COVID-19 has forced us to transform the way we work — projects which might have taken a year have been driven through in weeks. Pragmatism has become the rule, and if we’re frank, companies have taken security risks that they might never have accepted in other circumstances.
Organized crime groups have shown themselves ruthless and entrepreneurial in exploiting fear, uncertainty and doubt over COVID-19, repurposing phishing and attack infrastructure to build out COVID-19 fake websites and scams. States themselves have adapted their own cyber espionage tactics. Any early promises that the health sector and national responses to COVID-19 might be saved from such attacks have long since evaporated.
We already have evidence that ransomware is more likely on the network of US company employees working from home than on the normal (and rather better protected) corporate systems. Ransomware was already shifting to more targeted and effective exploitation models, with double extortion attacks involving the stealing of data (for blackmail purposes) becoming more common. At the same time, attackers made greater efforts to locate and encrypt online backups.
The risk teams in financial firms have become increasingly concerned about just how many security waivers were granted in the rapid response to COVID-19. In particular, insider threats are worrying them — from call-center workers working from home stealing customer card details, to investment traders colluding absent the watchful eye of their supervisors, to a high level of churn and redundancies as firms come under stress and state support packages draw to a close.
For many firms, distress is on the horizon as demand declines, supply chains are disrupted and the cost of debt increases as existing corporate paper expires in challenging market conditions. For sectors such as aviation, oil and gas, conventional retail and hospitality, the impact may be extreme, leading to aggressive cost reduction, restructuring and liquidation. In others, business models are changing faster than expected to embrace digital channels, cloud services and embed home working, the latter with an eye to associated cost savings from property footprint reduction.
First of all, companies are playing catch up. That means re-establishing effective controls over new working models — and of course, a new hybrid home and office working model. This involves more effective email and web security, dealing with a backlog of patches, rolling out more robust (ideally two factor) authentication for remote access, checking our cloud security configurations and looking out for the shadow IT created in the crisis period. Basically, getting companies onto a stable model for the future.
Part of that catch up is reviewing security detection and fraud control algorithms, updating them to the new reality of working models. This includes thinking about how to implement alternative controls where necessary, for example monitoring call center worker access patterns more intently when working from home.
Second comes the review of resilience. Do you know where your supply chains might fail and do you need to review the risk ratings for suppliers given that some sectors are under stress? Have you come to rely on your fallback systems (e.g., virtual desktops) as your primary infrastructure and has that introduced new points of failure? What if you have a cyber attack, technology outage or supply chain issue in the middle of dealing with the extended impact of COVID-19? What can you expect next from regulators, particularly in the financial sector?
There are some lessons around resilience from COVID-19. It has forced companies to rethink business models to deal with changes in working patterns, customer demand and supply arrangements. Companies have a clearer idea of who and what matters to their businesses, whether described as critical business processes or key individuals. They’ve been forced to invoke (or create) crisis management arrangements and to do so with pace and agility. All of these lessons matter for the future, and we should take time to remember and embed them into future operating models.
Third comes the challenge of securing a firm under stress. As government furlough and support schemes expire, companies may see considerable employee redundancies, restructuring, asset disposal and even liquidation in stressed sectors. They’ll need an effective leavers process; they’ll have to deal with a heightened insider threat from disgruntled employees; they’ll have to advise on secure disposal of assets. And they’ll have to try and maintain security when legacy system IT budgets are under pressure.
Many firms will likely move to a different workforce model, an extension of the so-called ‘gig’ economy, perhaps. That involves a more fluid mix of a smaller permanent employee core — augmented by contractors and temporary employees, more use of managed service models and a more complex ecosystem of suppliers. All of this pushes towards newer security models of federated identity and zero trust, which provide a measure of confidence when operating over untrusted networks and infrastructure.
Of course, the challenge of cost reduction may come the CISO’s way too, reducing the cost of security. Many firms are already looking for cost reductions across any functions seen as ‘overhead’. Is that really the right model for cyber security, or should they look at cyber security differently, as a key enabler for corporate transformation, one which is integral to operating securely in the digital and cloud environment?
So the hunt will be on for cyber security orchestration opportunities, for robotic process automation around manual security processes, for more integration with key IT workflows, for new managed service and delivery models. There’s an opportunity to rethink cyber security and to look at embedding it into core processes such as the DevOps process around cloud application development. Third party security may also need new models for more dynamic risk management and scoring, including better tracking of supply chain stresses.
But amongst all of this are opportunities. Firms may still find funding for the transformation programs they need to survive, and that may mean digital and e-commerce, cloud and automation. If security is an element of transformation, then we have a genuine opportunity to embed cyber security and privacy by design, creating that part of the future.
We have many months of uncertainty ahead, but I remain an optimist. The COVID-19 challenge has taught us one other lesson. It has shown us the power of community. The cyber security community has come together to deal with organized cyber crime during COVID-19. We’ve shown ourselves to be agile and pragmatic and we’ve adapted. Let’s not forget those achievements, and let’s embed them into a future where COVID-19 has hopefully become a distant memory.