IBM X-Force VP Wendi Whitmore: Cybersecurity in a time of crisis

While the world struggles with the devastating realities of COVID-19, cybercriminals are pouncing. Capitalizing on the pandemic, they have launched attacks on corporate and remote users, using malware, spam attacks, phishing campaigns and ransomware.

“We are all in an environment where attackers essentially can take advantage of the chaos that’s going on—not only on the computer systems but throughout the world,” Wendi Whitmore, vice president for IBM X-Force Threat Intelligence, said during a Think Leadership livestream on April 7. “This may be the new normal for longer than expected. We need to manage through this disruption instead of improvising through chaos.”

Whitmore is a cybersecurity expert, with diverse experience in incident response, proactive and strategic information security services, intelligence and data breach investigations. As head of IBM X-Force, she works with clients to provide deep research expertise and global threat intelligence for enhanced enterprise security.

Here’s her guidance, based on the team’s recent work with clients dealing with COVID-19-related cybersecurity threats:

Q: From a cybersecurity perspective, what are the challenges posed by the COVID-19 crisis?

A: It’s changing every day. More systems are connected to the network. More devices are routing net traffic. There is a lot more infrastructure. All of these work to the advantage of the attacker. Right now we’re seeing a lot of new threat actors, some specializing in malware and others in spam, looking to take advantage of the chaos. And there is a much greater attack surface with people working from home. We’ve seen a 14,000% increase in spam campaigns that are related to COVID-19.

Q: How does this change the role of the security teams?

A: This is a big opportunity for us in the security response side to become more integrated with business leadership. Security has moved from being just a technical problem to one that critically impacts the business. It’s time for us to embrace these challenges in a disciplined manner. Those who take charge and make a difference during these months are going to be the leaders we look to in the upcoming years.

Q: What are some important things that security teams can do right away?

A: First and foremost, get visibility into your distributed workforce, particularly to the endpoint. As a responder you must know where your resources are, where the personnel is, and the security on the devices they’re using. Pair that with the ability to quickly make decisions.

We’ve trained hundreds of organizations over the last few years. The number one problem they have is not making the wrong decision in the event of a potential breach but not making any decision at all. Empower your employees to make decisions. Oftentimes that means managing outside of your normal chain of command. You must have the ability to rapidly get answers. Making decisions quickly to stop attacks is absolutely critical.

Q: How has life changed for your team?

A: Our incident response teams have changed, for one. They’re used to jumping on a plane to go to a client environment where they work with subject matter experts on site to solve the problem. We’re still doing that to some degree. Many of us at IBM are working remotely, but not all our clients are. So, our incident response teams that move out are equipped differently. Their “Go Bags” will not just contain technical equipment and passports, but masks and protective gloves. We need to ensure the physical safety of our team members.

We’ve also stepped up our threat intelligence. The last three to four weeks have been absolutely manic in terms of the number of hours our teams are engaged. We’re working around the clock to deliver the latest threat intelligence, which is changing every day.

Q: Do we have a sense of some of the geographic origins of attacks?

A: Earlier we were seeing a lot of attacks coming from China. But as that region became more impacted by the virus, that transitioned. The largest geographic area we’re seeing these attacks come from is Vietnam.

Q: Many organizations feel overwhelmed. What is your advice?

A: The bad news is there are more attacks, and we’re all dealing with increased load on our networks. The good news though is that all of these attacks are ones we’ve previously seen, particularly with spam campaigns related to emails.

So, get back to basics. Break every problem and solution into manageable steps. And don’t forget the importance of prevention. For email, that means things like automated warnings identifying external emails in the subject line. Those are more likely to contain attacks. We can’t stop every attack, but we want to block as many of these attempts as possible. We want to make it much harder for the attackers to do their job.
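The automated external-email warning Whitmore describes, as an added Python example that is not from the interview or from IBM: it parses a raw message, treats mail whose From or Reply-To address falls outside a set of internal domains as external, and prepends a tag to the Subject exactly once so that re-scanned mail is not tagged twice. It goes slightly beyond the text by also checking Reply-To, since a message can show an internal From while steering replies elsewhere. The internal domain list, the tag text and the sample messages are all constructed here for illustration; a mail gateway would apply the same logic on inbound traffic.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample: the domains this (hypothetical) organization treats as internal.
INTERNAL_DOMAINS = {"example.com", "corp.example.com"}
EXTERNAL_TAG = "[EXTERNAL]"


def sender_domain(header_value):
    """Return the lower-cased domain of the address in a From/Reply-To header, or '' if none."""
    _, addr = parseaddr(str(header_value or ""))
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def is_external(msg):
    """True when the message originates outside the internal domains.

    An unparseable or missing From is treated as external (fail closed), and a
    Reply-To pointing outside the organization also marks the message external.
    """
    from_domain = sender_domain(msg.get("From"))
    if not from_domain or from_domain not in INTERNAL_DOMAINS:
        return True
    reply_domain = sender_domain(msg.get("Reply-To"))
    if reply_domain and reply_domain not in INTERNAL_DOMAINS:
        return True
    return False


def tag_subject(msg):
    """Prepend EXTERNAL_TAG to the Subject of external mail; idempotent."""
    if not is_external(msg):
        return msg
    subject = str(msg.get("Subject", "") or "")
    if subject.upper().startswith(EXTERNAL_TAG):
        return msg  # already tagged by an earlier pass, do not double-tag
    del msg["Subject"]
    msg["Subject"] = f"{EXTERNAL_TAG} {subject}".rstrip()
    return msg


def process_raw(raw):
    """Parse a raw RFC 5322 message, tag it if external, and return (is_external, subject)."""
    msg = email.message_from_string(raw, policy=policy.default)
    tag_subject(msg)
    return is_external(msg), str(msg["Subject"])


# Constructed sample messages (not real traffic).
SAMPLE_EXTERNAL = """From: "IT Helpdesk" <helpdesk@example-support.net>
To: alice@example.com
Subject: Remote access policy update

Please review the attached guidance.
"""

SAMPLE_INTERNAL = """From: bob@example.com
To: alice@example.com
Subject: Team standup notes

Notes from this morning.
"""

SAMPLE_REPLYTO = """From: bob@example.com
Reply-To: bob@other.example.net
To: alice@example.com
Subject: Invoice question

Can you resend the invoice?
"""

SAMPLE_PRETAGGED = """From: news@example-vendor.net
To: alice@example.com
Subject: [EXTERNAL] Weekly bulletin

This week's bulletin.
"""

if __name__ == "__main__":
    for name, raw in (("external", SAMPLE_EXTERNAL), ("internal", SAMPLE_INTERNAL),
                      ("reply-to", SAMPLE_REPLYTO), ("pre-tagged", SAMPLE_PRETAGGED)):
        print(name, process_raw(raw))
```

The tag is applied to the Subject header rather than the body so that it is visible in every mail client's list view; the case-insensitive prefix check is what keeps a gateway that sees the same message twice (for example, after an internal forward) from producing `[EXTERNAL] [EXTERNAL] ...`.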