Law360 is providing free access to its coronavirus coverage to make sure all members of the legal community have accurate information in this time of uncertainty and change. Use the form below to sign up for any of our weekly newsletters. Signing up for any of our section newsletters will opt you in to the weekly Coronavirus briefing.
Sign up for our Employment newsletter
You must correct or enter the following before you can sign up:
Thank You!
Law360 (June 18, 2020, 4:56 PM EDT) --
 |
| Anthony Ferrante |
Further, cyberactors pounced on the opportunity to launch new attacks and scams[1] by exploiting workforces that shifted to remote environments, distributing mass phishing and malware campaigns, and leveraging vulnerabilities found in quickly established shadow IT systems.
With the world slowly starting to reopen and returning to life before COVID-19, it is essential to consider how cyberthreats will continue to evolve as the situation changes.
Taking a forward-thinking approach can assist in developing or updating incident response and business continuity plans to be more effective and can also help improve an organization's cyberresilience by taking proactive protective measures instead of waiting to see what happens.
Based on the attack methodologies we've already seen, combined with adjustments made by organizations that I anticipate remaining in place for the foreseeable future, here are my cybersecurity predictions for a post-COVID-19 world.
1. Data privacy noncompliance will increase.
With an increase in employees working remotely and using their personal devices to conduct business, organizations will increasingly fail to maintain compliance with data privacy regulation due to the lack of adherence to existing standards.
For example, employees may begin storing personally identifiable information on their personal devices out of ease instead of in a more secure organization database, exposing this information to cyberactors. It should not be expected that regulators will be willing to overlook the noncompliance and rather they will issue fines and other penalties for culprits.
Mitigation Steps
Organizations should stress the importance of using data privacy best practices to their employees. This includes not saving sensitive information to personal devices and only accessing it via a secured network or virtual private network.
2. Business continuity plans will become outdated.
With organizations potentially allowing employees to permanently work remotely, business continuity plans will need to be reviewed and adjusted. These protocols rely on each individual knowing their exact role in advance, reducing wasted time determining responsibilities while an incident is occurring.
With employees operating outside of the office, their specific roles will need to be adjusted to keep pace, as will corresponding procedures to account for less in-person interaction.
Mitigation Steps
Organizations should reexamine their existing business continuity plans and flag areas that need to be updated based on the changed work environment. Once updated, these plans should be tested for effectiveness and to determine unforeseen issues.
3. Security teams will more frequently operate remotely.
Cybersecurity teams will be expected to complete cyber risk assessments virtually versus performing onsite and in-person evaluations. Similarly, long-term projects involving security teams working in client sites will be replaced with shorter engagements. The concerns around the spread of COVID-19 through traveling, and the risk of exposing staff, will compel organizations to think twice about onsite assessments.
Mitigation Steps
Organizations uncomfortable with in-person interactions should start determining how they can facilitate a remote cyber risk assessment. Unfortunately, the pandemic does not mean that cyberattacks suddenly stop, and failing to identify and address new vulnerabilities is not an option.
Cyber risk assessments are an essential method for determining areas for improvement and organizations should continue to have them performed despite COVID-19 altering how they are conducted.
4. Cyberresilience will become a necessity.
As more traditional offline businesses move online due to the lasting effects of COVID-19, their cyberresilience will become increasingly important for viability. Brick-and-mortar shops who have closed and pivoted to e-commerce will rely on their websites remaining online.
Every second a website is inaccessible, like due to a ransomware attack, revenue is lost. Being able to withstand an attack and get operations back up and running quickly, will determine which companies survive and which fail.
Mitigation Steps
Cyber risk needs to be accounted for in the same way that financial, reputational and legal risks are by organization leaders — true even before COVID-19. Building cyberresilience requires taking a proactive approach[2] in formulating a detailed strategy that involves your people, your processes and your technology.
5. Unsecure home networks will cause breaches at organizations.
The work-from-home environment that many organizations pivoted to over the past few months meant less control over the security of their employees' devices. Instead of being able to oversee network protections, employees could have connected their work laptop to an unsecure Wi-Fi network, allowing easy access for hackers.
