The Covid-19 coronavirus pandemic is likely to leave organisations exposed to higher risks of cyber attacks for months or years to come.
The number of attacks against organisations grew exponentially to reach a four-month high at the end April, as the virus spread.
But according to assessments by the World Economic Forum (WEF), hacking and phishing attacks are likely become the new norm for many companies, even as the virus infection rate begins to recede.
Employers are most worried firstly about Covid-19 provoking a prolonged recession in the economy, and secondly a surge in bankruptcies in companies of all sizes.
But in third place, companies are most concerned that the sudden surge in remote working will lead to increased pressure from cyber attacks and data fraud, according to the WEF’ Covid-19 risks outlook a preliminary mapping and its implications report.
The coronavirus outbreak has led companies and governments to roll out technologies at an unprecedented rate.
In the health service, IT projects that would normally take years have been rolled out in weeks, from the development of contact-tracing apps to systems that enable an army of workers and medical staff to trace contacts of people who have been infected with Covid-19.
Cyber gangsters and nation states have used the opportunity to attack organisations while they are distracted and at their most stretched.
“It is simply to do with the fact that organisations are more vulnerable, both in terms of their new modes of operation and the level of distraction of their personnel,” said Richard Smith-Bingham, one of the contributors to the WEF report.
Working from home
There has been an upsurge in phishing email attacks, malicious keylogger attacks and the distribution of password-stealing software, said Smith-Bingham.
Having a strong cyber security culture at work is one thing, but trying to replicate that for employees working from their living rooms is not straightforward.
That can lead to staff taking risks they would not consider taking when sitting in an office, perhaps without thinking.
Companies facing financial difficulties, that are forced to lay off or furlough staff, face additional pressures.
“That exposes businesses to cyber threats from their own employees, either from those who have malice against their organisation because of the way they they’re being treated, or indeed those who are somewhat more disaffected and disengaged and therefore slightly more casual in their behaviours,” he said.
Critical infrastructure under attack
Companies that provide critical services, such as the gas industry or those running power generation, and which are not used to their staff working remotely, are among the most vulnerable, said Smith-Bingham.
“There are smaller players the oil and gas industry within the supply chain that don’t necessarily have the advanced security capabilities of some of the bigger players,” he said.
Hackers are targeting them opportunistically, he said, to exploit security vulnerabilities in software.
The attacks not only put those businesses at risk, but other companies in the supply chain are also vulnerable.
The pandemic has exposed gaps in companies’ supply chains, and organisations have responded by shifting work to new suppliers or bring work back in-house at a rapid speed – creating further scope for cyber attacks.
“Anything that shifts the supply chain involves new counterparties, new relationships, new access points, and therefore inevitably creates new exposures,” said Smith-Bingham. “And that is going to continue.”
Research by cyber security company Check Point suggests that coronavirus-related attacks accelerated to a peak at the end of April 2020 and are now declining.
But cyber threats are likely to continue at heightened levels for some time. Once they have gained access to a network, hackers can install malware that they can choose to activate at any time.
It may be months or years before a company realises it has been infiltrated.
At the same time, companies are financially stretched, with many only just surviving the downturn.
“It is inevitable that in many companies, cyber security budgets will be cut – many would say they were never quite enough anyway – and everyone will have to do the same with less, or more with less,” he said.
That will mean projects to upgrade IT systems and software to the latest most secure versions will either be deferred or may not happen with the same level of rigour.
Add to that the growing shortage of experienced cyber security professionals, and companies will need to focus their efforts on the most business-critical IT systems.
Those working from home should be constantly reminded of the risks, said Smith-Bingham, perhaps through a weekly email that warns of the latest suspicious phishing emails.
There are wider questions too that have yet to play out, not least of which is whether world governments will be willing to collaborate to tackle the existential threat of climate change or whether a resurgence in nationalism will make collaboration impossible.