How to guarantee Cyber Security Resilience in the contingent pandemic scenario: new challenges for CISOs
Scenario
With the outbreak of the COVID-19 pandemic, Chief Information Security Officers (CISO)had to implement a remote working mode for their staff and consequently manage an enlarged corporate enviroment, which resulted to be more vulnerable to cyber-attacks.
Although we cannot predict whether remote working is going to stay in the long-run or become a permanent solution, CISOs will need to be able to face the contingencies and security issues that come with this new work mode.
The contingent situation
As workplaces and offices start re-opening, organizations need to review their 'return to work' procedures, especially those concerning cyber security. Furthermore, new technologies (i.e. touchless solutions, remote thermal screenings, integrated visitor flow management systems and cloud solutions) are going to become more common within organizations. Although these new tools simplify and ensure that organizations are compliant with post-pandemic measures, they are also more vulnerable to cyber security threats. Therefore, CISOs will need to find new strategies to guarantee cyber security within their organization.
Cyber security perimeter must be redefined
Remote working has increased the level of responsibility of CISOs, who are dealing with new threats as cyber criminals have found new ways to exploit the pandemic.
According to a recent survey conducted by Deloitte, 69% of CISOs expect an increase in the number and size of cyber-attacks over the next 12 months.
In addition, it is more likely that in the near future, that staff will also work from other places such as cafes, hotels, etc... For this reason, cyber security policies will need to be updated and able to face a wide spectrum of cyber-attacks and become more flexible in order to ensure cyber security both at country level and among geopolitical blocks.
Cyber security as lever to improve business
Cyber security should be considered a strategic lever to make companies safer and more competitive. To achieve this, CISOs will need to take a holistic and synergistic approach with all departments to ensure interaction and timely communication..
The ongoing digitalization process - due to COVID-19 - has introduced new vulnerabilities within organizations and CISOs are now urged to successfully ensure business continuity during cyber-attacks and adapt in an agile and flexible way to these erratic situations.
The pandemic and increased emphasis on security mean that CISOs are now seen not only as ’champions’ for cyber security, but also as ’strategic levers’ and innovation ’facilitators’.
CISOs - together with Risk & Business Continuity Managers - should report directly to the Board of Directors and increasingly collaborate with Top Management in order to have cyber security considered at strategical level.
CISOs should also become fundamental partners that can: contribute to business solutions; solve increasingly complex problems; provide product managers and developers with ad hoc support in terms of security by design solutions and products, in order to meet customers’ requirements in terms of privacy and security matters.
due to the digital transformation of entire sectors.
Their advice will be strategic to:
- Adapt products and services created for the post-lockdown phase to an omnichannel scenario.
- Implement security measures that are proactive, pragmatic, and strategic.
- Assessrisk and guarantee business continuity.
Cyber risks need to be carefully monitored. