Cybersecurity considerations amidst a global pandemic

We live through unprecedented times. Globally, the coordinated response to the COVID-19 pandemic has led to a large volume of from-home workers that use IT to communicate with colleagues and undertake their work from home.

With many companies implementing national guidance and protecting their workforce during the COVID-19 outbreak, the increased use of Bring Your Own Device (BYOD) and connectivity through shared home-environments is presenting additional risks to the cyber security of these organisations.

We are talking to Dr Surya Nepal, Group Leader and Senior Principal Research Scientist, Distributed Systems Security group, to understand what organisations need to consider when preparing for the majority of their workforce to work from home.

“There are three elements to cybersecurity that need to be considered in order to safeguard IT environments,” he says.

The first is the human element, a behavioural one. “The human is the weakest link in cybersecurity,” he adds.

The COVID-19 pandemic has not only required people to work from home, but social distancing and self-isolation has increased stress levels and anxiety and therefore has made people more vulnerable. This increases the risk of falling victim to phishing attacks or social engineering attacks.

On the other hand, cyber criminals will be looking to exploit people’s fears and we have already seen a rise of Coronavirus-related phishing attacks and hacking campaigns. In fact, the World Health Organization (WHO) already issued a warning to be vigilant about criminals pretending to be the WHO in an attempt to steal money or sensitive information.

Thus, being able to detect those scams and phishing emails is becoming increasingly important in the working from home environment.

“The Human Centric Security team in my group focuses their research efforts in understanding humans and their behaviour in the cyber space”, Dr Nepal says. “For example, if people know that phishing is a cyber threat with the potential to steal their identity and money, why do people still click on those links?”

The team’s research, in collaboration with government agencies, aims to make the governance, management and understanding of cybersecurity more accessible to the Australian audience and making them more resilient. One of their projects, for example, is  ‘Gaming With Cyber Security’, a toolkit of cyber security game experiences aimed to raise awareness and educate a variety of audiences.

But ultimately, it’s up to organisations to help employees stay up to date on the risks and opportunities of this cyber age. In addition, they need to take the time to educate their employees on “cyber hygiene” practices, such as never sharing personal information, credentials of financial information via email.

The second element to ensuring tighter cybersecurity is the technical aspect.

The larger amount of people working from home, the more risk of lesser secure connections being established in these home organisations’ networks. There is also a risk of mishandling sensitive data, such as credentials and password by trying to log in from potentially unsecure personal devices we use at home.

VPN solutions on their own can be risky and research shows that not all VPN solutions are as secure as we think so. Organisations need to be picky when choosing their VPN technology. They also need to offer a multi-factor authentication (MFA) solution to protect VPN accounts from unauthorized access.

However, that may still not be enough, according to Dr Nepal. “Without following a  security-by-design principles, developers might design and implement vulnerable software As a result, many software that we use in our daily life are vulnerable to attacks”

To help developers with designing and implementing software correctly and securely,  Dr Nepal’s team exploits various vulnerabilities and reports mitigating strategies. The team also explores several automated tools targeting those vulnerabilities. One such tool is Smart Shield, a collaboration with Cyber Security CRC, which aims to detect phishing attacks by using advanced Artificial Intelligence and Machine Learning algorithms.

The third factor is establishing proper data and network security governance and policy and making sure employees are well informed and well educated when it comes to connecting to their network or using teleconferencing.

Several different approaches to cybersecurity governance exist, however, they are often generic without the in-depth insight needed to ensure organisations are adequately prepared to mitigate cyber risks or incidents.

Data61’s Human Centric Cyber Security team is focusing their efforts on identifying cybersecurity governance needs and remedies, thus transforming cybersecurity governance.

“The challenge the team is tackling is designing and developing a cybersecurity governance framework that is flexible enough to evolve with a changing threat landscape, replicateable amongst different organisation, but also tailored to each organisation’s needs, taking into account the unique set of attributes that make up each entity,” adds Dr Nepal.

“These are the three fundamental principles of cybersecurity – user, usage and usability – and everything in cybersecurity revolves around those three elements. They should not be looked individually but holistically,” he concludes. Only once all three have been taken into account and implemented can we safeguard our home environments. Going through a global pandemic has the potential to fundamentally change the way we live and work, therefore it’s time to preparing for future workplace needs.