“Cybercriminals thrive on chaos. The chaos induced by the COVID-19 pandemic on societal behavior at all levels is creating conditions that are ripe for cybercriminals and other malicious actors to exploit,” explains our latest report. “While some of the biggest risks will be faced by the healthcare industry, whose services and systems and technologies are being stretched to breaking point in many territories, smart commercial buildings owners and operators, as well as enterprise operations and critical infrastructure operations, also face a heightened level risk.”
According to the new report The Internet of Things in Smart Commercial Buildings 2020 to 2025, the use of email spam, malware, ransomware, and malicious domains has increased for a variety of malicious campaigns during the COVID-19 pandemic. In our rush to maintain economic activity during the lockdown, we have neglected cybersecurity and left our systems more vulnerable. The cybersecurity for work-from-home, remote monitoring, access control for crisis management, and less-supervised automation takes thought, planning, and testing over months and years. When lockdowns were enforced, however, we tried to do it all in days and weeks.
“The rapid shift to remote working exposes new threats related to expanded and remote network access, for enterprise and IoT systems alike. Many property owners and operators have had to limit contractors’ onsite, putting more stress on poorly configured onsite building systems or unsecured remote access methods,” explains the 2020 report. Rushed projects to support remote or automated business operations may be rolled out without sufficient cybersecurity planning, due diligence or oversight, exposing enterprises to significant new threats.”
Enterprise security company Proofpoint has observed an increase in attacks ranging from credential phishing, malicious attachments and links, business email compromise (BEC), fake landing pages, downloaders, spam, and malware and ransomware strains, all using fear to try to convince potential victims to click. They have identified cyber-criminals sending over 200,000 emails per campaign, and the number of campaigns each day has increased from an average of one to three or four in the last five weeks.
“Approximately 70% of the emails Proofpoint’s threat team has uncovered deliver malware and a further 30% aim to steal the victim’s credentials,” said Sherrod DeGrippo, senior director of threat research and detection at Proofpoint. “The COVID-19 lures we’ve observed are truly social engineering at scale. They know people are looking for safety information and are more likely to click on potentially malicious links or download attachments. This increase underscores just how appealing global news can be for cyber-criminals.”
Onsite enterprise networks do catch some of these attacks but the most significant security benefit of being in the office is the mindset of the employees themselves. Due to corporate cybersecurity training initiatives, and a more formal business environment, makes us more vigilant in general. At home, however, we are more casual and that mindset extends to cybersecurity, including what we might trust and click on. And then there’s all the panic and confusion around coronavirus.
“Malicious actors will leverage the intense focus placed on the virus and the fear and panic it creates. In an environment where people are stressed and hungry for more information, there is a lack of commitment to security best practices,” explains Cyber Risk Implications of theCoronavirus Outbreak from AON. “This is the time for organizations to remind employees of the need for vigilance and the dangers of opening attachments and links from untrusted sources. Running a simulated spear-phishing campaign can also demonstrate the level of resilience to these attacks.”
Now is not the perfect time to redesign your cybersecurity but better now than later. For those unprepared to support a remote workforce cybersecurity must be challenging, but a quick migration to available Bring-Your-Own-Device (BYOD) standards presents a makeshift option. Another pragmatic approach to being unprepared is to anticipate problems, using Endpoint Detection and Response (EDR) software to quarantine workstations remotely, limiting the potential for malicious actors to move through the network. While rehearsing Business Continuity Plans (BCP) and senior management response through crisis simulations that focus on cyber scenarios offers an enterprise risk approach to avert catastrophe.
For facilities management, the evolution to smart buildings has brought all the benefits and vulnerabilities of connectivity to spaces and things via the BIoT, quickly making cybersecurity one of the leading barrier to IoT adoption. This resistance has gradually declined over the years as IoT benefits shone brighter, but as the BIoT continues to expand so does the attack surface and network vulnerability.
“Over time, more smart building systems and devices are progressively connecting to the internet, and interconnections between building systems for different building applications are increasing too, creating a multitude of new potential points of vulnerability,” explains our new BIoT market report.
“Customers and vendors alike must be diligent in best-practice cybersecurity protocols and establishing requirements for mitigating risks with new intelligent building investments. Every vendor will tell clients that they adhere to industry best-practice, but end-users need to do their own due diligence to establish the vendors’ cyber credentials.”