I’ve been doing a bit of a check-in with clients, contemporaries and colleagues, as well as the team here at Mercury, on the effects of COVID-19 on the cyber security industry. Whilst there are a lot of immediate things we’re all thinking about and seeing unfold, there are a few thoughts and ideas I have around the present and what’s about to happen that I’d be keen to share.
Situation no change: phishing & targeted attacks related to COVID-19
Phishing scams have been a part of cyber security for years, and the tactics employed are no different from those we see at Christmas, Easter, tax time and your birthday. Whilst we are seeing more scams, more phishing domains and more targeted attacks than we normally would, I really don’t think this is a complete change from business as usual. What we are seeing is our own mental and emotional exhaustion, combined with every scammer chasing an easy-to-hit topic like it’s a 6-year-old’s soccer match. The tactics employed and the responses to them remain the same; it’s just far more visible to us all.
Operations first, security second
Security has often been a focal point to protect investment and reputation; now the capacity for businesses to simply function is the priority, and we’re seeing security take a back seat. This was evident in the sudden (alleged) rise over the past few weeks of Remote Desktop Protocol as the default working-from-home solution, as well as the Zoom issues that were identified, which realistically won’t stop people from using Zoom (albeit for anything that isn’t too sensitive). Whilst technology can never be assured completely, it is better than nothing, and time will see the layering in of security controls. We forget that our role as cyber security practitioners is to support the plan, not to believe our job is simply telling someone “don’t do that.”
Everyone is a cyber expert now (or will soon become one)
We have already been seeing, over the past 8 years, the new and improved cyber security expert who arrives with no technical grounding, no prior operational or technological experience, and a lack of empathy. This new breed of thought leader will multiply with the spread of COVID-19. A 1-week online course taken during isolation, consisting entirely of PowerPoint decks, combined with no understanding of technology beyond ownership of a TV, a phone or a bedside clock still flashing 12, will see a new breed of cyber expertise sprouting “don’t do X because I told you so and I have certifications.”
I hate to sound cynical on this point or the one prior, but there is an Australian tendency to suddenly become an expert at a subject without having taken several years to master it, and I assess that, given the volatility of other fantastic Australian industries, cybersecurity will be one of many disciplines that start to attract new participants looking to change careers from social media influencing to cyber social media influencing, in a similar manner to the medical social media influencers who are little more than anti-vaxxers. Whilst education during this period of downtime will be important, I am wary of the quality of individual it will produce if the education is little more than answering multiple-choice questions or registering a bunch of domains as an “internet investigator with 25 years expertise.”
Having stated this, I am also hopeful that a few individuals will reorientate and meaningfully enhance their skills, not just in cybersecurity but in all industries. I sincerely hope we get some fantastic innovation from throughout the country, but this will come back to reliable training activities as well as individual motivation to undertake self-improvement. If you are looking at professional development, I’d suggest PentesterLab, OSCP or even a few OverTheWire challenges.
An increase in insider threats
Australians are not good at saving, and our levels of household debt reflect this. Amplify this across the several personality types throughout Australia whose lifestyles are financed by banks and AMEX, who depend on the annual bonus just to keep their debt at reasonable levels, and who are typically in high-profile (or notionally high-profile) professional roles trying to emulate a lifestyle they cannot afford. Many of these individuals will no longer have the existence they once had and will be looking for means to sustain their lifestyle. We have a new insider threat that can be readily exploited and, if you’re a certain type of business with access to classified information or information of value, you’re now a fantastic candidate for a “side hustle” financed by corporate or foreign espionage. Hopefully protocols and insider threat management will kick in and quickly eradicate these individuals; if not, I’d suggest brushing up on and testing these aspects in the time of COVID-19.
I also suspect we will see this issue amplify in “top heavy” organisations, businesses with a disproportionate number of salespeople, or places that are dependent on professional services and advisory services with no annuities.
Rationalisation of costs, customer side
Customers are quickly rationalising costs, and cyber security is on the chopping block. A first-principles approach to the necessity of a lot of services will start to take place and, further to my operations point above, if an activity isn’t enabling operations or providing value, it is likely to be removed. The real issue here is that many companies may have installed items which are technically costly to remove and which may hinder remote access capability or cause significant downtime if removed.
Rationalisation of costs, vendor side
I previously wrote a blog post on “Running lean” and the necessity for a cyber security startup to keep its costs under control. As customers reduce and rationalise costs, so will a lot of vendors. Commensurately, underperforming or superfluous staff will be moved on over time, and I’m already seeing a few friends given redundancy. I just hope we don’t have a scenario where front-line staff are made redundant and support staff are retained to drive the few remaining competent individuals to burnout.
A drop in vendor sales and what this means for the sales cycle
Leading on from the above points, we’re starting to see vendors push more cold calling in what is becoming a contested market. I’ve already received a few pitches and products pushed for the sake of making a quick buck. In a market where trusted relationships are paramount, cold calling and aggressive sales do not create trust, which may hopefully lead to the death throes of poor-quality sales activities.
To offshore or not offshore
I was a little annoyed recently to have received one such cold-call message last week from a firm financed by an Australian incubator for the Australian startup scene (no staff are onshore) advocating the offshoring of work, including assessment activities. My own opinion on this is informed by incident responses that resulted from poorly executed penetration tests originating from overseas, as well as the following report: https://it.toolbox.com/blogs/chiefmonkey/the-worlds-worst-penetration-test-report-by-scumbagpentester-012814. Automated assessments and offshoring are a race to the bottom, and a race to the bottom drives away quality. In a world where VAs are being sold as Red Teams, low-quality automated work doesn’t find custom vulnerabilities or educate and inform staff. When your clients are writing or implementing vastly different code, it takes a novel approach to identify and exploit it.
However, I can see Australia in this climate taking a nationalistic approach which will onshore work to shore up Australian jobs and assure our supply chain. Then again, I could be wrong and we could very well see the continuation of work being passed overseas as a cost rationalisation… this, I dare say, will be an interesting space to observe.
If you have any other thoughts I’d be happy to hear your comments.