Welcome everybody, I am Emma Woollcott and I am your host today. This is the first Mishcon Academy Digital Session a series of online events videos and podcasts looking at the biggest issues faced by businesses and individuals today.
Today we are discussing the developing cyber threats that Covid-19 poses to businesses and individuals. As a reputation lawyer, I am particularly interested in how organisations and individuals and indeed governments and countries will be judged by their response to this unprecedented crisis situation including how prepared they are for cyberattacks and malicious interruptions. I am joined today by Joe Hancock a Partner and the Head of Cyber at MDR Cyber, Mark Tibbs is the Director of the Cyber Intelligence team at MDR Cyber, Simon Lambe is the European Regional Risk and Security Officer for Compass Group, Alex Guirakhoo is a Threat Research Analyst at Digital Shadows.
What are the cyber security challenges that businesses are facing from this rapid digital transformation in terms of remote working? And do you think that businesses are prepared to deal with cyberattacks remotely?
Joe Hancock:
Thanks Emma. I mean we are in unusual times, we have now all turned our businesses effectively inside out. Everyone who was in the office is at home, every kind of service we can push out there is in the cloud and everyone is now taking web conferencing much more seriously than they ever did before and this presents some interesting kind of challenges, I mean we are all seeing staffing issues at the moment across every business especially businesses who provide professional services so we are starting to see a bit of a reduction in managed service provision. For example, whether you outsource monitoring or detection capabilities, can that supplier at the moment really sustain those when their headcount is being reduced and can you sustain that internally but also there is now the move to the services that are speeding up everywhere. We have seen all of the problems that Zoom has publically had in the last few weeks and the irony is not lost to me that we are all on a zoom call, we have seen other video conference providers start to have issues and this is only going to continue and actually this stuff now pops up outside of the protective bubble so all of a sudden we have gone from having a few shadow IT services as we call them, things that we kind of knew people were using within the business but now everyone and every business is probably using Zoom, Webex Teams, Blue Jeans, House Party. Contemporary security strategy is all about rapid detection and effective response and often we find that response for our clients often relies on having the right people in the office to either be able to get on a call or do something quite quickly. It's really difficult remotely so we are starting to see organisations now think about actually do I really need forensic evidence for something or do I just get the information that I can get to prove that something has happened or not. We are seeing a lot more focus on remote forensics and remote instance response. So it's going to be interesting how both this digital transformation happens to businesses but also how we provide security services for the organisations we protect with less staff, less resources and also do it all remotely.
Emma Woollcott:
Alex, I wonder if I could ask you, now that people are spending more time at home behind screens, is there more cybercrime across the board? With less supervision from schools and parents are there more disruptive actors hacking just for the lols!
Alex Guirakhoo:
We saw cybercrime happen immediately after the virus started making global headlines and it started off with the typical things, phishing emails, misinformation but more recently it has grown to also include the sale of fragile and medical equipment and also more detailed scams. Cybercriminals have also been taking, like Joe said, taking advantage of these communication platforms that are now being used more than they ever have before so you have organisations like schools who don’t' have this ingrained remote work culture that have now had to strain to come up with these solutions to sustain their business while everyone is dealing with the fallout from the pandemic. One phenomenon that is pretty recent is 'Zoom bombing', so that is when uninvited participants join a meeting to eavesdrop or share inappropriate material and just generally to wreak havoc. You have dedicated forums that have crept up on the cybercriminal landscape like 'Zoom leaks' which is for people to join and share Zoom room codes for people to access as well as the passwords needed for those rooms if they are private and even more personal information like if they need a specific name that will make them have a greater chance of being able to join undetected those will also be shared there. So even though there is no overt criminal angle on this it's pretty much like you said, just for the lols! There could be some more serious ramifications if this is applied for more sensitive meetings, sensitive government communications, there is definitely an espionage angle that could be extended to it as well.
Emma Woollcott:
Mark, I wonder, how have cybercriminals and fraudsters responded to the pandemic? What are the main problems you are seeing?
Mark Tibbs:
Well, they never let a good crisis go to waste cybercriminals so they have responded as Alex said, really, really quickly. The ways that they have responded and the ways they are doing the attacks hasn’t really changed but the ways they are trying to entice people to interact with things so Alex mentioned phishing emails, we have seen the World Health Organisation and various different regional health bodies as well as tax bodies being impersonated and that started with the promotion 'click here', 'log in here', to steal information and to infect people with Malware and it is increasingly becoming more about using lures that will entice people to click on them by using things such as 'loans', 'business loans', 'personal loans' because people's economic situations have changed. We are also starting to see business email compromise attacks. So this is when attackers are gaining access to email accounts and then diverting funds away to their own criminal accounts. They are starting to use the lure of Covid-19 as well and I suppose what businesses will want to know is, what's next? We have started to see things like malicious apps and they are also using the lures of Covid-19 as well so the businesses will want to know what's next around the corner, what can they expect to tell, how can I tell my staff about what to look out for, those kind of things.
Emma Woollcott:
Simon, can I come to you now. So what are the unexpected effects on cybersecurity for UK business from the pandemic? Have there been any positive impacts? And do you think there will be a lasting impact from the pandemic on security practices for businesses?
Simon Lambe:
Hi Emma, thank you. So I think first of all companies are very much focusing on the availability and the confidentiality and integrity of their systems. I think security teams are having to take a more pragmatic view of security risks. For an example, printing at home, again the focus for the company is very much around the availability of their information. I think the other [impeachment] 6:56 we need to be careful of is the human impact of running campaigns such as phishing tests. We need to get the balance right between protecting our data and increasing the stress levels of very stressed employees already. I think there have been some positive impacts still in this. The amount of collaboration that we have seen across different companies has been really good. A great example of this is the MDR publication of the threat intelligence, indicators and third party security reports. From a lasting impact point of view, I think resourcing levels within the cyber security teams may be impacted by the current financial challenges. I think the longer term view of the companies being able to manage their cyber risk will very much depend on the approach that companies are taking. Are they taking a short term view of this or a longer term view?
