How has Covid-19 changed the cybersecurity landscape?

22 Jun 2020

Robert McFeely of Octiga. Image: Andrew Downes/Xposure

The cybersecurity industry has had to shift focus massively in the wake of Covid-19. But what do those shifts look like and are companies making the right decisions?

Covid-19 has affected so many industries and cybersecurity is no exception. In fact, with so much upheaval across the global workforce, the security needs of companies have shifted and spiked.

A survey in April of this year claimed that almost half of cybersecurity professionals surveyed were repurposed during the Covid-19 pandemic as organisations moved to remote working arrangements and cybercriminals started taking advantage of the crisis.

Robert McFeely is the software director of Octiga, a Galway-based software company specialising in security apps. He spoke to about how the cybersecurity space has changed since Covid-19 began.

“With a change in processes, habits, usage patterns and new stresses, comes new weaknesses. Staff isolated at home are more likely to be a victim to phishing techniques, particularly credential harvesting. This has resulted in a significant rise in compromised accounts and data breaches,” he said.

“There have been recorded increases in the frequency and types of phishing and malware attacks, making use of people’s fears of Covid-19. There has been a similar increase in scams exploiting the rise in demand for video conferencing. It was interesting to watch Zoom’s meteoric rise in demand become a double-edged sword as their security lagged behind that of their more secure, but less modish, competitors.”

‘Unsecured mobile devices were a disaster waiting to happen for many companies even before Covid-19’

McFeely said that while threats such as these are fickle, they are generally addressable through tactical security tooling. However, the massive move to remote working in recent months has exposed other issues that are not so easy to address.

“Home networks are inconsistent in every aspect. Some old routers hold well-documented vulnerabilities, while the sudden move has left some companies allowing non-secure access to company networks,” he said.

“There has been a marked increase in attacks relating to mobile access. Unsecured mobile devices were a disaster waiting to happen for many companies even before Covid-19. The blurred line between the business and personal on our devices creates a demilitarised zone to which companies are turning a blind eye.

“I think many companies have had to get used to the idea that their organisation has no clear boundary. That boundary was always a facade. Take Office 365 as an example. Many employees never realised that their account could be accessed on the internet, outside of Outlook, given the correct credentials. So, they had a false sense of security and hence maybe weak credentials or were not risk-averse to clicking phishing links.

“Thankfully the changes have forced a shift in favour of employee freedoms. I feel that business should continue to embrace these flexibilities for both the good of business and society. With this comes awareness which is the first step on the road to security.”

Higher spend doesn’t equal higher security

According to a recent report from LearnBonds, almost 70pc of organisations plan to increase cybersecurity spending following Covid-19. But when it comes to cybersecurity budgets, bigger isn’t necessarily better.

“Unfortunately, there is no correlation between expensive and effective. Using a mature risk-based approach is how to achieve effective protection,” said McFeely.

“Firstly, identify your risks, and try to address them all in some fashion. It is better to address all risks somewhat than some well and others not at all. In doing so, consider each risk like a process that encompasses not only software and hardware, but also people and their interactions.”

McFeely added that going deeper into certain risks should be done only after all risks have been addressed in some fashion. “You need to assume that bad things will still happen, so you need some defence in depth. Depth does not have to mean expensive tools, however.

“A broad but shallow approach is much more effective than picking a few domains and drilling down in depth but neglecting other areas. The reality is your cybersecurity posture is based on your weakest link, not your most impressive or expensive tool.”

There is no magic pill

While increased budgets and redeploying cybersecurity teams seem to be largely reactionary efforts to solve issues that have cropped up during the crisis, McFeely said there is no “magic cybersecurity pill”, as much as the brochures might like to state.

However, he said he believes the most significant weakness is people and their inaction in addressing security risks.

“Don’t get me wrong. People aren’t stupid. Sure, there are some out there that fool themselves into thinking it will never happen to them – it will by the way. But then there are the others that fool themselves into inaction even though they know it possibly will. The latter do this by continually kicking the can down the road,” he said.

“We wake up each day and list our priorities. Security quickly falls down the list and gets kicked to tomorrow. Then the cycle repeats.”

Jenny Darmody is the editor of Silicon Republic