The new cyber risk reality of COVID-19 operating mode
There’s little, if any, precedent for the time we’re experiencing right now, with a pandemic changing the corporate landscape in profound ways. But while many are reacting in real time to the workforce transitioning into the work-from-home-force, cybersecurity experts were, in many ways, already developing potential responses, despite not knowing the specific circumstances behind this unprecedented global crisis.
A CISO’s priority is to preemptively consider how a cyberattack could happen. In that way, a new reality in which everyone is working from home isn’t all that different from other imagined scenarios. Obviously, the scope of it is much larger than any of us have had to deal with before, but to an extent, our ideal is a focus on being prepared whether 40% of your workforce is working from home or 100% of it is.
This is not to say, however, that because it is the cybersecurity officer’s objective to anticipate cyberthreats in most scenarios, there aren’t still some extra considerations we should be taking at a time when the security demands are so widespread and disparate. Moreover, not every CISO is empowered to respond to the demands of this time, which isn’t a reflection of that CISO’s capabilities. The entire corporate landscape was caught by surprise by the speed at which the work-from-home transition happened, and capabilities haven’t caught up quickly enough.
When you have a workforce spread out as they are now, there are some new risks to consider. First, you have to set everyone up with equal, or similar, capabilities as if they had been sitting in their designated corporate environment. That’s a lot of work, especially for job functions that you never imagined might need to perform their role remotely. Second, a CISO is dependent on the savvy of their co-workers to be front-line defenders to an extent we never have been before, and in the face of dramatic increases in threat activity. With that many factors at play, there are a lot of variables.
It’s also pertinent for us to acknowledge that there will be a higher frequency of cyberattacks during the COVID-19 pandemic. This isn’t an alarmist theory; it’s factual. But there’s no reason for us to respond to this potentiality as if Doomsday were approaching if we’re prepared for it. Threat data confirms that both nation-state and criminal actors are increasing activity. For example, ransomware attacks have increased by 150%, and DHS is alerting on continued nation-state activity. But we can manage this.
Additionally, corporations need to consider that when so many people are working from home, and the workforce is as spread out as it is now, CISOs are facing demands from all ends, not just cybersecurity demands. There aren’t enough laptops, for example; there are issues around inadequate VPN bandwidth; and there are access challenges for certain systems that were not designed for remote access. One CISO even lamented that “laptops are our toilet paper. We just can’t get what we need right now.”
Last, and potentially most impactful, is the reality that many organizations, while acting with the best of intentions, prioritized the speed of standing up remote operations and the continuity of business activity over tried-and-true security protocols. That may have been prudent during week one or two or even three of the crisis, but where do things stand now? Do the right folks accidentally still have access to the wrong systems?
One of the things we are seeing right now is the importance of viewing cybersecurity in a business context. Job one is to sustain the activities and enable the organization to achieve its mission. That is not new, but many companies are getting a new perspective on the importance of cybersecurity as an enabler for the business. Security and risk leaders need to have the power to frame both cyber risk and cybersecurity controls in a business context. This allows for sound justification for spending and other priorities.
It also means focusing on the new risk priorities stemming from our current operating mode, making sure we are optimizing our controls to address those risks, and achieving the real-time risk visibility the times require. This marks a departure for many organizations that have traditionally relied on periodic assessments that quickly go stale: security and risk leaders can now leverage software and methodology to dynamically evaluate the new cyber risk reality of this operating mode and build the capabilities needed to control it.
Some may think that we will never be able to do enough. Even for organizations that are early in their cybersecurity journey, framing the challenge and the priorities in business terms is perhaps now more critical than ever. But most importantly, what we should all be doing right now is listening to our CISOs, because they’ll get us to the other side, where our information and systems are safe despite growing threats.