The emerging cyber threat landscape

The coronavirus pandemic has transformed the way we work. And while half the UK population is able to work from home, this doesn’t come without its challenges, including an increase in cyber security threats. Cyber criminals will be capitalising on confusion and uncertainty as we all adjust to new ways of doing business. In this episode, cyber experts Sean Sutton and Rachel Mullan join host, Rowena Morris, to discuss how you can protect your organisation and your people.


Rowena Morris (RM): Welcome to the latest episode in COVID-19 business in focus, where we explore the business impacts of coronavirus. I’m Rowena Morris, a director at PwC, and I’ll be your host for this series.

Coronavirus has transformed the way we work, and while half the UK population is able to work from home, this doesn’t come without its challenges, including an increase in cybersecurity threats. Similarly, cyber criminals will be capitalising on confusion and uncertainty as we all adjust to new ways of doing business. In this episode, we’ll be looking at the potential risks, and discussing how you can protect your organisation and your people. I’m delighted to be joined by my colleagues from our cybersecurity business today, Sean Sutton and Rachel Mullan.

Sean Sutton (SS): Hi Rowena.

Rachel Mullan (RaM): Hi, thanks for inviting us today.

RM: No problem, welcome to our virtual studio. So, if we kick off first of all by thinking about what does the cyber threat landscape look like right now?

RaM: Well, overall for us, what we’ve been seeing is almost business-as-usual for cyber attackers in terms of the tactics that they are using and who they are targeting. So they’re using the same kind of malware that they would ordinarily be using, and they’re still using spear phishing as a way to get into networks, but what has been shifting has been the increase in the malicious activity that’s themed around COVID-19, which is perhaps unsurprising and it’s certainly very clear that criminals are exploiting the situation.

One of the things they’ve been doing is mimicking legitimate organisations, such as government departments or health bodies that you might be expecting them to mimic. We’re all expecting information updates from those kinds of organisations, and so cyber attackers using those kind of themes is perhaps not unusual as it increases the likelihood that we might click on a link or open an attachment, so it’s really highlighting that social engineering is a particular risk at the moment, so very much leaning into that human factor.

We get asked a little bit about targeting focusing on particular regions, and I think one of the things to remember is that quite a lot of cyber attacks can be border agnostic, and global targeting is a large part of what we’re seeing, particularly if you’re thinking in that cybercriminal space where some of the really low-hanging fruit would be wide-ranging spam campaigns, and that’s continuing.

Overall, the sophistication of what we’re seeing is varied, but one of the areas we’ve been particularly concerned about has been ransomware. Over the last year it’s been a big trend in any case, and it certainly doesn’t seem to be dying down, and at a time when it’s really critical for certain sectors to be available and to be operating, ransomware could be a particularly effective way for cyber criminals to meet their objectives. Cyber criminals started exploiting COVID-19 early in the piece, as early as January 2020.

RM: Thanks Rachel, very helpful summary. So Sean, moving on to you, can we talk a little bit around what the main security threats are that are emerging?

SS: Yeah, there have certainly been a few different threats that have emerged but just to pick up on a couple that we’ve really seen quite consistently with a lot of our clients. Clearly there has been a lot of disruption to workforce, and also supply chains as well, and the risk there is increasing vulnerability to some of the old threats and exposures that might exist. So for example, vulnerabilities can quite easily start to creep back into an environment if security basics like patching are neglected or slowed down.

And all organisations might not be able to detect cyber attacks if their security teams are really stretched, or if in fact they’re going off unwell during this period. And I think going forward, we’ll probably see a real change in organisations’ cyber risk landscape. Obviously there’s been a lot of changes in the last few weeks with organisations moving to remote working, but the decisions and the moves that have been made over the last few weeks as tactical changes quite possibly will become the strategic position going forward – it’s quite hard to reverse some of those changes once they’re in place and once people have got used to them, so I think the threat landscape around some of those changes will also really refocus what security needs to think about over the next few months.

