Chapter 3
What the COVID‐19 Pandemic Did to Cybersecurity and Third‐Party Risk

The pandemic, resulting lockdowns, travel restrictions, and behavioral changes are going to leave a lasting imprint on our lives, businesses, and governments. Because of these immediate effects, cybercriminals quickly acted, swinging their focus and efforts to exploit the panic and confusion surrounding COVID‐19. As months passed and other news shaped events, these bad actors continued to change their tactics and messages based on that news. Cyber incidents increased as the focus centered more on how to make the most money and create the most damage during COVID‐19. As vaccines are administered and lockdowns begin to end, early data suggests that these trends will continue even after lockdowns lift and travel returns to normal. What's considered “normal” will be different, and those modifications mean more workers being online and connected, which will lead to more surface area (i.e., more connections + more online users = more targets) for attack.

The Pandemic Shutdown

On March 19, 2020, the first lockdown orders began rolling across the United States. Much of North and South America, Europe, and most of Asia was on a similar trajectory or had already locked down. The rush to send employees to work from home had begun, including all the risks associated with an unplanned massive workforce relocation. While some companies had pandemic plans and/or natural disaster plans set in place to deal with a pandemic, the vast majority were not prepared for a pandemic of this size and scale. When the governmental aid started flowing to citizens in need, the inevitable cybercriminals and hackers took advantage of the opportunity. Everyone's locations and routines were uprooted, which led to security risks being overlooked or unknown.

Prior to mid‐March 2020, most cybercriminals focused on where the money is: financial institutions. If criminals wanted data, the easiest targets were often healthcare providers, local governments, and schools because they typically had lower information security budgets and resources. However, the COVID‐19 pandemic, with its government‐supplemented money and huge disruption to normal work‐home life, had these bad actors pivoting their tactics and preying on the changes, fears, and misinformation swirling around the pandemic. Many switched to coronavirus‐themed phishing campaigns as well, as ways to extract any relief monies from banks, governments, and the intended recipients.

Several manifestations of this increase in activity could be found. First, hundreds of malicious domains began mimicking legitimate COVID information and relief sites. Cybercriminals use these sites to launch spam and phishing campaigns or to spread malware. Such malware is on the rise as cyberattackers use the pandemic to hide malware in coronavirus websites and maps and use spam emails to fool users into downloading malware. Ransomware is being pushed to hospitals, schools, universities, medical institutions, and local governments as they are overwhelmed by the health crisis. The Federal Bureau of Investigation (FBI) Cyber Division reported up to 4,000 complaints a day—a 400 percent increase from pre‐COVID days. Interpol reported an “alarming rate of cyberattacks aimed at major corporations, governments, and critical infrastructure.” Microsoft reported that COVID‐related phishing and social engineering attacks increased to 30,000 per day.

COVID is the biggest cybersecurity event in history. Forty‐seven percent of employees have fallen for a phishing scam due to at‐home distractions. Seventy‐six percent of companies reported that remote work increases the time to contain a breach. Working from home (WFH) has increased the average cost of a data breach by $137,000. Over 200,000 networking attacks occurred in Asia‐Pacific (APAC) from January to July in 2020. Scams grew by 400 percent in March of 2020, with Google blocking 18 million daily malware and phishing emails in April of 2020 alone. IBM reported that the United States had the highest cost of breaches at $8.64 million, but the impact with cyber threats was increasing globally. More concerning were the June 2020 statistics published by SC Media that 65 percent of a cross‐section of industries reported they had zero‐to‐minimal compliance with data privacy and security regulations, while a further 27 percent said they were only partially compliant with the same regulations.

Our discussion earlier of compliance not equaling security is relevant here given these statistics. A large portion of the business community admits that data privacy, security regulations, and compliance are either not done well or not done at all. Being compliant is merely a snapshot of the completion of a requirement and does not mean that the information security program and activities are continually securing data and systems. If 27 percent of industries are only partially complying with regulations, and 65 percent are not complying at all, the gap for actual cybersecurity being performed as a practice is well below those numbers.

The pandemic lockdown that sent millions to perform work, school, and other activities from home was a monumental shift that occurred incredibly fast, and was messy in some cases. Poor cybersecurity practices and processes were exposed as the number of breaches and security incidents increased exponentially. While vaccines are being deployed and the anticipation is that life will return to a new normal, questions still linger about which changes (started in 2020) will continue. Such changes will continue to be high risk to cybersecurity and third‐party risk on organizations, work, and school life for years to come.

Timeline of the Pandemic Impact on Cybersecurity

Events happened fast in early 2020, and some of the resulting changes are now considered part of our everyday lives. A large percentage of the workforce will continue working from home well into 2021 and beyond. Some companies, in fact, have opted to shift their workforce to being all remote. Let's look at the pandemic timeline to see what transpired, including notable cybercrime events, and to understand how quickly hackers adapted and exploited the events. To distinguish from COVID‐related events, cyber events appear in bold. Watch as the pace and number of these cyber events builds:

  • December 31, 2019: The first reported case to the World Health Organization (WHO) of an unknown pneumonia case is seen in Wuhan, China.
  • January 7, 2020: Researchers in China announce a new (novel) coronavirus.
  • January 10–20, 2020: The first phase of moving employees to work remotely begins, with about 10 percent working from home by late January.
  • January 21, 2020: The first case of COVID‐19 is reported in the United States.
  • January 29, 2020: A Japanese‐language spam email pretending to be from a public health center is the first known instance of cybercriminals using COVID as a means to hack. MUMMY SPIDER distributed the Emotet malware, which was originally developed as a banking trojan. This malware spreads like a computer worm, infecting other systems in the network. MUMMY SPIDER is a criminal cyber gang linked to the development of Emotet.
  • January 30, 2020: WHO declares that COVID‐19 is a public health emergency of international concern.
  • February 2, 2020: Advanced Persistent Threat (APT) actors begin using COVID‐related lures in phishing campaigns.
  • February 6, 2020: In China, two types of ransomware are distributed using a COVID‐19 theme to fool victims into downloading the malware.
  • February 15, 2020: Cybercriminals send out phishing scam emails pretending to be from WHO.
  • February 28, 2020: The RSA Conference is held despite many sponsors pulling out at the last minute. Many attendees later test positive for the virus.
  • February 29, 2020: The first reported death occurs due to COVID‐19 in the United States.
  • March 9, 2020: A “Coronavirus Map” application, which is actually malware that includes AZORult, is released. AZORult is a trojan designed to scoop up sensitive information.
  • March 11, 2020: WHO declares COVID‐19 a global pandemic.
  • March 20, 2020: An email extortion campaign is launched globally threatening to infect receivers unless they pay a bitcoin ransom.
  • March 20, 2020: The U.S. FBI's Internet Crime Complaint Center issues a public warning on the rise in cyber fraud due to COVID‐19. Another variant of the attack in the U.K. offers the recipient free school lunch if they click on the link.
  • March 24, 2020: U.S. and U.K. residents receive short message service (SMS) text messages informing them that they must take a “mandatory” COVID‐19 preparation test and pointing victims to a website that downloads malware.
  • March 31, 2020: Thousands of Skype credentials are stolen using a pandemic‐themed phishing campaign.
  • April 1, 2020: Microsoft sends out a warning to hospitals about the rise of ransomware attacks due to weak security surrounding virtual private network (VPN) use in that industry.
  • April 3, 2020: Half of all working Americans are working from home.
  • April 10, 2020: A successful phishing campaign in Spain uses a COVID‐19 remedy as bait.
  • April 16, 2020: Google releases information reporting it has blocked over 18 million COVID‐related emails containing malware or phishing attempts in the week prior.
  • April 19, 2020: In the United Kingdom, a fake email tells recipients they can receive job retention payments by clicking a link, which directs them to a malware download.
  • April 30, 2020: Dozens of pandemic‐themed phishing and ransomware attacks are discovered in late April. Many leveraged the unknown and panic with emails concerning the Family and Medical Leave Act (FMLA), Paycheck Protection funds, and the delivery of parcels to the home.
  • May 6, 2020: U.S. and U.K. cybersecurity agencies announce that APT state actors are attempting to hack into healthcare and medical research facilities that are fighting the virus or developing vaccines.
  • July 15, 2020: Twitter accounts for Elon Musk, Bill Gates, Barack Obama, and others are hacked into using a social engineering technique.
  • August 5, 2020: Interpol joins the chorus of global law enforcement declaring that an increase in cybercrime is likely as a vaccine approaches.
  • August 20, 2020: Cybercriminals posing as contact tracers for COVID‐19 scam credit card and bank account information from thousands of victims.
  • October 21, 2020: The Canadian government warns of a new COVID‐19 scam incorporating phishing emails supposedly from the government that are intended to steal personal information from the recipients.
  • November 9, 2020: The first effective COVID‐19 vaccine is announced.
  • December 3, 2020: IBM warns it has seen evidence that companies and governments are being targeted by unknown attackers, prompting a rare warning by the Department of Homeland Security.
  • December 8, 2020: FireEye's internal testing team is targeted by a sophisticated APT that is thought to be a state actor.
  • December 13, 2020: FireEye makes public the details of the SolarWinds attack.
  • December 14, 2020: The first COVID‐19 vaccines are administered to the U.S. public.

This list mentions just some of the notable cyber events; to list them all would take numerous pages. Thousands of other cyberattacks and schemes occurred from December 2019 and are still ongoing. The preceding timeline merely illustrates how quickly the cybercriminals and APTs adapted and pivoted to exploit new vulnerabilities and weaknesses caused by the pandemic.

In many cases the cybersecurity industry is still evolving and trying to catch up. However, it's much easier for the cybercriminals to simply alter their targets and tactics. Corporate and government information security personnel, processes, and systems are usually slower to evolve, which presents a unique challenge to post‐pandemic trends and changes.

Post‐Pandemic Changes and Trends

Will this level of cyber activity continue, or will it return to pre‐pandemic levels later in 2021 as more people are vaccinated and herd immunity occurs, enabling life to return to normal? It's likely there will be a new “normal,” and that life will not return to the pre‐pandemic normal. While cyber activity might not be at the level it was when full‐blown lockdowns were in force, many companies, consumers, and employees have altered their behaviors and won't return to the former. Many companies have shifted their workforces to all or a larger portion working remotely than before. Consumers have changed their habits permanently, opting more and more for online shopping than from traditional brick‐and‐mortars. All these habits, which before were performed in person, are now going to be performed virtually, enabling cyberattacks to continue as the attack surface increases.

As this increased cybercrime and hacking continues into the foreseeable future, combined with the damning statistics of how few companies perform proper due diligence and due care for their data and connectivity to vendors, we will continue to see breaches and security incidents growing at the current pace. This necessitates a more aggressive and cybersecurity‐focused approach to third‐party risk.

Once the lockdowns end, our new normal will begin, creating new changes in many areas. The following descriptions are not predictions, but ideas built on the trends seen building toward the end of the pandemic. While these trends are not going to continue to grow at the same pace, the changes from COVID‐19 are widely thought to have moved much of life to where it would have been 10 years or more from now, had it not been for the pandemic. For example, prior to the pandemic, only 17 percent of the U.S. workforce was remote. During the pandemic, it was as high as 47 percent. This percentage will increase past the pre‐pandemic 17 percent. Changes to how lives are conducted post‐pandemic will shift from an in‐person lifestyle to less interaction and a more online, connected work and life presence. This increased amount of web and network traffic increases attack surface for the cybercriminals and APTs.

Work‐Life Changes  When the pandemic hit, millions of workers were sent home. Adobe, Aetna, Amazon, Ancestry.com, Capital One, Coinbase, Facebook, Gartner, Infosys, Mastercard, Microsoft, Nationwide Insurance, Nielsen, PayPal, Raytheon, Salesforce, Shopify, Siemens, Slack, Smartsheet, Square, Twitter, Upwork, and Zillow have all changed to work‐from‐home permanently, or for at least much of 2020 and into 2021. Working from home will continue as employees realize its benefits and some employers decide that the risks of the once popular open floor plan are not ideal for the future.

Gaining popularity in the 1980s, these large open commercial spaces were believed to foster teamwork and better communication. The layout flexibility gave companies the ability to modify as their company size changed. Lastly, these were very cost‐effective solutions for businesses as long tables took up less space and housed more workers, and cubicles cost thousands of dollars each. By 2017, 70 percent of offices had adopted this open design.

However, this open office plan adoption had its downsides—noise levels grew and privacy was nonexistent. Now the problem is the inadequacy of the ventilation systems against disease. For example, on February 25, 2021, in a Korean call center, one of its 216 employees had flu symptoms. The Korean CDC performed contact tracing for the center's workers and found that nearly half the employees had become infected. The contact tracing further indicated that the virus jumped across the office, causing 94 of the 216 workers to become COVID‐19 positive.

Companies are most likely to adapt such open spaces not with a major remodel, but by making tweaks. The first goal will be to reduce density, reducing the work area from 10 workers to a table to 5 or less, as increased space between employees is the social‐distancing goal. Clients will not be placed into a conference room deep in the office space but nearer to the entrance or in another space away from staff. All‐hands meetings will not occur in person but using a combination of remote and in‐person attendance. Elevators that once held 15 people will be counted full at 5 people. This reduced occupancy can result in more employees working from home or a reduced occupancy rate that will require companies to not have all employees returning to work.

Long before the pandemic, many high‐tech companies, like Yahoo, had embraced working from home, and had pushed for some employees to work remotely. (Prior to the pandemic, 17 percent of the tech workforce was remote, rising to 40 percent during it.) However, in 2013, Yahoo CEO Marissa Mayer banned working from home, going so far as to tell those who wouldn't make the adjustment that they should find other work. There was an impression among many, outside Yahoo as well, that remote working is not conducive to collaboration or good management.

Yet, the trends during COVID paint a different picture as companies and employees deal with the inevitability of working remotely for a long time. Studies indicated that of the workers new to working remotely, roughly 40 percent wanted to return to the office. However, the other 60 percent wanted to stay full‐time or part‐time working remotely. The workers new to remote work have had a difficult time adjusting to the distractions of home: needy pets barking, children requiring help with schooling, and no designated office space.

Some of these distractions will lessen over time. Children will return to school and daycare. Pets over time become used to the sounds of working from home as well. Designated work space may continue to be a challenge, but with the schools reopening it will be a lesser problem. New remote personnel will overwhelmingly enjoy their increased family time, flexibility, and work‐life balance advantages. On the downside, only 15 percent of new remote workers reported a greater sense of well‐being, and 32 percent reported being frustrated with remote work due to burnout.

This remote work trend also provides another increased attack surface: collaboration tools. The increased use of WebEx, Zoom, Microsoft Teams, and other video conferencing tools gives attackers more targets. In the pandemic's early days, malicious actors were “Zoom‐bombing” meetings due to Zoom's lack of meeting access passwords and easy‐to‐guess meeting links. The results were predictable: Strangers, often with bad intent, “bombed” a meeting and yelled obscenities or spied on the conversations. Expect this area to be a target for cybercriminals going forward.

Shopping Changes  Changes in shopping behavior will likely be more significant and permanent than remote work. Trends that began before the pandemic and accelerated in 2020 are now viewed as having more staying power, judging by continued consumer behavior. Touch‐free shopping and the dying of malls are both opportunities for cybercriminals.

Touch‐free shopping sharply contrasts with pre‐pandemic shopping. Previously, you could walk into a big‐box or grocery store and sample everything from food to cologne. Checking out meant swiping a debit card and punching in your personal identification number (PIN). Changes made to shopping are near permanent. Touchless payments, either via a smartphone or with a smart debit card, are being rolled out by card issuers and the retailers themselves. Retailers are expanding this as well. For example, Price Chopper, a smartphone application that allows shoppers to scan and go, is now used by several grocery chains. Walmart is pushing its Scan & Go mobile app, enabling customers to ring up purchases on their smartphones.

Gone are the samples of lipstick at the makeup counter or the meatballs as you roam the aisles at the grocery store. Lowe's Home Improvement stores are installing lockers where online shoppers can retrieve their purchases without even interacting with an employee. Numerous grocery stores are pushing parking‐lot delivery services, which end in‐store interactions. Curbside pickup has become the new normal for many retail and restaurant customers. GlobalData reports that 68 percent of U.S. shoppers will use curbside pickup and another 60 percent indicated they will collect online purchases from inside stores in the future.

The trend from mall and department store shopping to online shopping was already occurring well before the pandemic; lockdowns and behavior changes simply rushed it forward by years. Malls and department stores had already been struggling when they were forced to shutter in March 2020. Brooks Brothers, Lane Bryant, Ann Taylor, Chuck E. Cheese, Century 21 Stores, GNC, Guitar Center, J.C. Penney, J. Crew, Lord & Taylor, Neiman Marcus, Pier 1, Stein Mart, Men's Wearhouse, and Joseph A. Bank, among others, all filed for bankruptcy protection as the lockdowns during the pandemic sped up their decline. Many may not survive through Chapter 11 proceedings and will cease to exist. Some malls may reopen, but eating at a crowded food court or watching a movie at a theater will be impacted for a long period to come. Coresight Research predicts up to 1,000 U.S. malls will close within five years.

Who was the winner during the global pandemic? Online retailers, whose accelerating adoption is global. It's predicted that China's online sales will comprise over 27 percent of retail sales in 2021, with the United Kingdom at 19.9 percent, and the United States at 16.2 percent. eMarketer predicts online sales will increase over 32 percent in 2021, while traditional brick‐and‐mortar sales will shrink by 3.2 percent. Compare these numbers to 2019, when online commerce grew by 14.6 percent and brick‐and‐mortar grew by 1.5 percent. These trends will dip lower post‐pandemic, and 30‐percent year‐over‐year growth in online commerce is not expected to repeat for 2021; however, the trend accelerated greatly due to the pandemic and will not return to pre‐COVID levels. This increased amount of online shopping will increase the targets for cybercriminals.

School Instruction Changes  The way students learn has been forever changed, from being in class to a more remote learning style, also resulting in an increased attack surface. The initial response for most primary and secondary schools was to close and perform remote instruction when possible. However, the technology divide became obvious very quickly as areas with low online adoption and limited broadband access prevented or slowed the ability to teach remotely.

Such changes for educational instruction are similar to those found in the workplace. Cramming a bunch of students into shared spaces like before will not be welcome, despite a vaccine being available. While the number of K‐12 students who remain remote will not be at the same level post‐pandemic, many trends point to some parents choosing private school or homeschooling at numbers greater than pre‐pandemic. Additional online students learning from home also increase the target surface area for cybercriminals.

Another likely trend to increase is the push to move broadband access into previously underserved areas. The rush to educate via remote learning demonstrated that several areas simply could not support the effort due to lacking infrastructure (i.e., broadband access, Wi‐Fi availability, and a lack of access to internet‐connected devices). Increasing internet access is a necessary and worthy goal, but more participants on the web also increase opportunities for cybercriminals.

One possible beneficial change is the increased demand in technical employment in areas such as cybersecurity. The cybercriminal and security incident uptick is driving this increased demand for these professionals. As current working professionals and students make career choices, this demand will drive up salaries and increase student draw to the field. Unfortunately, the time it takes to become a skilled security professional is not quick, so it's likely this will be a lagging indicator; changes in the tech workforce will unfortunately increase slowly over time. As a result, this lag will give cybercriminals more time to exploit this gap in resources.

Supply Chain Changes  The pandemic lockdown disrupted numerous supply chains. Shuttered factories, disrupted shipping routes, and remote workforces meant many companies struggled to fulfill orders. Many had to rethink and redesign their approach, which likely will impact how Cybersecurity Third‐Party Risk is managed. Changes in how supply chains are handled and enabled to grow will be slowly implemented.

Regionalization, where certain regions are self‐sufficient in terms of deliverable goods, will likely be a notable trend. Rather than relying on global supply chains to deliver goods globally, regions will be self‐sufficient in their particular area. Therefore, if there is an impact in an area due to another pandemic event, it will only affect that region. Others could continue operations without issue. Onshoring, where production is moved back from being overseas, likely will be another trend. Survey results from The Institute for Supply Management indicated almost 25 percent of companies would be bringing operations or manufacturing onshore. Changing these during a lockdown and travel bans is very difficult; however, the work to change the span and size of their supply chains has begun.

Cybersecurity's impact on these changes has yet to be seen, given that such changes have either not been completed, or even started, in some cases. Onshoring work and production to its home country can lessen the impact of performing due diligence on offshore vendors. However, splitting up the production for regionalization likely will increase the attack surface as production is farther spread out.

Lifestyle Changes  Lifestyle changes have become more digital than prior to COVID‐19 and will remain that way. How we cook and eat, view entertainment, and perform physical activities have all permanently changed in ways that add risk. Unlike working from home or remote education, these changes are not directly connected to a Cybersecurity Third‐Party Risk for all organizations. However, our increased online activity and changed behaviors create an increased attack surface.

Before the pandemic, telemedicine was barely a blip on the radar and mostly used for patients who had difficulty traveling or who were located far from medical personnel. The lockdown, however, necessitated remote medical appointments for those needing normal checkups and other issues besides the flu. Telemedicine use increased 154 percent in March of 2020, and its increase of use into the fall season from previous years approached 50 percent. This increase in telemedicine is not confined to doctor's visits but also includes an increase in online prescription orders and the monitoring of remote medical devices by a doctor or nurse over the internet. This online activity increase in the medical field increases risk as the healthcare field has had a high incidence of ransomware attacks. Healthcare has been a target of cybercriminals for a while, and this rise in activity will also provide more opportunities for bad actors.

Home‐delivered meals, which originate from online activity, have taken off since the pandemic began. Blue Apron, Hello Fresh, and Plated all started around 2012 in the United States, with their initial customer base being older millennials with disposable income. The pandemic, however, increased their user base as more people who were seeking convenience began cooking at home. This is not a huge growth area, but there has also been a rise in the use of restaurant and grocery store meal kits into this space. This activity all takes place online and shifted from previous dining out. The move to online transactions for meal kits is one more avenue for cybersecurity bad actors to exploit.

Streaming video was already on track to increase in popularity pre‐pandemic, and cinemas were seeing declining attendance as binge‐watching became the new normal. Many cinemas closed and have yet to reopen. Regal Cinemas filed for bankruptcy, and AMC is facing it but raising capital in the hope to avoid it. Even after the lockdowns have ended and a vaccine is fully implemented, there will be even fewer options to enjoy a theater experience. The big four streaming services (Netflix, YouTube, Hulu, and Amazon) saw huge increases during the pandemic, growing their subscription bases. This increased subscriber base opens up even more online areas for cybercriminals.

Other lockdown casualties were the local health clubs and gyms. Many either closed for months, went out of business, or continue to struggle. Large fitness chains began offering online streaming fitness classes. The sale of at‐home exercise equipment, such as Peloton, iFit, Mirror, and others, grew exponentially. This equipment is not cheap, and much of it requires a monthly subscription. These online transactions for such fitness equipment and services are great targets for cybercriminals. First, the purchase of expensive equipment and continuing subscriptions are likely tempting for hackers seeking victims with deep pockets. Second, the equipment vendors themselves provide a great target, given they have a customer base that is generally affluent and online.

Although these changes may not directly relate to Cybersecurity Third‐Party Risk, they do offer an increased attack surface that will alter cybercriminal behavior. This altered behavior will focus on areas where data and money can be stolen. Whether it's working remotely, studying remotely, buying groceries for curbside pickup, or ordering meal kits for delivery, all these activities involve internet traffic that is subject to attack and will lead to more security incidents.

Regulated Industries

Several industries are highly regulated where Third‐Party Risk Management is a requirement. Financial sector requirements have been listed before, but both the Office of the Comptroller of the Currency (OCC) and the Federal Deposit Insurance Corporation (FDIC) have required regulated banks to follow their guidance on Third‐Party Risk Management. However, that's just a small sliver of the related regulatory and framework oversight. It includes, for example, the Federal Reserve Guidance on Managing Outsourcing Risk, Federal Financial Institutions Examination Council (FFIEC) Supervision of TSP, the Financial Industry Regulatory Authority (FINRA) Notice to Members 11‐14, and Gramm‐Leach‐Bliley Act (GLBA) Reg‐SP Privacy of Customer Information, just to name a few more. In the United States, healthcare is regulated by the Health Insurance Portability and Accountability Act (HIPAA) enacted in 1996. This act prescribes both a privacy rule and a security rule for protection of health data.

Other sectors have regulations specific to the third‐party risk around data privacy. However, as data privacy laws and regulations have been promulgated worldwide over the last 10 years or more, what most companies haven't taken into account is that virtually every business worldwide that manages protected data for customers is subject to regulation. Except for much of Africa, a few countries in South America, and a similar number in Central Asia, nearly every other country in the world has some form of data protection law.

The General Data Protection Regulation (GDPR) is a European Union (EU) law. It is considered one of the most robust and punitive data protection laws in the world, and while its application is focused primarily on Europe, it has an extra‐territorial effect. A company that is not within the EU is subject to GDPR if it processes personal data of subjects who are in the EU. A formal payment transaction doesn't even have to take place; GDPR is in effect when goods or services are offered for sale.

In the United States, several data protection laws and regulations are in place that are sector‐specific and medium‐specific. The California Consumer Privacy Act (CCPA) is the most well‐known, and due to the state's size and economy, it has an outsized impact on how data protection is done within the nation. On top of that, California has another two dozen state data protection laws, and other states are writing their own data privacy laws. The Federal Trade Commission has authority over a wide range of businesses in the data protection area. If you're doing business in the United States and process or store customer data, it is highly likely that a myriad of agencies have enforcement authority over your organization.

In other international locations, it is far more likely than not that you will have some form of data protection requirement. Argentina has a very robust privacy clause built right into its Federal Constitution. Australia has the federal Privacy Act of 1988 and the Australian Privacy Principles, along with several more regulations specific to each state and territory (New South Wales, Queensland, Tasmania, Victoria, the Northern Territory, and the Capital Territory). Canada has over two dozen federal, territorial, and provincial privacy statutes and is considered to have a very robust program.

Many businesses and entities in sectors that are not highly regulated may have thought they could relax. However, as the list of data privacy protection laws and regulations shows, nearly every company that retains customer‐protected data is subject to regulatory requirements. While the list of required business practices doesn't go into the same detail as in the finance or biotech industries, the penalties and fines for failing to follow them can be enough to prevent a business from remaining a “going concern” (an accounting term for a company that has the resources needed to continue operating indefinitely, until it provides evidence to the contrary). Every company that holds customer PII or PHI, no matter its sector or location, must perform due care and due diligence in securing that data.

An Inside Look: P&N Bank

In mid‐January 2020, P&N Bank disclosed that it had suffered a data breach involving detailed and sensitive financial information for potentially all of its 96,000 customers. The data involved included names, mailing addresses, email addresses, phone numbers, ages, and account numbers and balances. The breach occurred in mid‐December 2019 during a server upgrade at the third party hosting P&N Bank's servers.

Upon becoming aware of the attack, we immediately shut down the source of the vulnerability and have since been working closely with WAPOL, other federal authorities, our third‐party IT provider involved, regulators, and independent expert advisers to investigate and protect customers from any further risk. The safety and security of our members' information and funds is our highest priority. Data protection continues to be a focus around the world, and financial systems will always present some degree of risk, so it is important to stress that in line with best practice, we have highly sophisticated security measures and controls in place to protect our customers' accounts.

—Andrew Hadley, CEO of P&N Bank

P&N Bank was formerly known as the Police & Nurses Credit Society, and most of its customers are first responders. Luckily, no direct loss of customer funds, credit card details, or bank passwords occurred, and the customer relationship management (CRM) database did not contain any passport, Social Security, or health data.

One of the first missteps made by P&N was to send a letter to the affected customers stating that “non‐sensitive” data was exposed. This statement was incorrect because names, addresses, emails, phone numbers, ages, and account numbers and balances are considered non‐public when combined. It resulted in many customers becoming even more disappointed in the bank's breach response.

The customer information was leaked by a social media vendor for P&N named Deep Social. Described as a “freemium” influencer ranking, discovery, and AI‐driven analytics platform, Deep Social left its server vulnerable while it was undergoing an upgrade. In late 2018, Deep Social stopped providing its service and wound down the company, and its license to use the Instagram platform was revoked by Facebook because it had been found to violate Facebook's policies.

This breach demonstrates how vulnerable a company can become when a third‐party hosting service does not exercise proper due care and due diligence. What P&N Bank should have been verifying is how its hosting provider secures the bank's instance. We will discuss specifics of what to ask in later chapters, but most hosting providers can provide what is often called a Security Configuration or Security Audit printout. In Amazon Web Services (AWS), it's called a Trusted Advisor Report (TAR), which details important items and flags variances from best practices, such as missing multi‐factor authentication (MFA) on privileged accounts, items left unencrypted, or firewalls not configured properly.
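As an added example (not from the book, from AWS, or from P&N Bank), the Python below reviews a hosting provider's configuration export for exactly the three variance classes named above. The report layout, field names, account names and the list of admin ports are constructed for illustration and are not the real Trusted Advisor schema.

```python
"""Review a hosting provider's security configuration export for the variances the
text names: privileged accounts without MFA, unencrypted data stores, and firewall
rules open to the internet. Added example, not from the book or AWS; the report
layout is a constructed stand-in, not the real Trusted Advisor schema."""
from collections import Counter
from ipaddress import ip_network

# Ports that must never be reachable from every address (constructed policy list).
ADMIN_PORTS = {22, 3389, 1433, 3306, 5432}

def is_world_open(cidr: str) -> bool:
    """True when the rule's source covers the whole IPv4 or IPv6 address space."""
    return ip_network(cidr, strict=False).prefixlen == 0

def review_hosting_report(report: dict) -> list[dict]:
    """Return one finding per variance from the constructed baseline."""
    findings = []
    for acct in report.get("accounts", []):
        if acct.get("privileged") and not acct.get("mfa_enabled"):
            findings.append({"severity": "high", "control": "mfa", "resource": acct["name"]})
    for store in report.get("data_stores", []):
        if not store.get("encrypted_at_rest"):
            findings.append({"severity": "high", "control": "encryption", "resource": store["name"]})
    for rule in report.get("firewall_rules", []):
        if rule["direction"] == "inbound" and is_world_open(rule["source"]):
            severity = "high" if rule["port"] in ADMIN_PORTS else "medium"
            findings.append({"severity": severity, "control": "firewall",
                             "resource": rule["name"], "port": rule["port"]})
    return findings

def summarize(findings: list[dict]) -> dict:
    """Count findings by severity, e.g. {'high': 3, 'medium': 1}."""
    return dict(Counter(f["severity"] for f in findings))

# Constructed sample export; the SSH rule mimics one left open during an upgrade window.
SAMPLE_REPORT = {
    "accounts": [
        {"name": "hosting-admin", "privileged": True, "mfa_enabled": False},
        {"name": "deploy-svc", "privileged": True, "mfa_enabled": True},
        {"name": "auditor-ro", "privileged": False, "mfa_enabled": False},
    ],
    "data_stores": [
        {"name": "crm-db", "encrypted_at_rest": False},
        {"name": "nightly-backups", "encrypted_at_rest": True},
    ],
    "firewall_rules": [
        {"name": "https-in", "direction": "inbound", "port": 443, "source": "0.0.0.0/0"},
        {"name": "ssh-upgrade-window", "direction": "inbound", "port": 22, "source": "0.0.0.0/0"},
        {"name": "db-from-app", "direction": "inbound", "port": 5432, "source": "10.0.1.0/24"},
    ],
}
```

Running `review_hosting_report(SAMPLE_REPORT)` yields four findings: the admin account without MFA, the unencrypted CRM database, and the two world-open inbound rules, of which only the SSH one is rated high.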

SolarWinds Attack Update

The SolarWinds attack involved dozens of companies and government organizations. As a result, the Cybersecurity and Infrastructure Security Agency (CISA), part of the Department of Homeland Security (DHS), issued a rare direct Emergency Directive 21‐01:

Section 3553(h) of title 44, U.S. Code, authorizes the Secretary of Homeland Security, in response to a known or reasonably suspected information security threat, vulnerability, or incident that represents a substantial threat to the information security of an agency, to “issue an emergency directive to the head of an agency to take any lawful action with respect to the operation of the information system, including such systems used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information, for the purpose of protecting the information system from, or mitigating, an information security threat.”

44 U.S.C. § 3553(h)(1)–(2)

Section 2205(3) of the Homeland Security Act of 2002, as amended, delegates this authority to the Director of the Cybersecurity and Infrastructure Security Agency.

6 U.S.C. § 655(3)

Federal agencies are required to comply with these directives.

44 U.S.C. § 3554 (a)(1)(B)(v)

These directives do not apply to statutorily‐defined “national security systems” nor to systems operated by the Department of Defense or the Intelligence Community.

44 U.S.C. § 3553(d), (e)(2), (e)(3), (h)(1)(B)

The Emergency Directive also mandated that federal agencies forensically image the hard drives and memory of systems running the SolarWinds Orion product, versions 2019.4 through 2020.2.1 HF1. It directed them to analyze all new accounts, especially privileged ones; further, indicators of compromise were released that could be run against stored network traffic, giving forensic investigators the ability to determine when they were subject to the hack. All SolarWinds products, whether hardware or cloud‐based, were to be powered down, and until CISA produced a known‐clean build that agencies could use, the affected agencies would not be able to (re)join the machines to the enterprise domain.

The steps then included instructions to block traffic from any installed version of SolarWinds Orion software, which really reveals the sinister danger of this hack: the product was sending leaked information out to collectors, and this leakage went undetected for a long time. The intrusion at FireEye began in early spring 2020. While FireEye is the most publicly visible victim because of its announcement and transparency about the attack, it is clear that the U.S. government also leaked data for much of the same duration. How much data crossed networks over almost nine months across all the known victims? The sheer volume should make any cybersecurity professional weak in the knees, and businesses and governments are bracing for the worst.
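As an added example (not from the book or from CISA), the Python below checks a constructed Orion inventory against the version range the text gives for the directive, 2019.4 through 2020.2.1 HF1, and assigns each host the first response steps as the text paraphrases them. Host names, versions and step labels are constructed; the ordering rule for hotfix suffixes is the one a defender needs so that "2020.2.1 HF2" falls outside the range.

```python
"""Triage an Orion inventory against the version range the directive named,
as the text gives it: 2019.4 through 2020.2.1 HF1, inclusive. Added example,
not from the book or from CISA; host names and versions below are constructed,
and the step names only paraphrase the actions listed in the text."""
import re

VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:\s*HF(\d+))?$", re.IGNORECASE)

def parse_orion_version(text: str) -> tuple:
    """'2020.2.1 HF1' -> (2020, 2, 1, 1). The dotted part is padded to three
    fields and a missing hotfix counts as 0, so '2020.2.1' < '2020.2.1 HF1'."""
    match = VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Orion version string: {text!r}")
    fields = [int(p) for p in match.group(1).split(".")]
    fields += [0] * (3 - len(fields))
    return tuple(fields[:3]) + (int(match.group(2) or 0),)

AFFECTED_LOW = parse_orion_version("2019.4")
AFFECTED_HIGH = parse_orion_version("2020.2.1 HF1")

def in_affected_range(version: str) -> bool:
    """Tuple comparison places '2019.4 HF5' inside and '2020.2.1 HF2' outside."""
    return AFFECTED_LOW <= parse_orion_version(version) <= AFFECTED_HIGH

# Constructed step labels paraphrasing the directive actions described in the text.
IN_SCOPE_STEPS = ["block_orion_traffic", "forensic_image_disk_and_memory",
                  "review_new_and_privileged_accounts", "search_stored_traffic_for_indicators",
                  "hold_off_domain_until_clean_build"]
OUT_OF_SCOPE_STEPS = ["review_new_and_privileged_accounts", "search_stored_traffic_for_indicators"]

def triage_inventory(hosts: list[dict]) -> dict:
    """Map each host name to its response steps: in-scope hosts are isolated and
    imaged first; the other hosts still get account and stored-traffic review."""
    return {h["name"]: (IN_SCOPE_STEPS if in_affected_range(h["orion_version"])
                        else OUT_OF_SCOPE_STEPS) for h in hosts}

# Constructed inventory for illustration.
SAMPLE_INVENTORY = [
    {"name": "orion-prod-01", "orion_version": "2020.2.1 HF1"},
    {"name": "orion-dr-02", "orion_version": "2019.4 HF5"},
    {"name": "orion-lab-03", "orion_version": "2020.2.1 HF2"},
    {"name": "orion-legacy-04", "orion_version": "2019.2"},
]
```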

Survey results year after year indicate that far too few companies perform adequate, or any, Cybersecurity Third‐Party Risk assessments. As the pandemic swept in a new, hyperactive level of cybercrime, many companies with poor cybersecurity practices were breached (via ransomware, phishing attacks, or stolen data) at a level not seen before. Cybersecurity and Third‐Party Risk Management (TPRM) organizations both have work to do in collaborating on the third‐party risk domain and finding ways to lower risk more proactively.

On its editorial page on December 18, 2020, The Wall Street Journal described the SolarWinds supply‐chain attack as the equivalent of the Maginot Line in 1940. France and the western allies relied on a set of fixed fortresses around much of France, with the exception of the section the Germans ended up exploiting through the Ardennes, where there were no defenses. The comparison is apt: the fixed defenses are the security that CISOs and organizations have placed around their own boundaries, yet the enemy went through an area not sufficiently defended, the supply chain. The changes COVID‐19 brought to the world have made it a less safe place for organizations facing the actions and intent of bad actors.

Conclusion

The cybercriminals and APTs quickly changed their focus and tactics when the COVID‐19 pandemic hit. As the timeline shows, only a few short days passed after each change before a new phishing or malware attack appeared that preyed upon victims during these rapid and scary events. COVID‐19 and the resulting lockdowns to reduce the spread of the virus accelerated many trends in online and other behaviors that will not return to pre‐pandemic levels. The pandemic changed the behaviors of employers and their employees, students, customers, and suppliers, and it continues to provide more opportunities for cybercriminals.
