Originally published in The Augusta Chronicle on April 24, 2020
Are you a critical employee or employer? The COVID-19 pandemic has caused all of us to reconsider the definition of the word “critical.” Consider the check-out clerks at our grocery stores or the pizza delivery person in our driveway. They have most likely risen in the scale of importance to our daily lives. And they are among the targets of a new global cyber threat.
If one of these employees receives an email this morning from a reputable hospital informing them that they have been in close contact with someone who has just tested positive for the COVID-19 virus, and that they need to immediately follow containment protocols as outlined in this CDC web link, most would click on it. Even an employee who has gone through corporate security awareness training would probably do so. This action could kickstart a ransomware attack that could make this actually-healthy employee feel quite cyber-sick.
If that person was instead working from home for a bank, or a trucking, power, chemical, agriculture, health or technology company, and that email wasn’t designed to simply ransom off their individual pictures and files, it could have been designed to use that employee as a gateway to infiltrate their employer – and from there disrupt part of a critical sector of our economy. Suddenly America, appropriately focused on COVID-19, is even more vulnerable to cyber-attacks than before.
That is the dangerous scenario in the works today. The FBI just highlighted a new malware campaign called Kwampirs that is now directly targeting critical employees of hospitals. The new National Counterintelligence Strategy tells us that there is a “complex and growing threat to strategically important U.S. economic sectors and critical infrastructure” which are amplified by the pandemic. In the past few weeks we have even seen targeted attacks on the World Health Organization (WHO)’s email servers. Our experience tells us that adversaries leveraging a global tragedy to attack is not unexpected, and the threat will continue to grow.
It would not be unexpected for some to click on a well-crafted COVID-19 link in these unprecedented days. But the employers of the world can help by having properly secured Work from Home (WFH) access for their employees. Companies need to remain resilient in the face of these stepped-up attacks on their employees – yet many are, understandably, focused on other things. Simplistic advice to ‘use the VPN’ misses the point that most companies’ Virtual Private Network (VPN) remote security systems have been designed to accommodate less than a quarter of their workforce and may shut down when overloaded with everyone working from home. In fact, to advise employees to simply use VPNs in some circumstances could have the unintended consequence of promoting less security in this mad dash to enable WFH.
Fortunately, newer technologies including Software as a Service (SaaS), cloud computing, zero trust models, micro-segmentation and others are readily available – and up to this task. While typically they have been implemented to improve efficiency, lower costs and boost resiliency, they are now proving to be a timely lifeline during the COVID-19 crisis.
Every CEO should be leading their own resilience charge. One great way to do this is by empowering their Chief Information Security Officer (CISO) as part of leadership meetings, and asking every CISO to consult with their peers on risk, remediation and resilience in the face of this common foe. CISOs should be getting advised by their industry’s Information Sharing and Analysis Centers (ISACs) and the Cyber and Infrastructure Security Agency (CISA) on global, national and sector-specific threats and countermeasures. CEOs and CISOs are not alone in this fight, and we need to ensure that our critical employees are not alone either.
CEOs and other executives around the world should ensure that our companies are resilient in the face of these threats, that the clients and industries we serve are resilient and that our society and economic well-being are not brought down by a single click. We must lead with resilience in mind. You are critical.