Five Minute Focus: Building a Cyber-Resilient Organization

Adam Evans, RBC's Chief Information Security Officer, discusses the impact of the COVID-19 pandemic on cybersecurity and how organizations can build resilience into their security plans and systems to help protect against dark web and criminal threats.

1. What cybercriminal activities have emerged during COVID-19?

In COVID's very early days, there was a surge in fraud involving the provision of medical supplies with websites created to attract people to buy masks, bottled water, and hand sanitizers. Those websites would harvest private data and generate income for criminal activity. That lasted for two to three weeks followed by more targeted attack campaigns that leveraged the anxiety around COVID-19.

One campaign, for example, had people download mobile applications that claimed to be able to alert users where infections were in their communities. When downloaded, the app would encrypt the user's entire device and demand a ransom. Globally, mobile attacks were up 37 percent during the pandemic compared to the same period last year, which aligned with growth in the use of mobile devices for business interactions.¹

2. How is the industry of cybercrime changing?

Cybercrime has become commoditized and highly lucrative. From a revenue point of view, it is outpacing every other form of traditional crime combined. Cybercriminals have built big businesses that are driving new revenue streams to finance more criminal activity. Information is being collected at scale from data breaches and being enriched in underground marketplaces. That information is then sold to other cybercriminals.

This is coinciding with the digitization occurring across legitimate global organizations. As organizations grow their technological footprint, this increases the threat surface that can be targeted. In this way, the digital economy is inadvertently assisting cybercrime through services like technical support and help desks.

Social media has also provided new platforms for cybercriminals to gather personal information. This information can be collected and used to create fake profiles that can ultimately shape people's behaviours. Another development in the last two years involves cybercrime taking on an increasing geopolitical angle. Nations are looking to gain political advantage through cybercrime or be placed in a more powerful position when it comes to negotiating contracts.

3. Are the long-term effects of COVID-19 still to play out in the cybercrime space?

At this time, many small and medium-sized organizations across the globe—and specifically in developing countries—are finding it challenging to remain in business. As a result, there will be a highly skilled workforce out of work. We may start to see the recruitment of some of these displaced workers into criminal organizations because of their skills.

I don't think we will feel the full brunt of COVID-19 from a cybercrime point of view for 6 to 18 months. At the moment, it's still in its infancy as threat actors re-tool and bring people in. But their objectives are consistent. They are all focused on making money and monetizing crime.

4. What cybersecurity challenges are organizations facing as they adjust operations during COVID-19?

In January this year, we started to see threat actors mounting targeted campaigns at work-from-home infrastructures. By moving people out of the office, organizations have created an alternate, and potentially critical, point of failure. Threat actors understand that if an organization's remote working capabilities are held for ransom or are unavailable, organizations may not be readily able to transition their workforce back into the office as a recovery mechanism.

Organizations now need to look at their security programs and understand what needs to change to accommodate a predominantly at-home workforce. This includes printing from home, data movement, and storage into remote locations, as well as collaboration platforms, regulation, and privacy. These are all areas organizations had to consider very early on to make sure they were shaping their employees' work-from-home behaviour.

Email also remains a major threat for most organizations, given that many cyberattacks begin as phishing scams. Social engineering tactics attached to emails are commonly used to evoke a response from employees, and cybercriminals are capitalizing on the high levels of anxiety resulting from COVID-19, which has improved overall success rates for attack campaigns.

5. Is observing regulatory requirements enough to ensure cyber resilience?

We are dealing in a business of trust. This means we are not only adhering to all of the regulatory requirements that are delivered to us, but also making sure we are investing in the right areas to protect our clients. What we don't necessarily want is a compliance-driven security program that is solely based on meeting regulatory obligations.

It is preferable to get out in front and start doing the right things according to best practices. This includes providing thought leadership in regard to how we protect an organization on a global scale. It's also about introducing security in a way that doesn't necessarily erode the client experience but introduces friction when friction is required.

6. How can organizations take a proactive approach to cyber resilience?

Traditionally, cybersecurity has been seen as a technology issue, but as technological footprints grow, it becomes a business challenge. Cybersecurity is not just about having a documented disaster recovery plan; it's also about mobilization in a time of crisis. When an incident unfolds, institutions need to continue to run.

Building cyber resilience starts with people. Organizations must understand that they cannot protect everything at the same time and have to decentralize some aspects of security to the people that operate in the company. This is where instilling a culture and awareness of cyber resilience among staff and executives is very important.

Cyber risk is another business risk that organizations and heads of business need to actively manage. To manage cyber risks intelligently, risk owners need access to information about the threat landscape, they need to establish a risk appetite, and identify where/what their “critical assets” are. Only then can a security program be created that will help them properly manage the cyber risks to their business.

Once companies have established their risk profile and understand what they are trying to protect, they need to create a plan and test for the cyber crisis that will eventually impact them. The plan should include decision makers, crisis resources like breach responders and legal counsel, and be regularly tested to ensure they can respond effectively in a time of crisis.
