By Chris Kennedy, CISO & VP of Customer Success, AttackIQ
More than seven months into the onset of the novel coronavirus, it feels strange to look back on the things we previously took for granted in our day-to-day lives and accept the new reality, from working from home to celebrating events online to having a doctor’s appointment via Zoom.
We have adapted to life under the novel coronavirus by becoming ‘A Very Online People.’ Hostile actors have been busy looking for ways to exploit us when we’re vulnerable, impressionable, and dependent on the internet.
Our transition to remote work and increased digitization has opened us to a slew of threats: from phishing scams to botnets, from ransomware to the spread of disinformation. Cybercriminals and nation-states wasted no time in taking advantage of this pivot. Ransomware attacks are up seven-fold compared to last year, the Russian government is at it again with this year’s election, and the shift to online classes and teaching has made schools vulnerable.
Finally, the election results may not be known for weeks after election day due to the increase in mail-in voting, the safest but slowest way under the coronavirus to ensure a safe and secure electoral outcome; for this reason, November is likely to be a difficult month in America as the election results are likely to be contested, with a spike in disinformation and online extremism. It is as tense a period in American history as anyone can remember.
Timing the perfect storm
With all eyes currently on the election, the next logical target is the retail sector—namely the supply chain—during the coming holidays. We saw an increase of cyberattacks on retailers during the holidays previously and we should expect a similar trend this year. Attacks could expose customer financial information, hold company data hostage through ransomware (with a hefty price tag to boot), or disrupt business operations. Consumer spending is also tied directly to the health of our economy, and a hostile nation-state might take the chance to pounce on the United States and disrupt the flow of goods and services.
Especially when we’re so dependent on the internet. E-commerce sales have spiked by more than 31 percent during the pandemic and now 43 percent of all holiday shopping is expected to be done online. Ours is a fragile economy built on outsourcing and just-in-time inventory; the market is already vulnerable as supply chains have been disrupted with manufacturers and retailers struggling to keep goods in stock. The timing and potential scale of a retail-focused attack make this an acute moment.
Planning and preparedness are crucial
We have a short window for effective security planning before the holiday season is fully upon us. American organizations have had several opportunities in the past to make good cybersecurity investments; the big, high-profile breaches of the past seven years should have provided the impetus to invest. But too often organizations have failed to move fast enough. Let’s make this year different.
What should be done? The first and most important step is to exercise the security you already have. Verizon’s Data Breach Investigations Report estimates that 82% of enterprise breaches should have been stopped by existing security controls but weren’t. Why is that? You could buy the best cybersecurity tools on the market to meet your needs, from firewalls to internal security segmentation capabilities to endpoint monitoring, but cybersecurity controls fail, and when they do, they fail silently. There is no “check engine light” that comes on right now. Security controls fail for two reasons – user error or misconfiguration – and when they fail, the enemy slips past.
The best course between now and the rest of the holiday season is for security teams to exercise their cyber defenses against known threats. We have a free tool to help us do so. The Department of Homeland Security recently released an alert warning the health sector of the risk of escalating tensions and potential cyberspace operations from China. At the end of the alert, the government agency listed Chinese tactics under the MITRE ATT&CK framework of known adversary tactics, techniques, and procedures. The framework organizes known hostile actors and their behavior. Organizations should use ATT&CK to prepare for known threats and exercise their security controls to defend customer data and ensure a safe holiday season.
We just had National Cybersecurity Awareness Month in October, which is always a timely reminder for companies that touch the supply chain to shore up their cyber defense effectiveness. Consumers need to be diligent about disinformation, about keeping their personal information secure, and enterprises need to be on guard.
The past year has left us rattled, and this month is likely to be difficult as politics and foreign influence operations put downward pressure on the American people—even after the election happens. December gives adversaries another opportunity to keep up the pace. It doesn’t need to be that way. Simple steps we take now can help ensure a safer and more secure end of the year and a positive transition into 2021. Preparation is the name of the game.
About the Author
Chris Kennedy is Chief Information Security Officer (CISO) and VP of Customer Success at AttackIQ where he is responsible for managing all aspects of customer relations and success, as well as the company’s internal information security strategy. He joined the company in January 2019 from Bridgewater Associates where he was head of security for infrastructure technology and controls engineering. Kennedy has more than 20 years of cybersecurity risk and operations practitioner experience and previously led the development of the U.S. Department of Treasury’s and the U.S. Marine Corps’ cybersecurity operations programs. A former Marine Corps Officer and Operation Iraqi Freedom veteran, Kennedy holds a Master of Science in Computer Information Systems from Boston University and a Bachelor of Mechanical Engineering from Vanderbilt University. Connect with him on LinkedIn.