Emma Woollcott:
It is interesting I think that the [gangs] 7:43 are seeming to respond to our activities and what we are focusing on now one of the questions that has come in from our attendees Leroy Stanford asks "Have you seen more cyber-attacks or spikes against online supermarkets?" We were discussing earlier on whether there were particular industries that were now more susceptible for example online gaming. So are there trends in where attacks are being focused?
Alex Guirakhoo:
You definitely have people talking about ways to exploit this increased internet traffic. You have more people doing business online, you have more people shopping online so the downside of that is that it could be easier to conduct criminal activity so things like hiding fraudulent transactions, if you're carding a supermarket then it could be easier to hide that fraudulent transaction in the wave of all of the new people that are now using these online shopping methods for their primary sources. Like you mentioned online gambling could be an attractive target for this. You have a couple of services that aren't necessarily use to operating online now that now have an online presence that could possibly have some security lapses associated with it. Things like streaming services – user credentials for those have been commonly shared for the past couple of years and traded on cybercriminal forums but because more people are now using these and often just sharing their accounts with friends and families, there is a danger they could be used to access other accounts that those credentials are shared with.
Mark Tibbs:
Because we are seeing more people using these services that are critical now for their lives , the cyber criminals are really quick to respond to that and I am sure that we will start to see that at some point soon: streaming services, gambling, retail. Those are all the things we kind of expect to see.
Joe Hancock:
It has been interesting as we have been monitoring the threat intelligence landscape during the pandemic. So we saw the first week or two weeks as, you know, if you just look at domain registrations some of which we know to be malicious, everything was either Covid or Corona related. Now we have then seen this move towards starting to target video conferencing applications, so we have seen lots of registrations that are trying to look like Zoom domains trying to look like Webex and I think if you project that forward, we will see two things happen. We will see services that people use at home so online shopping, Amazon, delivery services will probably, I would imagine be the next ones who the criminals will move on to as the lockdown starts to bed in and more people have time at home. The other thing that I think will happen, is people are now going to have more time on their hands as they are not going to be going out and so more people are going to gamble, more people are going to sign up for online services, more people are going to sign up for all sorts of websites, I think we will see another round of credential leaks so a whole load of people are going to have some more security problems, peoples passwords will be lost and then I think we will see a rise in what we call credential snuffing attacks against these services. As the lockdown beds in, you will see criminals start to target things that people are using every day and also some more of these credentials will most probably become available.
Emma Woollcott:
Keith Donald asks "If you think the regulatory authorities could do more to prevent cybercrime, which one step would each of you like to see the regulators take? Good question.
Alex Guirakhoo:
I think that just more international cooperation would probably do a lot of good in this realm. If you have countries that are just going forward and taking the initiative to take this on their own, others might follow suit. You have a lot of cooperation with the FBI, other _______11.19 countries, I just want to see that happen more and more frequently in terms of regulatory authorities really cracking down on the routes of cyber crime would do a lot of good.
Joe Hancock:
Security is still unfortunately viewed as a cost, it is viewed as an after-thought. We need both support and advice but also more punitive regime of regulation I think driving security change as we have seen with Data Protection change.
Mark Tibbs:
If we look at some of the financially motivated cybercrime the biggest losses at the moment come from business email compromise. So my efforts would be working on a way to mandate _______11:56 authentication on cloud based email because that is the one thing that seems to be the biggest problem and by default it tends to be off for most providers.
Emma Woollcott:
We have a couple of minutes before the session is due to end. I just wanted to wrap up by asking each of the panellists for a final comment and summarising what they want their key takeaways to be from this event.
Joe Hancock:
I think my two key takeaways are first of all just working out how you are going to deliver the level of security you need with potentially less people. So having a bit of a think about for an organisation, what do we do now to deliver the same security outcomes if certain things happen, how will we deal with them now? And, the second point, look how things are changing – it's becoming clearer what the look forward is, we can see some problems coming round the corner now is a good time to start preparing for those.
Simon Lambe:
The takeaway for me is very much that the world has not stood still when it comes to cyber criminals and that links to my second point which is just education awareness and just making sure that our user base really understands that the world has not stood still outside and we still need to be worried about this as well as everything else at the moment .
Alex Guirakhoo:
Yes, user awareness is probably one of the most important things that I want to highlight first for pretty much any organisation in any sector, not just for now but in general. My second thing is to use this as a learning experience as well. It is rather unfortunate that this is what has prompted a lot of companies to rethink some of their policies regarding security and work from home policies and such but try to figure out how you could apply that in a post-Covid world. What are the main takeaways you can use from that.
Mark Tibbs:
Mine was also around employees and not letting them forget that security isn't just something that happens in the office it is now something that happens at home as well. In terms of our own business we are making sure that people are aware of all the changing nature of the cyber threats and what they can expect to see so I think that is super important and around educating staff. For businesses, focusing on the priorities to your threat models, so working out who the attackers are that are going to attack you and has that changed because of the world changing and apply those controls proportionately.
Emma Woollcott:
Thank you all, to the audience for joining us today, to our speakers for their insight and their practical advice. For our latest guidance on online content related to Covid-19 you can visit the Mishcon Hub at Mishcon.com/covid19. Thank you so much for joining us and have a nice afternoon and stay safe.