2020 wasn’t the first year where a virus emerged causing large-scale disruption and opportunities for cybercrime. It was, however, the first time that the virus in question wasn’t created by cyber criminals. But that certainly didn’t stop them from exploiting it.
Our cyber security review of 2020, therefore, has to start with how the COVID-19 pandemic impacted cyber crime and how the NCSC responded. We also include some of our content on the risks to homeworkers and SMEs, covering the creation of the National Cyber Force, of interest to the defence sector, and share new research on easy-to-guess passwords and data breaches. Different year, same old mistakes.
How quickly the landscape changed
We all returned to our offices in January as a new decade began. In early February we started to hear more about a virus from a city in China that might be getting out of hand. We found the videos of the Chinese avoiding handshakes and doing the ‘Wuhan shuffle’ mildly amusing. And then all hell let loose.
March saw huge numbers of daily fatalities as the virus spread to Europe and the UK was soon in lockdown, or ‘Lockdown #1’ as we now call it. As we became homeworkers almost overnight a new term ‘furloughing’ entered our vocabulary. But no one furloughed the cyber criminals.
Homeworkers – a new gateway to your data
While many organisations had already embraced the flexibility of home working, the impact of COVID-19 meant others were faced with quickly making it work – and without warning. In the rush to enable businesses to function remotely, it was inevitable that the security risks would increase. Where there’s confusion, there’s usually a cyber scam ready to exploit it.
As reported by The Guardian, the proportion of attacks targeting home workers increased from 12% of malicious email traffic before the UK’s lockdown began in March to more than 60% six weeks later.
Attacks on homeworkers grappling with unfamiliar IT systems engaged all the usual suspects: email scams, fake requests to reset virtual private network (VPN) accounts, spoof emails mimicking IT departments asking workers to download ‘new software’ they’d need to work from home, fake furlough websites – the list went on.
Ascentor has often stated that humans are the biggest threat to cyber security – the pandemic has only reinforced that. If ever there was a case for building a cyber-resilient workforce where it’s understood that cyber security is everyone’s responsibility, 2020 provided all the evidence we could need.
As employers have now realised, home working is here for the long run. According to itproportal.com (Nov 2020), as much as 95% of the UK workforce now logs on from home. To be effective, our cyber security has to meet the needs of the new remote era of work.
Ascentor’s remote working content
The impact of home working on cyber risk led to several blogs across the year – all equally valid now.
In July we covered Managing good cyber security when working from home – what employers need to know. In September we focused on another area of risk, the Cyber security myths home workers fall for and we carried on the myths theme in October with Cyber security myths putting SMEs at risk.
How the NCSC responded to the pandemic
As their annual report states, “Much of the NCSC’s work this year revolved around the COVID-19 outbreak, which required a government-wide response. The NCSC’s multi-faceted role included giving advice to an increasingly digitally active and dependent public, fixing vulnerabilities and responding to threats emanating from the pandemic.”
More than 200 of the 723 incidents the NCSC handled this year related to COVID-19. Many of the 22,000 malicious URLs taken down as a result of the NCSC’s ‘Suspicious Email Reporting Service’ related to scams, such as pretending to sell PPE to hide a cyber attack.
Protecting healthcare and the NHS was the NCSC’s top priority: more than one million NHS IP addresses were supported, over 160 high-risk and critical vulnerabilities were identified and shared, and threat hunting was performed on 1.4 million endpoints. Not surprisingly, the NCSC identified a variety of tools and techniques aimed at pharmaceutical companies, including spear-phishing and custom malware attempting to steal valuable IP.
As we write, reports are emerging of the international vaccine supply chain being targeted by cyber-espionage, according to IBM, who believe the sophistication of the attacks suggests a nation state. The attack demonstrates that, as well as working to protect others, pharmaceutical companies also need to protect themselves when it comes to cyber threats.
Creation of the National Cyber Force
November saw the announcement of a £16.5bn increase to defence spending with £1.5bn of this being an investment in the country’s cyber security defences and offensive capabilities. The creation of a National Cyber Force will bolster the UK’s ability to fight cyber criminals on a large scale. It will counter threats from terrorists, criminals and hostile states.
The establishment of a National Cyber Force is essentially a practical ‘next step’ in a world of uncertainty. Understandably, not all details have been released but, as reported by the BBC, it will see MI6 officers working alongside both GCHQ and the military as part of a new unified command. The ambition is to grow the force to about 3,000 in the next decade.
A £1.5bn investment in UK cyber security is substantial – but it may take some time before that investment trickles down to private enterprise. What’s more, while the UK may be ramping up investment to tackle global threats from nation states, businesses shouldn’t be deterred from managing their own cyber security. There are still many hackers who are not associated with governments and pose an equal threat to businesses. Cyber criminals are opportunists; they don’t care where the money comes from. The threat to businesses of all sizes remains very real.
The worst passwords of 2020 – is it time to change yours?
Would you share your password with thousands, even millions? Of course, you wouldn’t want to, but, according to research by NordPass, a shocking number of us do. They found that the top five passwords have over 4.5 million users among them and they account for more than 38 million combined exposures in data breaches. Moreover, all of these passwords, except “picture1”, could be cracked in less than a second.
Seven out of the top ten worst passwords were made up of various numerical combinations, with “123456” in top place. Last year’s winner ‘password’ fell to number 4 this year. Old favourites like ‘qwerty’ and ‘iloveyou’ still made it into the top 20. It confirms that, for far too many of us, our passwords are as useful as a chocolate fireguard.
Ascentor has written guidelines to make passwords really difficult to crack. It’s always worth a read.
2021 – what’s on the horizon?
So farewell 2020. As for 2021, what lies ahead? Well, there’s that small issue of the end of the transition period towards Brexit for starters. As we write, an exit deal is still in negotiation but, even though cyber security may not be in the headlines, the impact of Brexit on the UK’s cyber defences has already started. We’ll be back in January covering some of the issues we think will shape cyber security in the coming year.