InfoSec Insider

What COVID-19 Taught Us: Prepping Cybersecurity for the Next Crisis

Sivan Tehila, cybersecurity strategist at Perimeter 81, discusses climate change and the cyber-resilience lessons companies should take away from dealing with the pandemic.

Few could have anticipated the impact COVID-19 has had on business. It spread from an isolated outbreak to a global pandemic seemingly overnight, and IT leaders across the planet have had mixed success adjusting to the changes and uncertainty it has brought.

While COVID-19 caught many businesses off guard, smart executives are already thinking about the next global crisis and what challenges it might present for IT security.

Climate Change: A Looming Crisis

It’s a good bet that climate change could bring forth the sequel to COVID-19. Global climate change is once again the top threat globally according to Pew Research (not surprisingly, cyberattacks are a close second), and it typically occupies top rankings on similar doomsday lists. The World Economic Forum did not include pandemic or contagious disease on its 2019 list of Top 10 Global Risks By Likelihood, but climate change dominated the top three — extreme weather events, failure of climate-change mitigation and adaptation, and major natural disasters like earthquakes or volcanoes.

Climate change is particularly problematic for IT because it affects confidentiality, integrity and availability — the three pillars of information security — and requires a holistic strategy.

Availability is threatened by the physical nature of climate change that forces people away from home or office and the spiraling demand for resources. Confidentiality and integrity become problematic when considering the newest technologies that organizations are implementing as part of digital transformation. Security concerns should be a leading factor when considering and deploying new technology solutions.

Pandemic Provides Sound Guidance for the Next Crisis

We’re all still learning the lessons of COVID-19, and going forward they must be held closely, as many potential climate-change outcomes could mirror what we’ve experienced since March 2020. Wildfires or flooding from supersized or rare storms, events that have intensified in recent years, would bring mass evacuations and services disruptions that drive employees to work from home and businesses to establish secure connections in order to maintain productivity.

Working from home and increased cloud adoption pose challenges and risks that must be faced proactively. Since fixed locations and the legacy hardware they’re connected to are increasingly vulnerable, a user-centric approach to security infrastructure, like a software-defined network, is required.

There is increasing chatter around the importance of data backup in 2021, and how automated backup and disaster recovery (BDR) will be an emerging mission-critical component of data security. Considering how working from home figures to continue driving the emergence of both multi-cloud and disaster recovery as-a-service (DRaaS) (expected to grow at 41.6 percent CAGR through 2027), it’s safe to say most organizations will be focused on BDR.

Expect the Worst Intentions of Bad Actors

Similarly, COVID-19 has given us a window into how hackers can exploit human vulnerabilities during a crisis, with healthcare and pandemic-related attacks prevalent in 2020. For example, phishing emails are designed to play on emotions, so it’s not surprising that the words COVID, CORONAVIRUS, masks, test, quarantine, and vaccine appeared widely in phishing emails this year.

A climate change-related crisis with widespread disruptions would likely provide bad actors similarly ideal conditions for deception. During the first weeks of shelter-in-place for many U.S. states last March, almost three times as many people clicked on a phishing link and provided their credentials to a simulated login page than in pre-COVID-19 phishing simulations conducted the previous year. Taking advantage of this heightened emotional response is how opportunistic hackers succeed.

This tells us that zero-trust identity and managed security solutions, can help organizations be ready for any situation that would test their workers’ vulnerabilities. The added layer of employee training and awareness could include proven methods of phishing prevention that can dramatically reduce user click rates.

Infrastructure Will Force Companies to Look Inward

The internet and climate change are intertwined in an anxiety-producing plot — the internet is at once a cause of climate change and one of its potential casualties.

Internet-of-things (IoT) devices, which are still largely unregulated, continue to see widespread adoption, and companies are now coming online with IoT-enabled smart factories and offices running entirely on automation. Existing operational technology (OT) networks that run most of our critical infrastructure are old and difficult to truly secure, so any disruption to the internet brought by climate change, or any related cyberattacks, must be accounted for in security planning.  With IoT specifically, endpoint security must be addressed.

It’s difficult to envision any company’s plan that does not seriously take into account its own environmental footprint. Increasingly, governments are applying more stringent standards for energy efficiency around data centers, storage and networking. This kind of effort ultimately requires global, industry-wide and company-wide cooperation, and organizations who buy in first will position themselves for success in the face of adversity.

True Resiliency Requires Vendor Independence

A climate change-related crisis would likely impact an organization’s systems in some way. That company’s vendors would be similarly impacted and possibly unable to provide service. More than anything, climate change will require companies to improve independency so they are not so reliant on existing legacy technology or other service providers for data, security or infrastructure.

Companies must meaningfully invest in disaster recovery and business continuity, and comprehensively assess all third-party risks in order to ensure independency. This effort also requires investment in new, scalable and integrated platforms to replace legacy architecture.

It might be impossible to plan for the next global crisis. But if COVID-19 has taught us anything, it’s that transformative change is possible even in the most trying circumstances. Taking threats like these seriously and making a plan is the first step to ensuring resiliency when the world changes on a dime.

Sivan Tehila is cybersecurity strategist at Perimeter 81 and an adjunct professor of cybersecurity at Yeshiva University.

Enjoy additional insights from Threatpost’s InfoSec Insider community by visiting our microsite.

Suggested articles