10 ways the pandemic made cybersecurity risks worse

The coronavirus outbreak has not only led to a global public health emergency and worldwide economic disaster, but has also increased cybersecurity risks. 2020 was the worst year in history for data breaches as more records were compromised in 12 months than in the previous 15 years combined.

In the latest Canalys research report, "Now & Next for the Cybersecurity Industry", my colleagues on the cybersecurity research team led by Matthew Ball have outlined many of the ways in which the pandemic has worsened the threat landscape.

1. Hasty shift to remote working opened security gaps

When organizations were forced to quickly implement business continuity measures or risk going out of business, cybersecurity was often a secondary consideration. Bypassing longstanding corporate policies left many exposed to exploitation by threat actors.

2. Digital-first for everything added risk to everyday activities

Digital accelerates both convenience and risk. In 2020, everything that could go digital did go digital. Zoom, Microsoft Teams, WebEx and Chime surged for business collaboration. Google Classroom for education. Shopping dominated by e-commerce. Online banking accelerated. Even social lives went digital as virtual pub quizzes replaced meeting friends face-to-face.

3. The rush to cloud created a complex environment that is difficult to secure

IT perimeters now span multiple public clouds as well as entering each worker's home. Data sprawl has increased. Critical information lives across multiple cloud services and data centers. Cloud infrastructure and software services will be targeted as more data is stored beyond the traditional IT perimeter.

4. The boom in PCs and peripherals provided an endpoint security nightmare

Notebook PC shipments had a record 2020, with shipments surging 17%. Peripherals too -- for example Logitech’s webcam business hit a record high, increasing 138% on a trailing four-quarter basis. Sales of home Wi-Fi routers grew more than 40%. Resellers sold out of home printers and consumables. This served to make traditional IT perimeters more porous. Throw into the mix workers' own unmanaged devices, which may not be running the latest updates and endpoint security.

5. Contact-tracing apps created new attack vectors

Governments around the world rolled out contact-tracing apps in a bid to stem infection rates. But these apps -- as well as mooted vaccine history passports -- create new vulnerabilities to compromise individuals’ personally identifiable information. Software vulnerabilities in hastily developed app raise concerns over security of personal data. For example, a vulnerability in Qatar’s COVID-19 app compromised more than a million national identification numbers and health statuses.

5. Digitization of government services opened up greater risk

Public sector bodies were pressed to make more of their services available online during the pandemic. But hasty digital transformation efforts can lead to security lapses. Breaches of government databases are nothing new. In the last four years, at least 80% of the adult population in Bulgaria, Chile, Ecuador, India, Panama, Philippines, Qatar and Turkey have been compromised in single but separate data breaches. Large proportions of populations in Brazil, Greece, Hong Kong, Israel, the Netherlands, Serbia, Sweden and the United States have also been affected in similar breaches over the last decade. The digitalization of electoral, tax and other government services was the issue in many of these cases.

6. Healthcare sector was under increased pressure from attackers

Telemedicine has never been in greater demand due to lockdown measures, social distancing and pressures on traditional walk-in facilities. This led to more production and storage of digital medical records, accessed more frequently across multiple touchpoints. This increases the risk of breaches. Health records are highly sensitive and highly lucrative datasets, which can command up to 50x more on dark web marketplaces than any other personally identifiable information.

7. Critical industries were more vulnerable to attack

One of the most depressing features of the cybersecurity landscape in 2020 was the rise of ransomware specifically aimed at sectors under the greatest pressure due to the pandemic. Healthcare and education were particularly hard hit. Hospitals were targeted, ambulances rerouted, operations delayed, labs left unable to process tests, medical data made inaccessible. In September, we witnessed the first death directly attributable to a hospital being hit by ransomware after a patient had to be diverted en route to Dusseldorf University Hospital in Germany. Education facilities -- both institutions and students -- were targeted as they increased dependence on digital technologies for operations.

8. Remote working made fraudsters harder to spot

Workers in office buildings typically need an ID card for access. If an imposter steals an ID and attempts to intrude, they will likely be recognized and removed. But a decentralized workforce creates new challenges in identifying who is actually accessing data. Verifying the identity of workers has become even more important in enforcing data access policies as IT goes perimeter-less. It has also become more complex.

9. WFH created fertile ground for phishing

Reports of ransomware delivered through phishing rose nearly 60% in 2020. Phishing campaigns targeted vulnerabilities of unsecured and poorly trained remote workers. Scams quickly targeted workers searching for information on COVID-19. This evolved to imitating cloud-based platforms, services and tools that have been critical in enabling business continuity and remote worker productivity. Then, campaigns began to target workers searching for information on COVID-19 vaccines, as well as arranging vaccination appointments.

10. The surge in online retail became ripe for abuse

Online retail had a bumper 2020. Amazon alone grew sales by 38%, an astonishing rise for a company with revenues already in the hundreds of billions. But scalper groups have also taken advantage of the growth in online retail. The highest-profile target was the launch of next-generation gaming consoles, such as Sony’s PlayStation 5 and Microsoft’s Xbox X and S series. Pre-orders for the launches were exclusively online. Large amounts of limited stock were captured by bots and resold on auction sites at a high mark-up. While not necessarily illegal in most countries, the proceeds could be funding other malicious cyber-activity.

Part 1 of the report was published this week and is available to download here for free. Find out more about Canalys Cybersecurity Analysis research.