RaM: I think also to pick up on some of that changing behaviour, the shift to remote working and the potential prioritisation of business operations is really starting to bring about immediate risks, and if you look at some of the malicious activity that we’ve already been seeing, it’s targeting technology that we would be using for remote working, particularly if you consider that there’s a lot of tools or applications that we might be using that might be unfamiliar to a lot of us, so collaboration platforms are an obvious one, as are the virtual private network in terms of being able to reach back into your internal network from your home.

A simple, smaller attack that might occur on the capacity of your virtual private network, so a denial-of-service, might have a potential greater impact than it would ordinarily when that kind of availability is a key part of what we need to do to keep operating as businesses. We’ve also seen a bit of an uptick in the malicious activity at the same time that there’s been a reduction in visibility for security teams, so if you think about the move to different ways of working, or even just the different endpoints, so even bring-your-own-device type systems, there may be potential gaps for security operations teams for what they’re able to see, therefore to prevent and respond to.

RM: So lots of things to consider. How should businesses reduce the risks of home working? Sean, if you could take that one.

SS: There’s a number of things that different organisations can do. Clearly with a big shift to remote working, one of the main areas of focus has certainly been around extending secure remote access, whether that’s by standing up additional VPN capacity or looking to third parties to provide that additional secure connection. I think monitoring the remote access as well is really important, looking for unusual behaviour or different login activity, perhaps in Active Directory or at the boundary, gives you another way of potentially identifying if something’s starting to happen within your environment.

I would say also, looking at protections in and around distributed denial-of-service, there’s tools and mechanisms to implement a denial-of-service attack and at the moment that could have a real detrimental impact on an organisation, especially if they are already stretched as we touched on before. I think it’s important as best you can to maintain some of those strong authentication controls – certainly with some of the clients we’ve spoken to over the last few weeks they’ve had to almost detune or remove some of the multi-factor authentication to allow users to connect to the business systems. That’s OK if it’s the only decision that you can make that will enable the business to continue to operate, but the flipside then is to make sure you’re putting some additional security control in place. Maybe that’s monitoring or maybe it’s something else. But also I think it’s important not to forget it’s not just the connection to the corporate systems that’s important, you need to consider what data is on the end user’s device, how is the end user’s machine set up from a security perspective, and don’t underestimate the need for reinforcing end user awareness as well, perhaps through phishing campaigns or certainly identifying some of the threats that are out there and helping users understand that being vigilant now is really important.

RM: And building on what we were talking about earlier, but it feels like there’s so many different things for businesses to be considering at the moment, and with everyone having to react really quickly on a day-to-day basis, everyone’s on high alert all the time, but what risks does that create for people and for businesses?

RaM: Well if you think about the fact that COVID-19 is part of all our lives, whether that is our business life or our personal life, I know certainly from my perspective, I’m always looking for more information, I’m expecting a lot of information around that, so threats are more likely to be socially engineered, taking advantage of that particular climate, so there’s a really human element to the kind of risk that we’re seeing. And as people, we’re more likely to click on links and attachments that look like they come from organisations that are legitimate organisations, so the malicious activity looks and feels like it is coming from something that we are expecting, or it looks very much like the graphic that we’re expecting to see, the more likely it is that we click on something potentially malicious. That’s certainly been something that we’ve seen a shift in terms of the malicious lures that we’re seeing are starting to look a bit more convincing and authentic.

And you’re talking to organisations, just to pick up on Sean’s point around the self-awareness training, that’s certainly been one area that I think has been a discussion point for a lot of organisations. We’re all experiencing a really high tempo of alerts and there’s a really high volume of communication, so it becomes this consideration of, do you pause the programmes you have in place to provide self-awareness or to test the phishing, or do you bring it back into place knowing there’s potentially a broader risk around, and there’s a bit of a balance to be struck in terms of that to avoid people becoming blasé about what they’re seeing and what’s coming through on their emails or their phones or other devices.

RM: It definitely feels like a very careful balance to be struck, so how can businesses protect themselves against these new threats?

