COVID-19 has presented several challenges to the ways businesses conduct their operations, resulting in fast-tracked change. However, the need for robust cyber security measures and a constant review of the threat landscape has not changed: it is arguably more important than ever.
Cyber risks arise in many ways, from opportunistic or organised threat actors through to inadvertent or accidental security failings. These risks are more acute at times of societal and organisational vulnerability.
Cyber criminals are looking to exploit newfound vulnerabilities. This can manifest itself in obvious ways (through phishing scams designed to capitalise on the demand for COVID-19 related content) or in ways that are much more difficult to detect (leveraging vulnerable operating models and/or inadequate technology solutions).
Organisations (and supply chains) are potentially, and unknowingly, exposed to cyber risks as they adjust to new ways of working.
By now, businesses may be several weeks into their remote working set ups. Many will have already navigated the challenges of employees connecting to work IT environments through home wifi and corporate VPNs. In some cases organisations have had to manage many thousands of employees.
It remains crucial to ensure VPN bandwidth can support an organisation’s business functions. Not only to ensure ongoing availability and functionality, but to avoid people potentially abandoning secure connections and sending potentially sensitive information through unsecure home networks or personal email addresses.
Implementing multi-factor authentication is also important, particularly when using cloud-based applications. As people may be working more flexibly (both in terms of location and time), cyber security teams, both internal and external, will need to be available around the clock to monitor anomalies.
In many respects, organisations have been managing this risk for a number of years, particularly as remote and flexible working arrangements become the norm. However, the incredible pace of change (in response to the COVID-19 measures) can leave some organisations ‘catching up’ at a challenging time.
Once critical remote setup considerations are addressed, it is appropriate to sense check changes to the organisation’s security landscape. Business continuity and incident response plans should be revisited and retested against the new operating environment.
Third party supply arrangements should also be stress tested, given outsourced arrangements are often inextricably linked with internal business support or customer delivery.
As management moves to a more ‘regular’ rhythm, it may be possible to reallocate resources to ensure this review occurs. Any review should include assessment of back-up plans for responding to single points of failure — be it people, processes or technology. Reviewing who has access (and whether they need it), as well as mapping the security architecture may be needed to identify operational gaps.
Regrettably, breach response plans may also become more important as time progresses, so response organisations can address contractual and regulatory obligations.
IT security teams must remain attuned to the new threats that are emerging during the pandemic.
Threat intelligence should be extended to include COVID-19 activity. In many respects, organisations need to rely on government and government agencies to facilitate. Threat intelligence sharing initiatives are likely to become increasingly important, and we expect renewed focus in this regard.
Importantly, communicate regularly — and effectively — with your workforce. Transparency and ongoing education about the nature, type and extent of threats can be incredibly valuable. While challenging, we need increased vigilance at a time when many organisations are distracted, stressed and adapting to change.
These are just some of the ways businesses can prepare, and stay on top of, a challenging and evolving risk landscape. As we move through these uncertain times, it is likely that new technology adoption (balancing increased mobility with increased security) will accelerate. Relatively simple steps now can create immeasurable and immediate benefits.
Here are a few key considerations to take as you navigate your business through the early stages of operating in the time of COVID-19.
© 2017 - 2022 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details. Liability limited by a scheme approved under Professional Standards Legislation.