
Protecting against Cyberthreats during a Global Covid 19 Pandemic


New Solutions to New Threat: Optimizing the Remote Work Environment during a Global COVID-19 Pandemic

Given the continuous political turmoil emanating from the nation’s capital for the past three and a half years, few observers would likely have regarded 2019 as “the good old days,” but the multiple crises of an ongoing global COVID-19 pandemic combined with a devastated economy, massive unemployment and growing unrest over racial disparities underscore just how fast things can change and how bad things can get without warning. Indeed, the “good old days” of 2019 appear golden by comparison, and there is currently no real end in sight. These trends have introduced new issues with respect to what types of information security education and maintenance and what protocols are necessary in the wake of the ongoing COVID-19 pandemic as well as comparable calamitous events in the future. The purpose of this research paper is to provide a review of the relevant literature concerning the optimal management of COVID-19 within the management sectors of a cybersecurity infrastructure, as well as address similar societal disasters that should be taken into consideration in the future. Finally, a summary of the research and important findings concerning information security education and maintenance are presented in the paper’s conclusion.

I. The Current Situation and How It Has Impacted Information Security and Cybersecurity

The number of cases and the death toll attributable to the COVID-19 virus have steadily increased across the country in recent months, and companies of all sizes and types have been hammered by a combination of a turbulent presidential election of unprecedented import, an unrelenting economic downturn, growing civil unrest and increasingly severe climate change-related events that have caused some of the worst unemployment rates in the country’s history. While the current situation is highly dynamic and global COVID-19 case numbers continue to swell by the hour, at the time of this writing more than 40 million people worldwide had been infected by the virus and more than 1.5 million had died from it based on the statistical data that is compiled by Johns Hopkins University each day. From a strictly pragmatic perspective, one of the few bright spots on the current economic horizon has been the growing demand for the accelerated domestic manufacture of personal protective equipment and therapeutic drugs by local, state and federal government agencies (Meredith, 2020).

Against this grim backdrop and as discussed further in the sections that follow below, it is not surprising that the current situation for cybersecurity has also been challenging and increasingly threatening. For example, according to Martinelli and Friedman (2020), “There have been several reports from the [information technology] community that there have been more attacks against cybersecurity infrastructures than in the past few years. Indeed, cybersecurity was a persistent threat before COVID-19, and not surprisingly, organizations continue to face increasing risks in this area” (p. 60). Unfortunately, although the risks that are associated with IT resources continue to accelerate, there has not generally been a corresponding response on the part of the information security community.

A growing body of research confirms that nature imbues many predators with the ability to detect fear, and the current situation is similar with respect to hackers “smelling blood” among their traditional prey today. This sense of opportunity may help account for the increased cyberattacks that have been experienced by the private and public sectors over the past several months, but the threat has always been there; only now it has intensified. For instance, one mainstream newspaper warns its readers that:

The COVID-19 pandemic has changed our daily lives and routines dramatically. However, it seems that hackers remain undaunted and are still up to their old tricks, as the number of coronavirus-themed scams and security incidents related to it has been increasing steadily since January [2020]. Hackers are preying on people's fears by spreading disinformation and monetizing panic (emphasis added). (COVID-19 pandemic has hackers working OT, 2020, p. 13)

Given the enormous mental health burden that has been exacted by the ongoing pandemic, these cautions are well timed and on point, but hackers and other malevolent actors (commonly referred to as “advanced persistent threat actors”) are also specifically targeting essential workers. For example, national security authorities in the United Kingdom and United States have issued alerts that warn public and private sector leaders that, “Actors are actively targeting organizations involved in both national and international COVID-19 responses [including] healthcare bodies, pharmaceutical companies, academia, medical research organizations, and local governments. Advanced persistent threat actors frequently target organizations to collect bulk personal information, intellectual property, and intelligence” (Martinelli & Friedman, 2020, p. 60).

Notwithstanding the current situation’s unclear outcome, what is known for certain at present is that IT risk managers are confronted with many of the same cyber threats that emerged in recent years together with some novel applications that are succeeding in preying on COVID-19-related fears and anxieties. In this regard, Martinelli and Friedman (2020) report that, “Despite the global pandemic, threat-actors continue to pose threats that require an internal audit to assess the organization's risk management program” (p. 60). Unfortunately, internal audits only represent part of the overall IT cyber threat strategies that are needed to counter the growing threat from hackers and other state- and non-state actors (Martinelli & Friedman, 2020).

