2020 CYBERSECURITY, THE YEAR THAT WASSentinel Africa
2020 YEAR IN CYBERSECURITY REVIEW
2020 was a year like no other for all of us, and this especially for the cybersecurity space. It was the year whereby working from home became normal, and security controls for teleworking were tested immensely. 2020 also marked an increase in data privacy concerns and general uptake of data privacy regulations, as well as an increase in sophistication of cyberattacks. Some notable events that took place around the world in 2020 are highlighted herein:
Cyber attackers leveraged on cyber vishing to acquire credentials of employees with access to internal support tools. The accounts were used to gain access to 130 Twitter Accounts, from which fraudulent tweets were made about bitcoin. The targeted accounts included Apple and Uber company accounts, as well as those belonging to Elon Musk, Warren Buffett, Jeff Bezos, Floyd Mayweather, former president Barrack Obama, the then-presidential candidate Joe Biden and former New York Mayor Michael Bloomberg. In this attack, the cybercriminals requested bitcoin from followers, promising double in return. Even though the attack was detected in time, the attackers generated bitcoin worth the US $100,000, and the victims received nothing in return.
In the wake of COVID-19 and the subsequent rapid increase in remote working, Zoom became popular overnight, with revenue growth of 355% in Q2 2020. Following such dramatic growth, cyber attackers took advantage soon after, as approximately 500,000 user account credentials surfaced for sale on a dark web forum. Hackers were able to gain access to important personal and corporate details, as well as acquire zoom meeting codes (which were alleged, easy to generate) and could join meetings uninvited and interrupt them, sometimes sharing inappropriate materials (Zoom bombing). Zoom recovered from the attack quickly, as security updates were pushed to end users soon after.
One of the largest hotel brands with 7,300 hotel and resort properties in 134 countries, revealed a significant data breach that happened in January but was discovered in February 2020. The data breach affected approximately 5.2 Million hotel guests where, Personally Identifiable Information such as names, addresses, phone numbers, birth dates, and airline loyalty information was acquired.
Cyber attackers deployed a phishing attack to gain access to employee credentials that later gave access to a target server hosting medical records. Approximately 365,000 patients were impacted by the attack, and employee data such as treatment information, health insurance, email addresses, phone numbers, physical addresses, and Social Security numbers were acquired.
CYBER ATTACKS IN AFRICA
Compared to other continents that have made great progress in the adoption and implementation of cybersecurity, data protection frameworks, and legislation; Africa is still lagging in the fight against cybercrime. Even though many organizations suffered such attacks, there was little information shared on the nature of the attacks, and the remediation measures taken afterward. This practice makes a unified fight against cybercrime rather hard due to the lack of information on common attack vectors used against organizations in the region.
Organizations should not just pay attention to data privacy & security but have a deep dive into them. With a considerable shift in 2020 on data privacy, as a result of high-end breaches, consumers started placing an even higher value on their data rights. With the implementation of the General Data Protection Regulation (GDPR) in 2018 and subsequent fines levied for data protection violations, countries such as the US shortly followed in the passing of similar laws.
In Africa, one of the policy agenda is the central preoccupation of data privacy laws. The African Union Cyber Security and Data Protection Convention 2014, which was the first treaty across the globe to address data protection outside Europe, serves as an illustration of such interest. Additionally, data protection frameworks there are at regional levels. Similarly, laws on the protection of personal data are increasingly being adopted on a national plane.
Emphasis on employee training
As the consequences for data breaches and non-compliance become more serious, businesses are investing in more in-depth data privacy training for staff members. Due to non-compliance, businesses tend to lose millions and there is a need for stringent data privacy standards to be maintained. Data privacy isn’t limited to just financial services and IT professionals – these high standards for data stewardship must be followed by all departments in all industries which handle customer data.
Biggest Hack of 2020: SolarWinds’ Supply Chain Attack
Hackers managed to access a system that SolarWinds uses to put together updates to its Orion product. From there, they inserted malicious code into another wise legitimate software update. This is known as a supply-chain attack as it infects software under its assembly.
The approach was especially powerful and its effect far-reaching because thousands of companies and government agencies around the world reportedly use the Orion software. With the release of a tainted software update, SolarWinds’ vast customer list became potential hacking targets.
The hackers did this back in March and their activity was only discovered in December 2020. This implies that they had been inside the government, telecoms, and other company networks’ systems all these months stealing data and spying on activities.
Finally, the emergence of COVID-19 has resulted in a shift in how we view cybersecurity both at personal and organizational levels. With the growing concerns and legislation around data privacy, we have to re-think how we approach security and start implementing controls at granular levels where data sits. The fight against cyber-related crimes is not just one department’s role, rather, it boils down to employees and third-party vendors. It is our responsibility to ensure information assets entrusted to us by customers retain their confidentiality, integrity, and availability.