Cybersecurity During COVID-19
Q&A with Abnormal Security’s Evan Reiser and Greylock’s Saam Motamedi
The current COVID-19 crisis has shifted virtually every aspect of life online. With that increased internet activity comes increased risk of cyberattacks. As large enterprise organizations rush to adjust to an all-digital business, it’s been a moment of reckoning: what technology is critical to ensure companies are prepared and protected from malicious activities?
Greylock general partner Saam Motamedi – who works with early-stage entrepreneurs operating in applied AI, machine learning infrastructure and cybersecurity – caught up with Abnormal Security CEO and Co-founder Evan Reiser, whose company provides ML-enabled email security to large enterprise organizations. They answered our questions on how new technology is rising up to meet the needs of an increasingly digital [and risky] world.
The current crisis is bringing technology — and its vulnerabilities — front and center for all businesses. How is this playing out?
Saam Motamedi: Digital transformation isn’t a gradual process anymore. With work moving remote, and the customer journey and experience to digital channels, enterprise organizations have to accelerate transformation in order to keep their employees safe and their businesses running. Since we’re now in an economic downturn, there is also a ruthless focus and strong orientation towards ROI-driving efforts. There’s no longer time to pursue the top 5-10 priorities. Enterprises are focused on identifying and prioritizing their top 1-2 highest impact projects in a given quarter, and right now anything that facilitates remote work, digital communication, and the integrity and security around those is a top priority.
Evan Reiser: As COVID-19 has shifted many companies to a remote workforce, all critical business communication is happening digitally. This significantly increases the number of emails that are high risk, as well as the surface area of potential attacks. Email has long been the preferred attack vector for threat actors, and now it’s more exposed than ever. It’s both the primary tool and the lifeline to pretty much every other critical communication channel. For example, collaboration tools like Zoom are scheduled and shared via email.
Business email compromise [BEC] was the largest financial risk organizations faced from cyber-threats over the last several years. What is different about these kinds of attacks in the time of COVID-19?
ER: Attackers have always leveraged social engineering to engage their targets. Business Email Compromise (BEC) attacks often were impersonations of people familiar to the target. COVID-19 has introduced a massive opportunity for these same attackers. Abnormal Security tracks phishing attacks against our customer base, and as an example, we saw a 90 percent increase in COVID-19 related attacks over the second week of April.
COVID-19 has become a leverage point in a few ways: First, the socially engineered techniques that these attackers leveraged for BEC can now be launched more broadly because of the huge portions of the workforce shifting to a work-from-home environment. Secondly, it’s created the opportunity for attackers to exploit our desire for information and updates. Just putting the term “COVID-19” in a subject line is an emotional and psychological pull. Employees (and frankly, most human beings) are all anxious to hear about the latest developments related to COVID-19.
What kind of technology can keep up with those increasingly sophisticated and pervasive threats?
SM: Distributed workforces heavily use digital communication and collaboration tools, which greatly increases the surface area of potential attacks. This fundamental shift in work combined with COVID-19 itself becoming an attack vector has led to significant increases in the volume of attacks and their sophistication — growing the need for automation and machine learning to assist security teams in effectively handling these attacks.
ER: There is a misconception that a lot of certain attacks can’t be stopped, because some of the most established and well-known security companies focus their efforts on training employees not to fall for phishing scams. Making people aware that attacks exist is not enough to stop the attacks from working, though. What you need is the equivalent of tons of security analysts going through millions of data points, checking those against what they know to be safe or suspicious, processing the nuances of language that has been carefully engineered to trick people, and applying human judgment to each and every situation. You can’t do that without machine learning and automation. Instead of essentially looking for a needle in a haystack, you need technology that clears all the hay out of the way in the first place.
The COVID-19-induced downturn means a lot of companies have either drastically reduced their budgets for new technology or aren’t buying at all. How should they prioritize security?
ER: We’ve seen two priorities from our customers: reduce unnecessary costs to the business and enable the remote workforce. In the COVID-19 era, the importance of the security and integrity of employee communications is more important than ever. Employees are reasonably scared about a lot of things — losing jobs, losing customers, losing money — on top of the psychological toll of the pandemic. Naturally, disconnected employees are more susceptible to falling for social engineering attacks: i.e. a seemingly innocent email appearing to be a recognized vendor. We had one customer, for example, where we stopped a $700k invoice fraud that preyed on disconnected employees to steal money. Some of these attacks have direct financial costs; strategic security investments will actually save money for enterprises.
SM: Greylock’s CXO team works with an extensive network of CIOs, CISOs and other key decision-makers at large enterprise organizations. Vendors that can help drive C-level and board-level awareness of COVID-19 readiness and response particularly stand out to these execs. Across the board, we’re seeing CXOs increasingly prioritizing vendors who have a track record of high availability, reliability and customer success. Additionally, they need the ability to deliver value remotely with lightweight deployment.
Still, some companies just can’t afford to pull the trigger on new technology. How can they stay aware of the threats and understand what solutions are available?
SM: I’m glad to see a lot of compassion for customers from startups at this time. Many are prioritizing being helpful and engaging in new ways that don’t necessarily involve new partnerships or deals. Experts and knowledge are at the center of these startups, and companies like Abnormal are lending that knowledge to anyone who needs it.
ER: At Abnormal Security, we’ve introduced a COVID-19 Resources Center that is helping educate our customers on the current threat landscape. We share a lot about the changes in the threat landscape and are surfacing examples almost every day of the types of attacks that we’re seeing and catching. We’re hoping this serves as a helpful resource even for enterprises that are not customers of ours today.