Covid-19 has transformed the way we work in the Channel Islands — projects which might have taken a year have been driven through in weeks. Pragmatism has become the rule, and if we are frank, companies have taken security risks that they might never have accepted in other circumstances. For example, purchasing laptops for the Islands has been difficult, and there are cases of employees being asked to use their own devices for work.
On the other hand, organised crime groups have been ruthless and entrepreneurial in exploiting fear, uncertainty and doubt over Covid-19 — repurposing phishing and attack infrastructure to build out fake Covid-19 websites and scams. Nation states have adapted their own cyber espionage tactics. Any early promises that the health sector and national responses to Covid-19 might be spared from such attacks have long since evaporated.
We already have evidence that ransomware is more likely on the networks of employees working from home than on the normal (and rather better protected) corporate systems. Ransomware was already shifting to more targeted and effective exploitation models, with double extortion attacks involving the theft of data (for blackmail purposes) becoming more common. At the same time, attackers made greater efforts to locate and encrypt online backups.
Cyber security risk has increased, at least in the short term
The risk teams in financial firms have become increasingly concerned about just how many security waivers were granted in the rapid response to Covid-19. Third parties given direct and unmonitored access to our systems to ensure rapid response in case of another disaster, staff using their own devices with no firewalls, and the removal of two-factor authentication are some of the examples we’ve seen in the CI. Thankfully, a lower level of insider threat, resulting from lower levels of redundancies, is a more positive sign for the Islands.
How to catch up to the new reality?
First of all, businesses are playing catch-up. That means re-establishing effective controls over new working models — and of course, a new hybrid home and office working model. This involves more effective email and web security, dealing with a backlog of patches, rolling out more robust (ideally two-factor) authentication for remote access, checking our cloud security configurations, looking out for the shadow IT created in the crisis period and making sure the work can be carried out over home broadband, especially in Guernsey where fibre is not yet an option. Basically, ensuring companies are on a stable footing for the future.
Part of that catch-up is reviewing security detection and fraud control algorithms, updating them to the new reality of working models. This includes thinking about how to implement alternative controls where necessary, for example monitoring staff access patterns more intently when working from home.
Learning some hard lessons around resilience
Second comes the review of resilience. Do you know where your service providers might fail, and do you need to review their risk ratings given that some sectors are under stress? Have you come to rely on your fallback systems, such as virtual desktops, as your primary infrastructure, and has that introduced new points of failure? What if you have a cyber attack, technology outage or supply chain issue in the middle of dealing with the extended impact of Covid-19?
Covid-19 has forced companies to rethink business models to deal with changes in working patterns, customer demand and supply arrangements. Companies have a clearer idea of who and what matters to their businesses whether described as critical business processes or key individuals. They have been forced to invoke (or create) crisis management arrangements and to do so with pace and agility. All of these lessons matter for the future, and we should take time to remember and embed them into future operating models.
Staying secure as stresses build
Third comes the challenge of securing a firm under stress. As government support schemes expire, companies may unfortunately see employee redundancies, restructuring, and even liquidation in stressed sectors. They will need an effective leavers process; they will have to deal with a heightened insider threat from disgruntled employees and contractors; they will have to advise on the secure disposal of assets. And they will have to try to maintain security when legacy system IT budgets are under pressure.
Many firms will likely move to a different workforce model, an extension of the so-called ‘gig’ economy, perhaps. That involves a more fluid mix of a smaller permanent employee core — augmented by contractors and temporary employees, more use of managed service models and a more complex ecosystem of suppliers. All of this pushes towards newer security models of federated identity and zero trust, which provide a measure of confidence when operating over untrusted networks and infrastructure.
Cyber security teams will likely be under scrutiny too
Of course, the challenge of cost reduction will come the CISO’s (or COO’s) way too, in the form of reducing the cost of security. Many firms are already looking for cost reductions across any functions seen as ‘overhead’. In the CI economy, dominated by finance and supporting industries, considering security as an overhead could be damaging for us all. The GFSC seem to be supportive of this claim, considering the upcoming cyber regulation.
However, cost reductions will clearly be required. So the hunt will be on for:
— cyber security orchestration opportunities,
— robotic process automation around manual security processes,
— more integration with IT key workflows, and
— new managed service and delivery models.
There is an opportunity to rethink cyber security and to look at embedding it into core processes. Third-party security may also need new models for more dynamic risk management and scoring, including better tracking of supply chain stresses.
But amongst all of this are opportunities. Firms may still find funding for the transformation programs they need to survive, and that may mean digital and e-commerce, cloud and automation. If security is an element of transformation, then we have a genuine opportunity to embed cyber security and privacy by design, creating that part of the future.
We have many months of uncertainty ahead, but we should remain optimistic. Each challenge is also an opportunity to learn and to grow. So far we’ve learned that we’re agile and pragmatic and that we can successfully adapt. Let’s not forget those achievements, and let’s embed them into a future where Covid-19 has hopefully become a distant memory.