.5. That’s not that high.

Controls which were enabled on premises or in the office have not been taken into the remote-working environment. That is a problem. The workplace is no longer in the office for many people, it is in their homes and for some it is in both. This has meant that homes have become far more attractive targets for the criminals.

The boundaries between people’s work and personal lives have become much more porous. The lines between acceptable and unacceptable behaviours have become blurred as well. Researching coronavirus information or looking for good value PPE deals during working hours and while connected to the employer’s network can come to be seen as entirely acceptable. It is very easy to click on an innocent looking link without thinking. The perception is that if you are behind the walls of your home, you are safe.

And it may not be the employee who is engaging in unsafe behaviour. They are likely to be sharing the home wifi network with their children who are playing games online, other family members who are streaming content from potentially risky sites, and others who may be inadvertently downloading content onto smartphones, tablets and other devices. Home networks have thus indirectly become an extended part of corporate networks.

SMEs – Pivot then Pause

Smaller businesses are least likely to have IT skills in-house. For this reason, it is really important for SME leaders to be cyber-aware.

Companies are pivoting and trying to use any and all tools to enable business, as they should be. But they are rarely thinking about the risks involved in doing that and some are rushing their decisions. Business owners need to ask if they have the same controls in the cloud as they did before. No is the usual answer. Don’t assume that just because you are using cloud-based services that you are automatically safer by default. A maturity assessment score can drop from a three to 1.5 as a result of a move to the cloud.

People think the digital world is better and it could be. Many cloud providers have capabilities which customers can utilise. SMEs may not even know security controls exist because the main concern has been to keep the business running.

The great migration online is complete and now is the time to take a step back and reassess what has happened. This reflection begins by asking the right security exposure questions.


Security exposures

One has to think about the potential security exposures which this new extended network brings. It is no exaggeration to say that it is a potential super-spreader environment for malware and cyber breaches, and there is perhaps no worse time for a major corporate ransomware incident.

So as we begin to return to a new normal and the future of work looks more hybrid and interconnected, there are potentially a couple of considerations to think about:

  • Have you analysed the risk that hybrid home working / office environments bring?
  • Have you considered the security implications of putting information on the cloud?
  • Have you identified key areas of exposure and ensured relevant procedural and technology controls are in place?
  • As you allow employees to use their own devices and enable bring your own device (BYOD) solutions as quickly as possible, have you thought about the potential risks and mitigations?
  • Take stock of new applications and solutions acquired in haste since the onset of the pandemic – do they follow normal security baselines?
  • Have you reviewed cloud service security and the way you govern cloud security arrangements?
  • Have you discussed the amount of shadow IT applications created in the rush to switch to the new hybrid model and the potential security debt associated with it?
  • And, above all, are you keeping up security awareness and keeping employees engaged in relation to cybersecurity?

But this is just the beginning. If we take this experience as an example, we can quickly imagine how the whole of society is collapsing into a single digital environment. The world is being transformed into a completely connected society where everyone is being schooled, working, and living their lives digitally at home. Much of this is positive and many people are beginning to realise that it is possible to work safely and productively from home.

New rules for the post-COVID world

But we need to ask if the current rules are fit for purpose for the post-COVID world. The answer is that we may need to review what rules are truly needed to allow innovation and technology to lead in this new massively interconnected society, while also removing fear and uncertainty.

And these rules must be framed in a way that considers the possibility and systemic nature of risks in this interconnected world – it can be as simple as a small outbreak leading to potentially large cross-contamination across connected devices in schools, offices, homes and other environments and potentially across the world.

And, in the middle of this, COVID-19 has raised ethics and privacy questions that need to be answered: do organisations have a right over an individual’s personal data, and what about their families and extended families? What controls can be extended beyond individual buildings and countries?

COVID-19 has resulted in a great leap forward in terms of connectedness. Organisations should now pause and step back to examine the full implications, not just around the technological security issues, but also in relation to their obligations under GDPR and other legislation.

And there is the question of resilience. How are organisations and countries set up to withstand a large scale cyberattack in these new circumstances? How quickly can they get up and running again?

New systems and procedures will be required for the new hyperconnected world in which we find ourselves. Perhaps, as we make the step towards 5G, fresh thinking will be required around resilience in hyperconnectivity.

While the challenges are great, positive signs have emerged from the COVID-19 pandemic as well. We have seen an unexpected community being built as a result of collaboration between governments and corporates in seeking solutions to these new questions.

The cybercriminals and other malicious actors will continue their efforts to exploit the vulnerabilities created by COVID-19, but I do remain optimistic that new security solutions will be developed as a result of the concerted efforts of that new community.

Get in touch

To find out more about how KPMG perspectives and fresh thinking on cyber issues can help your business or organisation thrive, contact Dani Michaux, EMA Cyber Leader.