In light of the COVID-19 pandemic, organisations are developing strategies to protect staff and vulnerable members of our community.
As more staff may work from home, and the use of remote access technology increases, adversaries may attempt to take advantage.
Ensuring good cyber security measures now is the best way to address the cyber threat.
Consider incorporating the following proactive strategies:
- Review your business continuity plans and procedures.
- Ensure that your systems, including Virtual Private Networks and firewalls, are up to date with the most recent security patches (see guidance for Windows and Apple products).
- Increase your cyber security measures in anticipation of the higher demand on remote access technologies, and test them ahead of time.
- If you use a remote desktop client, ensure it is secure.
- Ensure your work devices, such as laptops and mobile phones, are secure.
- Implement multi-factor authentication for remote access systems and resources (including cloud services).
- Ensure that you are protected against Denial of Service (DoS) threats.
- Ensure that your staff and stakeholders are informed and educated in cyber security practices, such as detecting socially-engineered messages.
- Ensure that staff working from home have physical security measures in place. This minimises the risk that information may be accessed, used, modified or removed from the premises without authorisation.
Together we can ensure Greece is the safest place to work online.
Malicious cyber actors are actively targeting individuals and Hellenic organisations with COVID-19 related scams and phishing emails. These incidents are likely to increase in frequency and severity over the coming weeks and months. This is due, in part, to the ease with which existing scam emails and texts can be modified with a COVID-19 theme.
Opportunistic malicious actors are exploiting people’s concerns and desire for information about the COVID-19 pandemic by directing them towards websites designed to either install malicious software or steal personal information. While the majority of COVID-19 related websites are legitimate, many are being created by malicious cyber actors seeking to exploit Greeks during this difficult time.
The malicious COVID-19 websites are designed to look legitimate or impersonate well-known organisations, making them difficult for individuals to detect. Cybercriminals use them to install computer viruses onto people’s devices, such as banking Trojans or different variants of ransomware, in order to generate profit. In other cases, they seek to harvest user credentials, such as personal identification, passwords and bank details, which are then used to gain access to the user’s networks, devices or online financial accounts.
Those engaged in cybercrime activity are not constrained by geographic borders and their actions can have far-reaching consequences. The Hellenic Computer Security Incident Response Team is aware of reports that malicious actors based in Eastern and Western Europe, Asia and Africa have been responsible for launching COVID-19 themed malicious cyber activity, including against Greeks.
All organisations should consider cyber supply chain risk management. If another organisation is involved in the delivery of a product or service to your organisation, there will be a cyber supply chain risk originating from that organisation. Likewise, your organisation will transfer any cyber supply chain risk you hold to your customers.
Effective cyber supply chain risk management ensures, as much as possible, the secure supply of products and services for systems throughout their lifetime. For products, this includes their design, manufacture, delivery, maintenance and disposal. As such, cyber supply chain risk management forms a significant component of any organisation’s overall cyber security strategy.
Cyber supply chain risk management can be undertaken by identifying the cyber supply chain, understanding cyber supply chain risk, setting cyber security expectations with suppliers, auditing suppliers for compliance, and continual monitoring and improvement of cyber supply chain security practices.
Identify the cyber supply chain
The first step in cyber supply chain risk management is to identify the cyber supply chain. This includes all suppliers, such as software and hardware vendors, managed services providers, and where possible, their sub-contractors. Furthermore, it is important to know the value of information that your systems process, store and communicate, as well as the value of any information that may be entrusted to suppliers.
As a starting point, organisations should establish a list of suppliers they have business arrangements with. While an exhaustive list of all suppliers, especially their sub-contractors, may not be possible, the identification of those responsible for products or services with security enforcing functions, privileged access or handling particularly sensitive information should be prioritised.
Understand cyber supply chain risk
Following the establishment of a list of suppliers, organisations should seek to understand the cyber supply chain risk that those suppliers pose through established risk management practices within their organisation. In some cases, cyber supply chain risk relating to suppliers may result from poor security practices within a supplier, security vulnerabilities within a supplier’s product or service offerings, or a supplier’s exposure to extrajudicial control, extrajudicial influence or foreign interference.
In determining the cyber supply chain risk that suppliers pose, organisations can seek to understand the security posture of their suppliers in a number of ways. This may involve speaking to suppliers about their existing cyber security arrangements, determining whether suppliers hold any security certifications, looking at the track record of security vulnerabilities in a supplier’s product or service offerings and their responsiveness to resolving them, and checking whether the supplier has a vulnerability disclosure policy.
While the determination of cyber supply chain risk will often be the responsibility of individual organisations, in some cases the Government may deem a particular supplier, or one of their products or services, to be a national security concern. In such cases, there may be a specific direction issued in relation to managing the associated cyber supply chain risk. In particular, for critical infrastructure providers, the Security of Critical Infrastructure Act 2018 provides for specific direction to be issued by the Government where national security concerns exist.
As a result of understanding their cyber supply chain risk, organisations should be able to develop both a prioritised list of suppliers that present a high risk to their organisation and an associated cyber supply chain risk management plan. It is important to note, though, that organisations should consider not only the cyber supply chain risk posed by their suppliers but also the cyber supply chain risk that they pose to their customers.
Set cyber security expectations with suppliers
Regardless of which suppliers are deemed a high risk at any given time, organisations should seek to establish cyber security expectations with all of their suppliers. As part of this, cyber security expectations should be clearly documented in contracts or memoranda of understanding in order to ensure that suppliers are appropriately managing their own security posture, including their cyber supply chain risk. Furthermore, it is critical that such agreements stipulate the requirement for any cyber security incidents to be openly and transparently reported to their customers and appropriate authorities in a timely manner.
In many cases, cyber security expectations set out in contracts or memoranda of understanding should not be excessively restrictive, except where suppliers are involved in the provision of, or support to, highly classified systems. Rather, cyber security expectations should be justifiable, achievable and proportional to the information being entrusted to suppliers or the role that their products or services play in an organisation’s systems.
Finally, organisations should seek to ensure that any cyber security expectations set out in contracts or memoranda of understanding with suppliers are passed through in turn to their suppliers.
Audit suppliers for compliance
Once cyber security expectations have been established with suppliers, it is important that organisations have confidence that those expectations are being met. One way to achieve such assurances is through routine audits or other forms of technical assessments. Provisions for such activities should be stipulated within contracts or memoranda of understanding (often referred to as a ‘right to audit’ clause) and can serve as a way to gain independent assurances of the security posture of suppliers.
Ultimately, effective cyber supply chain risk management is based upon trusting partnerships between suppliers and customers. Such partnerships can be strengthened through common cyber security goals and information sharing arrangements, such as sharing best practices and threat intelligence, as well as assisting each other with responding to cyber security incidents and involving each other in any cyber security exercises.