In response to these and other emerging local, regional, national and global cyber threats, the United Kingdom’s National Cyber Security Centre (NCSC) and the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) collaborated to formulate an appropriate strategy. The joint CISA-NCSC Alert (hereinafter “the Alert”) was released in early April 2020 as increased reports of cybersecurity threats began to emerge following the onset of the COVID-19 pandemic. The Alert provides timely guidance concerning current malicious cyber activity that specifically relates to the COVID-19 pandemic as follows:

· APT actors are actively targeting organizations involved in both national and international COVID-19 responses. These organizations include healthcare bodies, pharmaceutical companies, academia, medical research organizations, and local governments.

· Advanced persistent threat (APT) actors frequently target organizations in order to collect bulk personal information, intellectual property, and intelligence that aligns with national priorities.

· The pandemic has likely raised additional interest for APT actors to gather information related to COVID-19. For example, actors may seek to obtain intelligence on national and international healthcare policy, or acquire sensitive data on COVID-19-related research.

· CISA and NCSC are currently investigating a number of incidents in which threat actors are targeting pharmaceutical companies, medical research organizations, and universities. APT groups frequently target such organizations in order to steal sensitive research data and intellectual property for commercial and state benefit. Organizations involved in COVID-19-related research are attractive targets for APT actors looking to obtain information for their domestic research efforts into COVID-19-related medicine.

· These organizations’ global reach and international supply chains increase exposure to malicious cyber actors. Actors view supply chains as a weak link that they can exploit to obtain access to better-protected targets. Many supply chain elements have also been affected by the shift to remote working and the new vulnerabilities that have resulted.

· Recently CISA and NCSC have seen APT actors scanning the external websites of targeted companies and looking for vulnerabilities in unpatched software. Actors are known to take advantage of Citrix vulnerability CVE-2019-1978 and vulnerabilities in virtual private network (VPN) products from Pulse Secure, Fortinet, and Palo Alto.

· CISA and NCSC are actively investigating large-scale password spraying campaigns conducted by APT groups. These actors are using this type of attack to target healthcare entities in a number of countries—including the United Kingdom and the United States—as well as international healthcare organizations.

· Previously, APT groups have used password spraying to target a range of organizations and companies across sectors—including government, emergency services, law enforcement, academia and research organizations, financial institutions, and telecommunications and retail companies (Alert AA20-126A, 2020).

Furthermore, there has also been a corresponding decrease in the number of IT employment opportunities that are available from American employers for prospective graduates and non-graduates alike. For example, a recent report from the editorial board of The Washington Post cautions that, “The most talented scientists and computer engineers of the next generation are choosing Canada, Australia, China — anywhere but Donald Trump’s America” (Trump’s America in 2024, 2020, para. 4).

Beyond the foregoing challenges, organizations with dedicated cybersecurity infrastructures are also scrambling to find ways to budget and pay for the increased costs of maintaining order within both the organization and its information security (InfoSec) employees. While every organization’s cybersecurity situation is unique in some fashion, many if not most have experienced various types of threats to their cybersecurity, including some that have only been recently deployed (Lanz & Sussman, 2020). In other words, public and private sector organizations at present are not only faced with conventional IT-related threats, these threats have expanded in scope and severity, thereby further exacerbating the current situation (Lanz & Sussman, 2020).

These trends also mean that there is no room for complacency and IT security professionals must not only remain vigilant for known threats, but also continuously survey the horizon for newly emerging threats that have direct implications for their operations. For example, according to Lanz and Sussman (2020), “This understandable change in focus must still consider an environment more conducive to computer-facilitated frauds and increased cyber-threats” (p. 28). This admonishment may leave some cybersecurity professionals frustrated given that they have already been trying to build the walls higher and the moats deeper, but the harsh reality is that the nature of cybersecurity threats has changed and expanded substantively in recent years and most especially in the months following the onset of the COVID-19 global pandemic.

In addition, cybersecurity experts warn business and government IT professionals that computer-facilitated frauds and increased cyber-threats have also been facilitated by the proliferation of unstructured data of all types (Schultz, 2009). Indeed, unstructured data can refer to virtually any type of digitized document, including video files, graphic presentations, blueprints, and images. Regardless of the type of electronic information involved, these resources are highly vulnerable to unauthorized access, manipulation and even destruction by insidious actors (Schultz, 2009). This is an especially important issue since the vast majority (>85%) of all business information is stored in an unstructured data format. As Schultz (2009) concludes, “To make matters worse, the amount of unstructured data within companies is still growing. With email and file services being the biggest contributors, more and more information is becoming available electronically and easy to share” (p. 5). While unauthorized access to unstructured data and other sensitive data cannot always be prevented, there are some straightforward steps that can be taken to ensure that maximum cybersecurity controls are in place and these issues are discussed below.

