In every crisis there is opportunity, as the old adage goes, even for unscrupulous people. This especially applies to the coronavirus pandemic, which has opened opportunities for hackers to prey on distracted people and organizations in many countries.
In fact, the World Health Organization urged people to be vigilant about this as early as April, as cyberattacks had increased fivefold. Last year, Deloitte’s Cyber Intelligence Centre reported a spike in phishing attacks, malspam and ransomware assaults after their perpetrators took advantage of Covid-19 to pose as legitimate brands and mislead employees and customers alike. In June, Swissinfo.ch cited figures from the National Cyber Security Center in reporting that the number of cyberattacks — phishing, fraudulent websites and direct attacks on companies, among others — in Switzerland reached 350, compared to the usual 100 to 150.
All the tell-tale signs were there at the onset of the pandemic. Employees under work-from-home arrangements did not enjoy the same data-protection measures a working environment has. Many individuals who lost their jobs were likely forced to turn to cybercrime. These have led to a global threat called a “cyber pandemic,” an organized cybersecurity attack on organizations that takes advantage of people’s vulnerabilities during the pandemic.
A 2020 yearend data-breach report by Risk Based Security said “there were 3,932 publicly reported breach events at the time of this report, a 48-percent decline [from those in] 2019.” However, “the total number of records compromised in 2020 exceeded 37 billion, a 141-percent increase [from the] 2019 [figure] and by far the most records exposed in a single year since we have been reporting on data breach activity.”
Another recent report, from security vendor Atlas VPN, revealed that “63 percent of cyberattacks last year were financially motivated,” and of this number, “81 percent were ransomware attacks.” Ransomware is a form of malware that encrypts a victim’s files and enables the attacker to demand ransom from him or her in exchange for restored access to those files. The average cost of a ransomware-caused breach in 2020 was $4.44 million, according to the report.
It noted that “one of the most significant ransomware attacks in 2020 was the Garmin breach; the company reportedly lost $10 million to its hackers.” Two more were CWT Global, “which paid $4.5 million to cybercriminals” and Travelex, “which [incurred] damages of $2.3 million due to a ransomware attack.”
In the Philippines, digital credit company Cashalo recently experienced a massive data breach that exposed 3.3 million customer records on the dark web.
Why is it that despite the huge amount of money spent on cybersecurity tools and technologies, we still see cyber breaches increasing, especially amid the pandemic? According to Canalys, cybersecurity spending worldwide is projected to reach $60 billion, up 10 percent from last year’s.
What is the cause of these breaches? External actors accounted for 77 percent of the total, and of those caused by insiders, the vast majority — 69 percent — were blamed on human error or oversight, according to the Risk Based Security report. In addition, the use of stolen credentials was attackers’ No. 1 confirmed method of entry.
Human error or the human element has been consistently reported as the cause of most cybersecurity breaches. This would become more obvious in the coming years, with people being so vulnerable during the pandemic.
In 2017, I wrote in an article that “more than 90 percent of all cybersecurity breaches are caused by human error! This is the stark reality, according to countless studies done by several technology and security companies and organizations. Yet, it was seldom, if not never, discussed in the cybersecurity events I attended in the last three years.”
This remains true. Conversations on cybersecurity are all about the hackers, tools and technologies pushed by vendors, and policies handed down by regulators, but not the human element.
“Many of the security breaches are caused by ignorant, careless or disgruntled employees who deliberately expose data — all behavioral in nature,” I wrote then.
That’s why I stressed at that time that “policies, penalties, training and change management can only do so much to change the behavior of organization members.” I also wrote that “there needs to be a new-age organization development approach that plans and implements systematic change in attitudes, beliefs and values of the employees to make sure they are…conscious and deliberate with their actions [in] protecting company data and upholding cybersecurity.”
I added that “it should encompass structured activities such as enablement of adoption and behavior change on a broad scale, and promotion of good practices that reinforce the new behavior.”
In the end, to address the threats from the growing cyber pandemic, a holistic approach that considers people, processes, technology and policies should be adopted.
The author is the chief executive officer of Hungry Workhorse Consulting, a digital and culture transformation consulting firm. He is a fellow at the US-based Institute for Digital Transformation. He teaches strategic management in the MBA program of De La Salle University. The author may be reached at firstname.lastname@example.org.