Supplementary research undertaken in the months since the release of Verizon’s authoritative Data Breach Investigations Report has put a spotlight on what anecdotally we already knew too well – malicious global cyber activity has increased sharply in the months since the start of the pandemic.
While it will not come as a surprise to many that cyber criminals and other malicious actors would seek to take advantage in periods of turmoil and uncertainty, Verizon’s supplementary report underlines the nature of the increased activity.
Verizon Business Group Asia-Pacific regional vice-president Rob Le Busque says the spike in malicious activity reflects the dynamic changes to work life and the organisation of society more generally.
The criminal response to those dramatic changes was to become seriously more active, and in relation to phishing in particular, to quickly adapt language to create sophisticated COVID-related malicious emails.
The 2020 Data Breach Investigations Report (DBIR) was launched in May based on the anonymised breach data collected from global partners in 2019 – including the Australian Federal Police.
But Mr Le Busque said with the dramatic changes to business brought about by the response to the pandemic – the work from home stampede and the mass migration to VPNs, the cloud and software as a service applications – the company took it upon itself to produce a supplementary document based on data collected for the three months from March.
Unlike the DBIR series, this study focuses on 36 confirmed data breaches which were identified as being related directly to the COVID-19 pandemic, and also reviews 474 data breach incidents from March to June 2020 based on contributor data and publicly disclosed incidents.
Mr Le Busque said Verizon has combined this data with the team’s observations drawn from collective years of experience to ascertain the cyber-trends that have most impacted businesses during this time.
The supplementary report reconfirms the broad trends identified in the DBIR 2020, but highlights a big jump in scale. This is particularly the case with data breaches that resulted from the broad category of “errors and misconfigurations”.
Mr Le Busque said this had already been an issue in the pre-COVID environment, in that IT departments have been under pressure to perform more tasks with fewer people.
“But now having to manage large-scale change projects on compressed time-lines and with the added pressure to ensure availability and performance that has come with the pandemic response, that’s had an impact,” he said.
“In some cases, they have had to formulate strategy – like a cloud migration and software as a service – on the fly, and then implement that strategy very, very rapidly, which is not the way these businesses would normally operate.”
This has resulted in errors, and the available attack surface has “exponentially increased” as the response to the pandemic created huge demand for infrastructure that enabled staff to work from home.
The vast majority of data breach incidents are financially motivated, just as they were pre-pandemic. What is interesting is that the cyber criminals are using the same “tried and tested methods” that they used before COVID.
It goes without saying that if these tactics worked in a stable business environment, they have been working even better in an era of unprecedented volatility and change. The tactics have not changed, but with a much larger attack surface, the results are similarly much better. For the criminals.
Mr Le Busque says 80 per cent of breaches are the result of stolen or brute-forced credentials. This is a huge challenge in the work from home era where “worker distraction” has led to a surge in successful phishing attacks, often ones in which credentials are acquired.
“What we found during the COVID period is that in some cases three times as many people clicked on a malicious email than previously,” Mr Le Busque said.
“We also found an increase in click-through rate – modest but important – when the email included terminology that was COVID-related, and that was designed to act on emotion, or heightened awareness or anxiety.”
In a work from home environment where people are faced with uncertainty and fear – and where there is an active appetite for COVID-19 information updates – you can understand how malicious emails with words like ‘COVID’, ‘coronavirus’, ‘masks’, ‘quarantine’ and ‘vaccine’ are getting higher click-through rates.
The bottom line is that at a time when the pandemic response has created conditions that have a negative impact on cyber resilience, the need to build cyber resilience into our business and government structures is greater than ever.
“The focus for governments, enterprises and service providers should be a dialogue on improving and bolstering cyber resilience and cyber defence,” Mr Le Busque said.
“There is a danger that this can get lost in the discussions when there are so many competing priorities, from citizen well-being and healthcare, to employment, industry sustainability and supply chains.”
“Cybersecurity and cyber resilience is one of those challenges, and our job is to ensure that adequate attention is paid to it,” he said. “It is up to us to ensure there is an adequate understanding of that relationship between cyber resilience, cyber security and our ability to keep our businesses and enterprises operating as they should.”