Digital distraction: the diversionary tactics used by criminals during the pandemic
Distraction is one of the oldest tricks in the book, but the rush to digital has made it easier
Covid-19 has accelerated digital transformation across every sector. According to a McKinsey & Company study, businesses' digital offerings leapfrogged seven years of progress, on average, in a matter of months last year.
This acceleration shows no signs of stopping. Yet, all in all, the stage is set for not just great digital transformation progress but also maximum exploitation by criminals of an age-old manoeuvre: the distraction technique.
As businesses maintain momentum on their digital transformation initiatives post-pandemic, IT and security teams will find their attention continually focused on managing these large-scale projects. So how can they ensure this doesn't create a perfect smokescreen for criminals who have now honed the distraction technique to launch successful attacks?
Exploiting human vulnerabilities exacerbated by Covid-19
In the rush to get employees remote working quickly at the start of the pandemic, many organisations unconsciously sacrificed security and data protection procedures. In fact, Citrix's global Workquake survey of 7,500 office workers found that over a third (39 per cent) of staff have been using unsanctioned apps or even apps that were explicitly banned by their IT teams.
Computing's Cybersecurity Festival begins 16 June - Register today
Criminals have been quick to exploit not only these overlooked security vulnerabilities but also the human vulnerabilities exacerbated by the pandemic. Whether due to caring responsibilities, homeschooling or other pressures, individuals under stress are far more likely to be distracted into falling for a carefully crafted phishing email. Criminals recognise this and have taken advantage of the stress caused by the pandemic, including playing on people's health concerns by using the lure of a vaccine appointment or Covid information as bait to catch people out. In fact, the National Cyber Security Centre recently revealed that it had taken down more scams in the last year than in the previous three years combined, with coronavirus and NHS-themed cybercrime fuelling the increase.
Accelerated digital transformation: contributing to distraction
After a year of honing their attacks against individuals under stress, criminals are well aware of the benefits of targeting people when their attention is divided. Given the large-scale digital transformation expected to continue post-pandemic and today's well-documented digital skills gap, it's vital that organisations ensure their stretched IT teams don't fall victim to this same distraction technique.
Recent research from Deloitte revealed that more than three-quarters of business leaders globally expect their organisations will change more over the next five years than over the past five years. This rapid change will transcend technology alone.
Digital transformation involves adopting new working methods, such as agile and DevOps, as well as shifts in organisational responsibility and greater business expectations - along with consultants intervening throughout the process. Meanwhile, IT teams need to both roll out new digital technologies and keep existing systems running. For criminals, this can present a perfect, long-term opportunity to keep using the distraction technique they have been honing throughout the pandemic to successfully breach organisations.
Capitalising on diversionary tactics
Beyond the distraction of progressing a successful digital transformation programme, IT teams must also deal with the rise of ‘cover' attacks. In these instances, bad actors launch an obvious attack to distract from the quieter ‘real' high-impact attack they are stealthily conducting at the same time. An example might be launching a distributed denial-of-service (DDoS) attack on a public corporate website in order to mask a data exfiltration attempt.
Fending off both obvious and more subtle attacks requires IT and security teams to avoid treating obvious attacks as routine. It is also wise to ensure the team is prepared to detect and react to multiple attacks at once by rehearsing this situation as a security response exercise. Covid might have delayed some of these regular exercises, but they are important to keep corporate systems and data secure.
Key steps to avoid falling for the distraction technique
To tackle these new patterns of attack, businesses should lean on analytics, a powerful tool for quickly detecting a security anomaly. It might be as straightforward as spotting if a user is logging on from an unusual location. It could also be more complex, such as detecting an untypical pattern of work spanning multiple sensitive applications. If an anomaly is detected, the system can respond by, for example, requesting that a manager authorise access. Attacks on systems can be hard to notice, but they do follow predictable patterns. With analytics technology to quickly recognise these patterns, security staff can group anomalies together and process simultaneous threats in real time. This helps teams remain vigilant against attacks launched under cover or while attention is divided, such as during a pivotal moment in a digital transformation initiative.
Beyond smarter use of technology to help combat threats, an organisation's security culture is key. Staff should feel comfortable contacting IT with security concerns. IT teams should consider how available, visible and approachable they are to the workforce. To increase collaboration with IT, organisations could incorporate online communications tools within their new security controls or create a security chatbot to help users who receive a suspicious email get guidance quickly. It is also important that high-risk groups, including senior executives, finance staff and system administrators, receive regular security training and can access a dedicated support team.
With the entire organisation aware of tried-and-tested attack methods and able to quickly flag any concerns, the IT team will benefit from greater vigilance across departments. This will not only lessen the chances of criminals using a distracted employee as a way into the organisation but will also ensure more individuals are ready to spot unusual behaviour which might signal an attack.
Distraction is one of the oldest tricks in the book; it's as old as society. Digital technology just makes it easier. Given the increasing pressure on businesses to innovate and roll out new digital tools to emerge from the Covid-19 crisis ahead of their competitors, IT and security teams will need to ensure their divided attention does not make them an easier target for cybercriminals.
More broadly, organisations must deliver a work environment that actively encourages focus and guards against distractions. Not only will this help security teams, it will also boost employee engagement and encourage productivity. With multitasking or switching between tasks costing as much as 40 per cent of someone's productive time, organisations can't afford to have an unfocused or negligent workforce. Not at the expense of security, or the business' bottom line.
Chris Mayers is chief security architect at Citrix