II. The Basics of Cybersecurity Control

The requirement for basic cybersecurity controls depends on a number of organizational variables, so assessing the adequacy of existing cybersecurity controls represents the first step in ensuring that appropriate IT protocols are in place. While the precise steps that may be required for this type of assessment may include other factors, the general steps outlined in Table 1 below provide a useful framework for a cybersecurity control assessment.

Table 1

Assessing adequacy of existing cybersecurity controls

| Step | Description |
| --- | --- |
| Assess the size of the organization | First, the size of the organization should be assessed. The details concerning interconnected systems, employee number, network size, etc., should be reviewed. Assessing the size of an organization will assist in decision making related to financial planning. The assessment will also help identify controls that should be implemented to mitigate existing challenges. |
| Determine the scope of IT infrastructure | A company must identify the IT components that are within the scope of cybersecurity controls. Considering all IT elements, regardless of whether they are contracted or owned, ensures the implementation of adequate controls. In this context, IT infrastructure consists of applications, information systems, network devices, servers, cloud applications, among others. An assessment would sufficiently guide a company to list all assets within the scope of cybersecurity controls. |
| Determine the security levels of IT assets and information systems | Companies need to identify information systems and IT elements requiring higher levels of security. They should also be able to assign value to various types of information and assets. For instance, personally identifiable information regarding employees or customers might need higher levels of protection. Besides, confidential information such as intellectual properties or competition strategies might need adequate security to prevent attempted breaches. In particular, assessing security levels should relate to integrity, availability, and confidentiality of critical IT systems and information. A scale of very low, low, medium, and high, with high representing assets requiring highest security levels, can enable organizations to distribute cybersecurity controls as per need. This not only ensures efficiency in mitigating security challenges; it also assists in budget planning. More finances can be allocated in areas requiring more controls. |
| Confirm investments in cybersecurity | Before planning for the acquisition and implementation of cybersecurity controls, security managers and professionals should confirm the investment levels in cybersecurity. This is by assessing expenditures allocated to IT security and data protection. Additionally, a company should factor in financials to intangible controls such as training employees. |

Source: Adapted from Mutune (2019)

The assessment of an organization’s existing cybersecurity controls should also be measured against the essential security control elements that are set forth in Table 2 below to determine their adequacy and to identify opportunities for improvement.

Table 2

Essential cybersecurity control elements

| Element | Description |
| --- | --- |
| Maintain a comprehensive incident response plan | Hacking and penetration methods have grown to unprecedented heights. Using available technology like artificial intelligence, cyber adversaries can commit stealth cybercrimes. As such, businesses should always expect attempted intrusions at any moment. For this reason, every organization should implement and continuously update a plan for responding to cyber incidents. The program should also consist of measures for recovering from the attack. |
| Patch management lifecycle | Some organizations are so reliant on IT support that its absence would cause many losses. Due to this, companies implement varying technologies from different vendors, thus providing a criminal with increased points of entry. Besides, some items, either hardware or software, may contain security vulnerabilities. Hackers usually exploit the vulnerabilities to gain system access and to execute attacks. It is hence necessary for an organization to observe a strict patch management lifecycle. |
| Apply antivirus solutions | Antivirus solutions are one of the most readily available security controls. Almost all operating systems come installed with antivirus products. Antivirus products like Malwarebytes, McAfee, or Windows Security Center provide sufficient measures for detecting and eliminating malware threats. Cyber actors trick system users into installing different families of malware, including spyware, ransomware, worms, and trojan horses. All types of programs developed to harm a system fall into one of the various malware families. |
| Implement perimeter defense | Perimeter defenses allow an organization to protect networks from attacks executed through the internet. Conventional network security controls include firewalls. Firewalls identify suspicious traffic flowing into a network and block it from entering. Also, firewalls defend a network from external intrusions attempted through compromising network security. As such, to counter online threats, businesses should establish dedicated firewalls in the boundaries connecting a corporate network to the internet. The firewalls can be a combination of both hardware and software solutions. |
| Secure mobile devices | The Internet of Things and mobile devices enable organizations to enhance work processes and increase productivity. This has seen many organizations adopt them on large scales. The companies either own the devices, or they maintain policies that allow employees to use their own. Either way, a business must develop appropriate measures for safeguarding company data processed through or communicated through the devices. |
| Emphasize employee training and awareness | Training employees on cybersecurity basics can protect organizations from disastrous attacks. It is one of the most crucial controls since attackers use system user ignorance to execute attacks. For instance, the success of phishing attacks largely depends on a user’s inability to identify phishing emails. Employee security training provides the first line of defense since practical skills lead to enhanced security posture. |
| Implement power user authentications | One of the leading causes of security incidents among organizations is insider threats. These are threats resulting from employees helping hackers achieve their malicious intents or users committing cybercrimes for their benefits. To accomplish these, malicious users may steal the login credentials of other users and use their accounts to facilitate cybercrimes to cover their traces and pin the crimes on innocent employees. An effective control for mitigating insider threats is implementing strong user authentications. |
| Observe strict access controls | Access control measures build on the security which the user authentication provides. Access controls differ in that they are the strategies organizations use to provide authenticated users access to IT resources. A primary function of access controls is to determine which user can access which resource and at what level. There exist different control measures, and it is the company’s responsibility to choose one that meets its security concerns. |

