Restrictions, cybersecurity, and "the new normal"
I've heard the phrase "new normal" a lot in the last two months. I'm sure you have too. Everyone is trying to figure out what "normal" will look like in the future and none of us really knows exactly what will have changed when the dust settles.
Obviously, as someone responsible for our company's cybersecurity posture, I have been paying attention to what is happening on the internet, and I worry that people could get themselves into some trouble if they're not purposeful about cybersecurity in "the new normal".
I also don't think that this issue is exclusive to cybersecurity.
Relaxed Restrictions
I've noticed that while society has imposed a lot of new restrictions on us, a number of existing restrictions have become more relaxed or even removed.
For example: in the last two months I've purchased an adult beverage a total of four times (though two of these times were because I needed a cork for a bottle rocket). I was not asked for my license during any of those purchases. One of those purchases was at the government-run ABC store, which is the last place I would expect to not be asked for my license. I'm sure I don't look like a teenager anymore, but I'm also not even 30 years old.
I'm not lambasting grocery stores or the ABC store for not verifying my age. In fact, if our goal is to try and slow the spread of COVID-19, it makes total sense that I wasn't carded. From their perspective, who knows where my license and wallet have been and if they've been contaminated? At this point in time, society (or at least where I live) has decided to prioritize the prevention of COVID-19 over the prevention of underage drinking.
If you're into social engineering, I'm sure this is an exciting time for you! There's a lot of stuff someone could get away with because of existing restrictions which have been relaxed. Another quick example: the tax filing deadline has been extended in many parts of the country. This means we don't have to be as timely when we file taxes this year - which is nice and convenient. It also means that our city/country/state may have a hard time balancing their budget and it also gives criminals more opportunity to file a fraudulent tax return in your name and collect your refund - neither of which is nice or convenient.
As I said, these relaxed restrictions might make sense right now, but my worry is that many of us will want to continue with some of these lax restrictions as part of our "new normal" - and I believe that could be a problem. There was a reason that existing rules and restrictions were in place and it is unlikely that being complacent is going to make anything better in the long term.
Relaxed Cybersecurity?
Protecting your online accounts, local networks, computers, etc. doesn't have anything to do with preventing the spread of a virus, but many people have also been a little lax about their security in the rush to get their "work from home" setup going. Three months ago, I would have had strong words for this "just get it done" mentality - but if you were not prepared to work from home before COVID-19, it makes sense that right now you may have temporarily relaxed your security controls in order to continue working.
If this is you or your company, it is absolutely paramount that this is TEMPORARY and that you have active plans to properly secure your stuff as soon as you are able. In a lot of ways, good cybersecurity comes at the cost of efficiency or ease-of-use and so I understand why you might not care for it right now - but if you make lax security controls a part of your "new normal" you are playing with fire. Criminals haven't stopped being criminals because of COVID-19 and they certainly aren't going to stop when the dust settles. In fact, some cybercriminals are actually leveraging COVID-19! Consider this:
- In early April, CISA (part of the Department of Homeland Security) sent out an alert about criminals leveraging COVID-19.
- By mid-April, the FBI reported that cybercrime complaints had quadrupled.
- Ransomware continues to infect hospitals. Here's an example in Colorado. This is particularly rotten, even for cybercriminals.
Recommendations for working from home
It is likely that our "new normal" will include working from home more often. I'm sure you have already seen a million and a half recommendations about how to be secure as you work from home - this should tell you that it is important. Here are some specific resources that I recommend:
Interactive training from Microsoft:
These are good, informative, and relatively short. You need a Microsoft account, but if you use Office 365, that account will work.
From this blog:
- Phishing Training and Why 2FA isn't enough. This also has a link to one of SEM's phishing webinars from last year.
- Managing Passwords Effectively. If you're reusing passwords and not using a password manager, your life is probably harder and definitely less secure than it should be.
For teachers and professors who use Zoom:
- Security tips every teacher and professor needs to know about Zoom, right now (posted April 2, 2020)