Criminals quickly followed the spread of coronavirus, and Interpol’s Secretary-General Jürgen Stock has had to deal with the situation that he has never seen in his 40-year long police career.
Every day, more than 300 thousand variants of malicious software are released on the internet, he said during a Davos 2021 discussion about averting a cyber pandemic.
Other panelists also shared disturbing numbers. Co-founder and chief operating officer at Cloudflare Michelle Zatlyn said that her company, being relatively small, prevents around 76 billion attacks on behalf of their customers daily.
Even after the pandemic is over, cybercriminals will not back away. The silver lining, the panelists argued, is that technologically we are in a much better position to protect ourselves than we were ten or twenty years ago. And cybersecurity as a percentage of IT spending is increasing, added Fortinet’s CEO Ken Xie.
What policies, practices, and partnerships are needed to prevent a global cyber pandemic?
The need for better cyber hygiene and security by design
“A dynamic situation that I have never seen in my 40-year career within the police. A virus spreading around the world, and criminals quickly following. It seemed to me that what we are experiencing is a cybercrime pandemic, parallel to this biological pandemic. In these times, the world needs strong coordination to facilitate the cooperation that is needed,” Stock said.
As the world becomes more and more connected, criminals have more opportunities to attack systems anywhere in the world without ever leaving their apartments. This is why close global cooperation between governments, law enforcement, and businesses is necessary. He named the takedown of Emotet as an example of successful cooperation between law enforcement and the private sector. According to Stock, it is crucial to build bridges to the private sector 'because this is where a lot of information sits, this is where the expertise sits'.
Every day more than 300 thousand variants of malicious software are released on the internet, Stock said. This highlights the need to share intelligence on cybercrime on a global scale. For that purpose, Interpol formed the Global Cybercrime Expert Group, comprised of cybercrime experts from the police, private industry, and academia, as a platform for the exchange of cyber information and good practices to support law enforcement.
People, he said, are a critical factor in preventing cybercrime. Therefore staff training is crucial.
“We all have to apply better cyber hygiene,” Stock said.
Also, he pointed out the need for security by design: “Whatever product is developed and released into the market, security by design needs to be a feature from the beginning.”
VPNs fell over
Cloudflare’s president Michelle Zatlyn repeated the well-known fact that companies found themselves having the same number of offices as they do employees. Businesses have invested a lot of money into their office network security, but that kind of level of investment is not there when people work from home.
“Home networks became a weak link in a potential attack vector, and we saw attackers take advantage of that. A lot of IT teams had to scramble to hold that together and to find ways to patch solutions together,” she said.
Many companies used tools, such as VPNs, to solve this problem. But in many cases, VPNs were not designed for so much load at the same time.
“They didn’t have the capacity, and a lot of VPNs fell over, and so a lot of IT teams have had to strengthen that to ensure that in a post-COVID world, there’s more flexibility, and more employees are connecting outside of the office network,” she said.
Zatlyn believes that many people will continue working from home in the post-COVID world. Therefore, it is important to ensure that employees’ home networks are as secure as office networks. “This is not going away,” she said.
Even though the last months have exposed weaknesses, she sees a silver lining: “There are better solutions today than there were five years ago, and there will be even better solutions over the next five years. So if you are a corporation wanting to solve these problems, I think that there are much better solutions today than ten years ago.”
She called Cloudflare a relatively small company. But the company alone protects against 76 billion cyberattacks on behalf of their customers every day. That illustrates how big the problem of cybercrime is and that it is not going away anytime soon. Zatlyn also believes in staff training and thinks that everyone needs to become a better digital citizen for the whole world to become more resilient.
As for the companies, every enterprise should have a plan, know who they are and where they want to get to so that they could start making progress systematically.
“The most vulnerable organizations don’t have a plan. To be at the top, you need to start with a plan. If you have a pan, when things come up, you are in a better place to remediate or respond, which I think is important,” Zatlyn said.
Increasing the cybersecurity budget
Cybersecurity as a percentage of IT spending is increasing, said Ken Xie, Fortinet’s chairman of the board and chief executive officer.
“When I started Fortinet 21 years ago, probably only 1-2% of budgets were spent on cybersecurity, now it’s about 10%, so you can see it’s bigger money, bigger budgets,” he said.
Still, it is a long way to go as the attack surface increased immensely with so many people working at home, and data is scattered on different servers, clouds, and devices.
“It’s critical to protect data and its value. Also, it’s a long time investment, whether you invest in infrastructure, make sure they have the connectivity when working from home, they need to educate people, employees, make sure they understand the importance of cybersecurity”, he said.
Xie also pointed out joint efforts by law enforcement to bring down Emotet as a good example of fighting cybercrime.
“Partnership is very important to bring cybercriminals down, as Europol brought down Emotet. A lot of parties need to be working together to fight this cybersecurity issue,” he said.
Xie shares a thought that there is a need for more public training and that everyone using the internet should have basic cybersecurity training and understand the risks and how to protect themselves.