Source: Adapted from Mutune (2019)

In the event security-related threats are identified during the assessment process and solutions are implemented in response, it may be necessary to repeat the assessment to ensure that all potential threats that may be related to the discovered issue are also addressed. In sum, assessing the adequacy and appropriateness of cybersecurity controls is an ongoing, iterative process that is essential for restoring normalcy in the event of disruptions due to catastrophic events, and these issues are discussed further below.

III. Restoring Normalcy: A Discussion

In this context, returning to “normalcy” may be a highly subjective and relative goal. Therefore, for the purposes of this discussion, normalcy will be regarded as operating levels that near 99% of their pre-catastrophe levels. Moreover, any type of catastrophic event will create multiple challenges to restoring normalcy to business operations, but the heavy reliance on IT resources for these purposes means that time is of the absolute essence (Lanz & Sussman, 2020). In addition, because it is impossible to predict when anthropogenic and natural disasters will occur that disrupt IT operations, it is essential for organizations of all sizes and types to develop resiliency to such disruptions. In this regard, Lanz and Sussman (2020) stress that:

COVID-19 amplifies existing risks and makes them more complicated to accept and manage. With the survival of some organizations questionable, risk and enterprise managers are focusing their efforts on continuity-related issues. Where information security and, in many cases, cybersecurity challenges reigned supreme in governance-related concerns, resiliency is now the primary area of focus. (p. 28).

Because the situation will differ in important ways depending on what type of disruptive event is involved, it is only possible to outline some general steps that enterprises should take in their efforts to restore normalcy to their operations. First and foremost, enterprises should ensure they have appropriate encryption and up-to-date data backups in place. For instance, according to Mutune (2019), “Data backups and encryption are useful controls that preserve the availability and integrity of data. Although organizations can implement the best security practices, cyberattacks still occur, leading to data theft or data corruption” (para. 7).

While the frequency of backups will depend on the organization and data type, backing data up on a daily basis is a common strategy. An important point made by Mutune (2019), however, concerns the fact that nefarious actors may also try to gain access to archived data. Therefore, it is important for data backups to be stored in different off-site locations and to ensure that appropriate encryption protocols and data prioritization algorithms are in place to protect backed-up data (Mutune, 2019). By prioritizing the importance of backed-up data, organizations can speed up the process by focusing on the most essential data while excluding otherwise-available backed-up public data (Mutune, 2019).

One of the overarching issues that must be taken into account when developing disaster recovery plans for IT resources today is the fact that nefarious actors of all ilk will continue to exploit the ongoing COVID-19 pandemic and these cyber threats are expected to severely hamper recovery efforts. As Lanz and Sussman (2020) conclude, “Threats from cyber-attacks, whether the motives include computer-facilitated financial fraud, corporate espionage, political/media embarrassment, or just nuisance--will continue to divert stakeholder attention from organizational objectives, including recovering from COVID-19 and preparing the organization for a new operational environment” (p. 28). Indeed, a recent Small Business Association survey determined that fully 88% of small business owners in the United States currently felt threatened by cyber attacks but were uncertain about how to protect their companies’ IT resources in the event of a catastrophic disruption (Lanz & Sussman, 2020).

Finally, despite the operational challenges resulting from COVID-19, information security's prime objective remains enabling an organization to achieve its goals within its risk appetite. Today, organizations of all types are reconfiguring their service and product delivery strategies to both serve customers safely and obtain cost savings. Through this transition, SMEs must continue to mitigate the risks that existed before the arrival of COVID-19. For SMEs in regulated industries, this also includes the continued adherence to regulatory requirements. Those organizations accepting electronic payments, including credit cards, must also comply with applicable rules, including the Payment Card Industry Standard (Lanz & Sussman, 2020).

Cite This Paper
"Protecting Against Cyberthreats During A Global Covid 19 Pandemic" (2020, October 27) Retrieved April 22, 2026, from
https://www.paperdue.com/essay/protecting-cyberthreats-global-covid-19-pandemic-research-paper-2181466
