Chronicles of the New Normal: Cybersecurity
Let us imagine we are in 2021, and the world has left behind the worst of the Covid-19 pandemic. No doubt, life has changed, and governments, companies and individuals are adapting to a “new normal.”
Our Chronicles series will help readers understand what is likely to be different in a post-Covid-19 world. We will also look at how players in the payments ecosystem are already adapting today to successfully emerge from this unprecedented shock to the economy and our daily lives.
This week we’re looking at cybersecurity. Consider the word “resilience.” It describes someone or something that comes back stronger after a setback. In 2020, that setback is Covid-19.
While human resilience is remarkable, the information technology (IT) systems that connect us are still built on a patchwork of tools, technology, software and us, the humans—the glue that holds it all together.
As much as Covid-19 has impacted humankind, it has also impacted IT. With the shift to the new norm, it will be critical that cyber leaders understand how the world has changed and where it is headed.
A key cyber tenet has always been to reduce the attack surface. With the second wave of the virus in several countries, more companies have no option but to accelerate their digital transformations to serve their clients and employees. Many of the services employees used to access from their offices are now reached through new channels. In the new normal the enterprise’s “four walls” no longer mark a boundary, and the attack surface is therefore much larger.
While Covid-19 has changed daily lives and habits, from a cybersecurity perspective, the landscape has not changed. The attackers are more varied, attack in higher numbers and use various channels, but their objectives remain disruption of services and economic damage or financial gain.
Cyber risk needs to be identified and quantified, and mitigation strategies need to be developed. In our experience, we have seen an average of 47 distinct cyber products in a corporate environment, and the challenge is how to extend them to the much larger attack surface. Most of these products were not designed for this scale.
Good cyber hygiene leads to reductions in viruses and infections and protects against cyber attacks. Companies need to:
Protect data assets by quantifying cyber risks
Prioritize cybersecurity initiatives based on a risk/return calculation
Practice for the breach – because it will likely happen
Prevent the attack by enabling employees and contractors to become the first line of defense
These concepts are not new, and most organizations have adopted elements of them. The agility with which organizations implement these four P’s will determine how accurately they can measure, forecast and manage risk. This is the difference between those that overcome cyber attacks and become resilient, and those that are overcome by them.
Protect your Data Assets
Organizations need data to function and have been amassing terabytes of data about everything, often not knowing whether they actually need it. Companies rely on various technologies and processes to manage the data, although they're limited and not uniform. As organizations have begun to recognize the value of data, so too have the cyber attackers.
Organizations have tapped into several controls, developed policies for privacy and reported their regulatory compliance in data protection. But the controls don’t define the value of what is being protected. As a result, the configuration of those controls is mostly ineffective.
As organizations adapt to the new norm, understanding a business’ critical processes is required to update or establish their data strategies. A data strategy identifies how data should be used in responsible ways to achieve operational outcomes. Classification, collection, storage, user access, rights and privileges should be revised to fit the new consumption model.
Data stewards should also evaluate data access for their predominantly remote workforce and how it can be made more role-based, time-based and purposeful, with proper data leakage monitoring and prevention capabilities. Sensitive data needs to be stored in approved and monitored locations – especially when remote locations are not as secure as an office.
The new normal requires a clear definition of governance and review processes to ensure proper checks are in place throughout the data’s lifecycle. This will protect it physically (storage, backups, portability) and virtually (access, usage, encryption). The new normal also requires companies to reevaluate how they classify and access data—it must be readily available to maintain business as normal, but with greater controls to ensure responsible and governed use. Businesses must keep functioning while also protecting their data, and must not risk long-term viability for short-term convenience.
The updated strategy should be adapted sequentially and periodically to ensure the functions of data governance, privacy and data management remain aligned and tied to new requirements in technology and needed controls.
Proper data stewardship leads to fewer cyber breaches, cost efficiencies and opportunities to optimize responsible data usage for new business opportunities or improved monetization. Richer data enables analytics, automation and enhances the business’ operations and services.
Prioritize Cybersecurity Initiatives
Cyber incidents and crimes may continue to climb for two reasons: cybercrime has traditionally increased in economic downturns, and cyber incidents and crimes rise when there is a shift in technology. Cyber leaders should understand their business’ risks by understanding five elements:
Which cyber threats are most relevant given the existing defensive landscape, as defined by the current and new technologies protecting business assets?
Do the third parties that support the business have security practices in line with the organization’s requirements?
Are the deployed controls (prevent, detect and respond) effective given the business’s changing needs?
Are the employees, contractors and supply-chain partners adequately prepared to identify threats and attacks and understand good cyber hygiene?
For each control deployed, what is the return on investment, measured in viruses detected and risk reduced?
