Why COVID-19 will trigger faster, wider adoption of cyber hygiene principles

Byron Acohido 1 May 2020

We have the security tools, frameworks and even regulations to implement robust data security – for companies and consumers

Long before COVID-19, some notable behind-the-scenes forces were in motion to elevate cybersecurity to a much higher level.

Over the past couple of decades, meaningful initiatives to improve online privacy and security, for both companies and consumers, incrementally gained traction in the tech sector and among key regulatory agencies across Europe, the Middle East and North America. These developments would have, over the next decade or so, steadily and materially reduced society’s general exposure to cybercrime and online privacy abuses. 

Then COVID-19 came along and obliterated societal norms and standard business practices. A sweeping overhaul of the status quo – foreshadowed by the sudden and acute shift to a predominantly work-from-home workforce – lies ahead. 

One thing is certain, as this global reset plays out, cyber criminals will seize upon fresh opportunities to breach company and home networks, and to steal, defraud and disrupt, which they’ve already commenced doing.

Yet there are a few threads of a silver lining I’d like to point out. It is possible, if not probable, that we are about to witness an accelerated rate of adoption of cyber hygiene best practices, as well as more intensive use of leading-edge security tools and services. And this positive upswing could be reinforced by stricter adherence to, not just the letter, but the spirit of data security laws already on the books in several nations.

There is an urgency in the air to do the right thing. Several key variables happen to be tilting in an advantageous direction. Here’s a primer about how cyber hygiene best practices – and supporting security tools and services – could gain significant steam in the months ahead, thanks to COVID-19.

Regulatory baselines

For companies, cyber hygiene has never been rocket science. There is, in fact, deep consensus about how to protect sensitive data and ensure the overall security of corporate networks. This body of knowledge has been thoroughly vetted across the global cybersecurity community over the past two-plus decades. A prime example is the National Institute of Standards and Technology’s (NIST) cybersecurity frameworks, a comprehensive cyber hygiene roadmap applicable to businesses of all sizes and in all industries 

The trouble is the NIST guidelines are voluntary. Still, over time, they’ve been woven into baseline data security regulations far and wide. NIST specs are echoed in the data loss disclosure and data privacy laws that have cropped up in many U.S. states, for instance. And they inform the EU’s detailed General Data Privacy Regulation (GDPR), as well as the prescriptive cybersecurity regulations pioneered by the Middle East. 

It’s notable that leadership for implementing prescriptive data security regulations came from federal regulators in the Middle East. Somewhat quietly since about 2012 or so, nation states in that region, led by Saudi Arabia and the United Arab Emirates, commenced a quiet surge to the forefront of implementing comprehensive cybersecurity regulations. An unanticipated negative force spurred them to take action: wave upon wave of deep, egregious breaches of their industrial infrastructure, especially oil refineries and power plants.

The Shamoon “wiper” virus, for instance, devastated Saudi oil company Aramaco, destroying the hard drives of more than 30,000 Aramaco computers and forcing a weeklong shutdown of the company’s internal network. Shamoon motivated the Saudis to seriously ramp up the work of its National Cyber Security Center.

In May 2017, the Saudi Arabian Monetary Authority (SAMA) rolled out its Cyber Security Framework mandating detailed data security rules, including a requirement to encrypt and containerize business data in all computing formats. A few months later the UAE stood up its National Electronic Security Authority (NESA) which proceeded to do much the same thing.

Rules with teeth

This fast-tracking of Middle East cybersecurity regulations unfolded as the European Union was putting the finishing touches on its tough new data privacy and data handling rules, with enforcement teeth, set forth in GDPR, which took effect in May 2018. One consensus tenant that emerged from this whirlwind of rule-making in the ME and EU was the requirement to “containerize” business data, that is keep data encrypted at all times, in servers on premises, in cloud storage, on PCs and on all mobile devices.

After their industrial infrastructure got heavily breached and infected, the Middle East suddenly got religious about encrypting and containerizing all business data. It took US regulators until January 2020 to essentially followed the Middle East’s and Europe’s lead --  by implementing sweeping new data handling rules for government contractors -- referred to as Cybersecurity Maturity Model Certification (CMMC.)  So as of a few months ago, the US now requires data containerization along much the same lines as Saudi Arabia and the UAE first mandated in 2017.

The implementation of CMMC represents a sea change from past U.S. federal data handling rules for contractors, for which compliance was by-and-large voluntary. CMMC almost certainly will result in better protection of our national security. Perhaps more importantly, CMMC is likely to spur improvements throughout the private sector. The practices of government contractors typically get adapted universally, over time. COVID-19 should scale up the adoption curve for robust data security.

Consumers’ burden

For individual consumers, staying safe online has never been rocket science. Since the earliest iterations of email spam and predatory pop-up advertisements, consumers have been bombarded with common-sense advice to keep their anti-virus software updated, use strong passwords and be very cautious about clicking on email attachments and webpage links.

That basic advice continues to hold very true today, even more so. Add to that widespread warnings to use social media circumspectly. Everyone, by now, ought to be cognizant of the fact that blithely sharing details about one’s preferences and contacts plays directly into the hands of criminal operatives: personal details fuel targeted phishing campaigns.

Digital commerce evolved in such a way that individual consumers bear the brunt of burden for protecting their own digital footprints. And yet, it remains true today that most folks do not take that responsibility seriously enough.

That shortfall can be seen in windfall of criminal profits. Ransomware hacking groups extorted at least $144.35 million from U.S. organizations between January 2013 and July 2019. That’s the precise figure recently disclosed by the FBI -- the true damage is almost certainly a lot steeper, given only a portion of cyber crimes ever get reported to law enforcement.

What’s more the FBI reports that Business Email Compromise (BEC) accounted for an estimated $26 billion in cybercrime-related losses over a three year period. In a typical BEC scam, an imposter carries out a con to persuade a subordinate employee to wire funds directly into a bank account controlled by the fraudsters.

Ransomware and BEC attacks pivot off social engineering that begins with criminals using search engines and haunting social media sites to gather intelligence about a specific employee at a targeted company. Our lackadaisical attitude about guarding our digital footprints and our propensity to overshare stand out in high relief. COVID-19 related phishing attacks and cyber scams that run the gamut have been scaling up since the beginning of the year – and this is only the beginning. The dramatic shift to work-from-home scenarios has opened up myriad new opportunities for hackers and scammers.

Post-COVID-19 reset

Let’s face it, the line between using computing devices for personal vs. work activities has now been blown out of the water. Pre-COVID-19 security regimes aren't valid anymore. We know from the way the BYOD craze has played out that companies will respond methodically, i.e. much too slowly. And that means any near term mitigation of flaring post-COVID-19 exposures  has to originate with individual users.

More so than ever, individual employees must shoulder the burden; each one of us must emphatically embrace cyber hygiene, starting with jealously guarding one’s digital footprint. This is doubly true for workers sliding into the expanded work-from-home workforce. 

The good news is that we are well-positioned to do this. All of the vetting best cyber hygiene practices; all of the advances made to security tools and services; all of the implementations of data security regulations over the past 20 years can be brought to bear on the post-COVID-19 reset. 

Two meaningful steps every person can take, right now, is to begin routinely using a password manager and encrypted browsers. Beyond that, use social media judiciously and exercise extreme caution clicking on any email attachments or any webpage link sent your way.

Cyber hygiene isn’t difficult. If we are to flatten post-COVID-19 cyber attacks, these online habits need to become as routine as washing hands and social distancing.

--> -->