The pandemic’s impact on the cybersecurity industry

Businesses around the world have had to quickly pivot to remote work and many have discovered that they do not have the cybersecurity conscious culture and practices in place to effectively transition in a safe way. There has been an increase in phishing attacks, and even a heightening of privacy standards for the remote tools that employees use for work - such as Zoom. I think that businesses and their employees have realized just how important, and vulnerable, internet use is without the proper protections.

Establishing a strong cybersecurity conscious culture and practices is the best way to effectively improve cybersecurity for employees during the outbreak. Best practices include maintaining strong passwords or preferably passphrases, staying vigilant for phishing emails, and making sure to remember to use software such as VPNs whenever possible. There’s no reason not to encrypt your internet traffic at all times - it protects you from potential snoopers on your own network, and also the known snoopers at your ISP. 

Considering how sudden the switch to remote work has been in some locations, businesses have dealt extraordinarily well with the move to remote work. Many companies will continue to allow their employees to work from home after the pandemic is over. 

The current trend has always been towards working away from  an office. What many companies needed was an impetus to test remote work and collect data on changes in productivity to make decisions on remote work in the future. For those companies that have measured a reduction in productivity, it’s worth noting that remote work that happens post pandemic won’t be burdened by the same workday childcare responsibilities which this pandemic has imposed on many employees. 

Businesses need to implement strict rules on how video conferences are used. Sound video conferencing practices include using a strong password to secure the video conference, only sending the video conference invite link to participants, not posting the link in public places, and using other built in features like screening participants before they’re added on the call or locking the call once all participants have arrived. 

Video conferencing tools, like any other software, are only as secure as the people using them. However, some video conferencing software has been discovered to have privacy or security flaws that are outside of the user’s control. All software used by businesses needs to be evaluated with their privacy and security history in mind before deployment.

Small businesses can participate in securing the internet connections of their employees by investing in a VPN solution. All small businesses should ensure that their employees access the internet using an encrypted connection, but not all small businesses will need site-to-site VPN functionality such as expensive solutions offered by companies like Cisco Systems and Juniper Networks. It is important to understand the differences between site-to-site VPN services and remote access VPN services. Site to site VPN services allow an employee to connect to a business’s servers using an encrypted connection and are generally pricier and more or less about security, not privacy. On the other hand, remote access VPN services such as Private Internet Access allow an employee to connect to the wider internet in a more secure and private way. 

Data center partners are chosen based on their jurisdiction, whether they have the hardware and connectivity that we require, and their historical privacy performance, among other things. Data center partners in jurisdictions that have laws on the books which are anti-privacy or require logging are not considered even if they have the capabilities we need. 

One factor that we look at in particular is the data center partner’s past actions and their respect for the rule of law. If a data center provider has been revealed to cooperate with authorities in a way that could compromise our no logging commitment, we drop them - this happened to our data center partnership with LeaseWeb in Germany, for instance. 

Private Internet Access is always evaluating new data center partners to be used in new exit gateway locations. The ten new server locations established recently as part of our VPN network expansion plan were just the beginning - and PIA is planning to expand its network further in both the short term and the long term.

WireGuard brings a kernel level VPN protocol to the available VPN connection options for Private Internet Access users. It uses newer encryption algorithms and improved cryptographic techniques such as cryptographic agility and provides a solid VPN connection using substantially fewer lines of code than OpenVPN. 

To protect the privacy of WireGuard specific connections, Private Internet Access has supplemented the core WireGuard software on our VPN servers with an RSA certificate protected RESTful API that allows us to implement the same server-client connection privacy-preserving best practices that are also present in OpenVPN and IPSec. Our VPN servers, all of which feature WireGuard, also have a daemon that deletes server-client connection data periodically whenever keepalives are no longer being sent for three minutes. 

The legacy of the COVID-19 pandemic on cybersecurity and data privacy will be two-fold. On one end, internet users around the world are waking up to the fact that cybersecurity and privacy are important. On the other side of the coin, we’re seeing governments grasping with both hands and security companies salivating to try and increase their ability to invade the privacy of the average user. It is our hope that the prior wins out over the latter, and the average internet user finally comes to grip with the fact that if they fail to actively protect their privacy rights, their government will eventually erode them. 

It is our fear that attitudes of individuals around the world will shift towards favoring the alleged public good over individual civil liberties. Now that governments have successfully convinced telecommunication companies to share supposedly anonymized location data with government agencies under the guise of contact tracing, the bar has been set for the kinds of crises that warrant an expansion of government surveillance powers involving ubiquitous phone location data. As time goes on, this bar will be set lower and lower and government tracing of location data may become the norm. The worst case scenario is that the public accepts this erosion of their privacy under the guise of “public safety” and lets it happen during crises and lets it remain afterward. 

Cybercriminals are likely having a field day with the amount of new vulnerable targets that have shown up on their doorsteps. I imagine that many cybercriminals have learned a lot about themselves and the depths of their depravity that they would sink to target the world during such a vulnerable time.