It's possible that the infiltration went unnoticed, and when the employee returns to the office and connects his or her compromised machine to the organization's network, the infection spreads.
Mitigation Steps
It's not feasible to check every employee device for compromises upon their return to the office, so alternatively, organizations should provide their employees with guidance on how to protect themselves in a remote work environment.[3]
6. Organizations will consider permanent work-from-home environments.
Once given the green light for offices to open and employees to return to work, organizations will weigh their corresponding options. Those who choose to keep their workforces remote will face significant technical challenges. It's likely that temporary security solutions have been implemented in the short term (see point 9), but these band aids are not long-term fixtures.
In-house security teams cannot push updates and patches to employees' personal devices; the more entry points there are to a network, the more opportunities exist for cyberactors to gain access; and it's more difficult to ensure workforces are following best practices when operating outside of the office.
Mitigation Steps
Organizations with remote workforces will need to reassess their threat profile and determine what has changed, what risk they are willing to accept, and what additional protocols need to be implemented to protect their most valuable assets.
7. The origination and dissemination of information will be more important than ever.
With in-person conversations less likely to occur, determining the source of the information and how it was distributed will be critical. We're already seeing an increase in cyberactors exploiting this through business email compromise scams,[4] and it can expected to continue to rise with more employees working remotely for good.
Mitigation Steps
Any message requesting sensitive information, or especially the transfer of funds, should be confirmed using an alternate means. For example, if an employee receives an email from the CEO asking to wire money, the employee should call the CEO to confirm that the request is legitimate.
8. Data governance policies will need to be reexamined.
Due to the rapid nature with which COVID-19 forced organizations to change the way they operated, it's possible that proper data access policies were not followed in order to provide employees immediate access to data they required.
Going forward, this governance will need to be reassessed depending on the type of remote working environments that exist within the organization, to ensure that data is properly secured, regardless of how it is being accessed.
Mitigation Steps
Organizations should implement data access management controls or revisit them and adjust for new working environments. This ensures that only people who require access to sensitive information have it, and tracking features to identify who accessed what, when and if the data was moved elsewhere can also be enabled.
9. Shadow information technology systems will require analysis.
Shadow IT[5] has the potential to introduce significant long-term risk because it is an ad hoc solution designed to allow employees to accomplish the task at hand. Further, it is virtually impossible to determine whether employees are adhering to organizationwide policies regarding cybersecurity and what additional risk they are exposing to the enterprise by not using centrally deployed technology.
Mitigation Steps
Emphasize that security is a team sport and that everyone plays a critical role in protecting their organization. Employees should be extra vigilant about emails they are receiving, and if something suspicious is noticed, it should be reported.
When things return to normal and offices reopen, shadow IT should be dismantled. If you don't need it, it should not be running. These systems were spun up quickly and likely have vulnerabilities that organizations are not aware of or considering.
What's certain is that the world will overcome the COVID-19 pandemic and employees will flood back to offices. What's uncertain is the new cyberthreat landscape that we will all be facing. These predictions serve as a best guess at what's to come and provide steps organizations and individuals can take today in order to be better prepared to face the unknown.
Anthony Ferrante is senior managing director and global head of cybersecurity at FTI Consulting Inc.
The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.
[1] https://www.fticonsulting.com/~/media/Files/us-files/insights/articles/2020/mar/covid-19-new-cyber-threats.pdf.
[2] https://www.ftijournal.com/article/invest-now-save-later-the-best-business-strategy-against-cyber-attacks1.
[3] https://ftijournal.com/article/how-to-protect-yourself-and-your-workers-in-a-remote-work-environment.
[4] https://www.fbi.gov/news/pressrel/press-releases/fbi-anticipates-rise-in-business-email-compromise-schemes-related-to-the-covid-19-pandemic.
[5] https://www.webopedia.com/TERM/S/shadow-it.html#:~:text=Shadow%20IT%20is%20a%20term,of%20the%20enterprise's%20IT%20department.
For a reprint of this article, please contact reprints@law360.com.