Cyber practitioners will need to make difficult choices about resource allocation. Keeping the business and its users secure and maintaining client trust should be key principles that drive their security program’s structure, vision and mission.
Cybersecurity and IT programs will need to shift their focus from longer-term, multi-year projects to tactically reviewing operational performance based on managing cyber risk. Enabling a secure, remote workforce will be a primary area of focus. Using more laptops versus office-based desktops, extending virtual private network (VPN) capacity and enabling collaboration capabilities have become a higher priority. Cost reductions driven by automation, SaaS solutions and business process outsourcing are being reconsidered. This is happening as chief security officers, especially in mid- to small-tier businesses, expect their budgets to be impacted by business cycles and revenue changes.
As budgets and staff are cut, companies often de-prioritize cyber-hygiene tasks such as hardening, patching, removing old technologies and clean-up activities (users, rules). For the rest of 2020, and going into 2021 and 2022, cybersecurity leaders need to stay focused on managing their cyber risk. These elements are not static, so cyber practitioners also need to review these periodically, make adjustments and communicate changes so resources can be allocated for peak effectiveness.
Practice for the Breach
Cyber incidents and data breaches will happen. It’s always been important to have a cyber incident and breach response program, but in the new normal, it has become even more important. The flurry of changes could result in gaps due to resources, timeline, integration constraints and location. Cyber criminals are anxiously waiting and aggressively pursuing opportunities to exploit weaknesses during this tumultuous and uncertain period. Practicing responses to breaches is more important now because of the increased likelihood of events. Exposure is higher because of a much larger attack surface and the impact on the business.
Recognizing that organizations cannot be vigilant at every moment, businesses need to identify potential scenarios to prepare for and then actively practice the tasks that drive a rapid and coordinated response.
Identification and quantification of cyber risk are foundational to mounting an effective response. Integrating threat intelligence, threat and vulnerability data and human resource preparedness will help define which risks are the highest priority, which can be mitigated, and which require active preparation for response.
Transferring cyber risk through cyber insurance is growing and is an important mechanism to ensure business continuity, especially for small and medium-sized businesses. Without this coverage, many SMBs could fail because of the exorbitant costs of a breach. The economic impact of cyber crime is larger than the world’s third-largest economy, and business failure is one of the contributors to that statistic.
The incident and crisis response plan traditionally covers not only the technical response but also the management components. In the case of an attack, the IT and cyber teams will be consumed with stopping the attack and restoring service. Customer communication is critical, especially now as digital services have become the norm. During a crisis, documented processes and roles need to be practiced. A botched response could damage trust and turn off customers.
Incident response and crisis management are among the most difficult functions to launch. They’re now even more challenging with remote workforces. Having documented processes, clearly defined roles and responsibilities, and pre-developed messaging tied to different scenarios can result in a much more coordinated response. The process should be regularly tested, drilled and refined as risk exposures and profiles are updated.
Prevent the Attack Through your People
Errors occur when people don’t know good cyber practices, aren’t aware of the impact of their actions, and are asked to take on new processes while working in remote, non-standardized environments.
With the corporate attack surface now intermingling with home wi-fi networks and devices, previously overlooked security gaps need to be addressed by corporate security teams, and proper guidance needs to be provided to employees. Organizations are also responsible for informing their customers about good security practices when accessing their services.
The first step for businesses is to educate their workforces on cybersecurity basics. This includes understanding the company’s assets and how they are protected, the role employees play in protecting the business, as well as their roles and responsibilities. Most companies deliver cybersecurity awareness training as part of their new employee onboarding, and once a year to re-certify the user. The challenge with this approach is that after the training, staff revert to practices that let them work with as few restrictions as possible.
Good cyber behavior comes from continuous feedback and personalization of training content because all users think, function and act independently. Personalization, based on automated and timely feedback, helps employees retain more information. Cyber awareness programs need to provide in-the-moment feedback, tied to corporate policy, and based on the individual’s behavior.
When an organization trains its workforce to think securely before acting, this human factor, often seen as a security weak point, can be turned into a defensive asset.
While much has changed in how we work, basic cybersecurity tenets remain the same. Organizations need to follow good cyber hygiene as they adopt digital transformation and adapt to new norms. Here are key takeaways to stay ahead:
Businesses can manage the attack surface and prevent their assets from being exposed by understanding and managing the data.
By prioritizing cybersecurity projects based on the dynamic threat landscape, companies can reduce business risks.
Organizations can reduce the recovery time and associated costs when they practice how to handle a cyber incident and breach.
By training employees to be cyber aware, companies can prevent attacks.
Of course, these recommendations are broad, and every challenge and every organization is different. For more guidance on adapting to the evolution of cybersecurity needs within your business, reach out to Fabrizio Burlando or Raul Escribano. Have a question or suggestion for the Chronicles from the New Normal team? Send us a note.