The COVID-19 outbreak has stricken communities across the globe. The coronavirus’ rapid geographical spread has caught the world off-guard, with major implications for personal health, business continuity and the world economic order. But at the same time, it has spurred businesses to new heights of technological innovation, compelling organisations to be more reliant on technology than ever. Behind the headlines, several fundamental shifts have occurred, one of the foremost areas being cybersecurity, whose implications extend far beyond the crisis.
With a large percentage of the population having transitioned to remote working set-ups, the attack surface has expanded drastically, exposing technical vulnerabilities and risks that threaten an organisation’s security. The abrupt shutdown of security monitoring centres in affected areas has worsened the situation further, with many businesses being hit by cyberattacks that compromise sensitive data.
EY’s cybersecurity team anchored a series of in-depth virtual sessions with more than 1,200 Chief Information Officers (CIOs), Chief Information Security Officers (CISOs), Chief Risk Officers (CROs), and Chief Data Officers (CDOs) from across the country, mainly to understand the critical challenges they face in responding to the crisis while maintaining a cyber-secure posture. It was observed that technology filled the gaps of ‘the new remote-working culture’, coupled with the gradual transition from work-life balance to work-life integration. Furthermore, enabling safe remote working environments for employees has been a critical shift for most organisations since the pandemic began.
While most CIOs have clear foresight on how their organisation will settle into the new normal, they are also coping with safeguarding every perimeter from attack. Organisations are facing multiple challenges: from ensuring business continuity while containing the crisis to institutionalising novel ways of working and using the learnings from the disaster to enable technology transformation.
Given the current situation, here are a few questions that CIOs or key decision-makers must ask themselves in order to strengthen their organisation’s cybersecurity posture and navigate these uncertain times.
As the reliance on digital continues to proliferate, how can organisations adequately address emerging cybersecurity and privacy risks?
It is prudent to revisit the security challenges, make risk monitoring a continuous process, and keep tweaking every process of innovation to bring operational efficiencies to working from home. It is also important to inculcate a thorough sense of responsibility and ownership among employees so that they stay vigilant and alert while working remotely as they settle into the new normal. Be accountable and responsible for every action, as safety and security are everyone’s responsibility, particularly by enhancing robust controls on BYOD and remote working policies, and make intelligent and sensible technology investments that give a better ROI and TCO.
What are the leading practices in ensuring cybersecurity and resilience in the context of a converged IT environment?
The new normal is to build innovative, buoyant infrastructure, with resilient processes and support mechanisms for remote crisis management workers, who will continue to do business as usual no matter what circumstances may arise in the next phase and beyond. Organisations will make use of advanced models of machine learning (ML) and artificial intelligence (AI) as a new reasonable standard to measure WFH and BYOD security with better productivity and usage efficiencies.
Meticulous, just-in-time, role-based situational awareness training will allow seamless progression of business as usual, with appropriate risk measurements and restricted controls that safeguard against data pilferage, data theft and data leakage and ensure visibility, micro-segmentation and zero trust in the new normal work culture and its cyber hygiene. If there was ever a time in history when executive leadership was required to manage this potent threat of a converged IT environment, it is now.
Does your organisation have the mechanisms to detect and report cyber risks to the C-suite and the board?
Every CXO should express senior leadership’s unwavering commitment to maintaining a cyber-resilient enterprise by upholding the precepts of the cyber-risk appetite statement and consistently reinforcing the importance of cyber-risk governance. Introducing cybersecurity awareness programs for senior executives should be regularly considered and assessed as part of the organisation’s phishing campaigns or by conducting various social engineering tests.
The introduction of proactive bug bounty programs can lead to a much shorter turn-around time in detecting and reporting any known anomalies in remote working set-ups. Senior leaders should actively participate in significant cybersecurity drills. Doing so will keep them informed of their cybersecurity preparedness, as well as send a powerful message to staff that they are putting their money where their mouth is. To inspire sustained transformation, senior business officers must practice what they preach, and they need to commit to cybersecurity programs fully and wholeheartedly.
In summary, the pandemic has brought the CIO’s principal capability to centre stage, allowing them to create ‘business value’ and enhance ‘business enablement’ efforts adequately. As organisations move to the beyond phase, it is important to prioritise speed of delivery and customer experience while building agility and turning the new normal of work from home (WFH) into Productive from Home (PFH).
—Burgess Cooper, Partner – Cybersecurity, EY. Burzin Bharucha, Manager – Cybersecurity, EY also contributed to the article. The views expressed are personal