RaM: I think really, it’s probably worth bearing in mind that I guess many of the changes we’re making now are going to affect organisations, the risk landscape, going forward, and Sean’s already mentioned that earlier. So one of the things with rapid IT change is that you can start to bring in systems or devices where controls may have been relaxed or removed to ensure that they can do what they need to do at the time, so as you go forward, ensuring that those controls are either put back in place may become important, or doing something to check whether there are risks that you’ve introduced that maybe you didn’t have before. So that might need a potential adjustment in the detection and response methods that are in place. Particularly considering that our behaviours have changed, and we might start to rely on a lot of this new technology, so it becomes something we need to consider as we go forward that it has the same level of security we would ordinarily have anticipated it having if it wasn’t rolled out as rapidly. At the same time, that might require some sort of ‘find and fix’ activities, so testing to see if there are vulnerabilities that maybe we didn’t know about before it got put into place, and if there is, how can we mitigate that.

Touching I guess a little bit back on security teams that maybe have less visibility, but they may also be short-staffed or repurposed at this point, so they might have had their focus shifted a little bit to do other business activities and support the business in other ways. That could potentially be hindering effective detection and response. So this is probably a really good opportunity to consider whether there’s an augmentation that’s needed for teams or whether there’s some sort of surge support capability that organisations might have in place to support in such a situation.

I guess for me, what it really boils down to is that a lot of the short-term decisions that are being made now by businesses are going to be part of their long-term strategies, whether or not that’s what they want it to be at this point in time.

RM: That’s a really good point and definitely something we should all be keeping in mind. So going back and thinking about the long-term strategy, Sean, how should businesses be planning for the future?

SS: It’s a really interesting point I think. Obviously no one has a crystal ball at the moment and whilst we’re all hoping that things improve and that we can get back to normal, whatever ‘new normal’ might be, I think there’s quite a bit of planning that would need to go into where we are now and how things evolve and then how we start to perhaps remobilise into standard ways of working or new ways of working. I think perhaps there’s a couple of things that might be quite obvious, and so I would expect that we’ll see more acceleration or adoption of cloud – that’s clearly a way to build more resilience into an organisation. I do actually think that there might also be some redefinition of what a resilient organisation looks like. I think we’ve learned over the last few weeks that once we can have plans in place and great security built up around our organisation, the last few weeks have really demonstrated how those plans don’t quite address the need and therefore taking lessons learned out of the period we’ve just gone through, and really looking at those and considering what resilience means for an organisation will be an activity that lots of our clients will work through, the same as we are as well.

I think potentially expansion of ecosystem business models, so looking where suppliers have really been able to step up and help through security or provision of additional services, or whatever it might be, but I actually think embracing that ecosystem is perhaps also a key area to consider and really would link back to looking at what a resilient business actually is. I think one thing perhaps really evident is that security has definitely been able to step forward over the last few weeks and help businesses move quickly but in a secure way to embrace different technology and new ways of collaborating, I think that’s a real positive for security, so I think yet again, the role of security and certainly the role that security plays within a resilient organisation in the future is changing, and again, we’ve certainly seen that within our own firm.

So I would say that my final thoughts very much are that resilience and organisational change has happened very quickly over the last few weeks, there’s lots of positives in and around the challenges, and that security is absolutely knitted into the fabric of resilience and I think that will be key going forward.

RM: That’s a really helpful summary, thanks Sean, and thanks Rachel. Hopefully everyone has found that helpful, so thanks very much for listening. If you’d like to know more about the themes that we discussed in this episode, a range of our cybersecurity insights are available on our website, if you go to pwc.co.uk/covid19. We hope you’ll join us next time, where we’re going to be focusing on cashflow management and rapid cost reduction, so please do subscribe to keep up to date with all of our latest episodes. Thanks everyone, and until next time, please stay safe and look after yourselves and your families.

Participants

  • Rowena Morris, director, PwC
  • Rachel Mullan, PwC
  • Sean Sutton, PwC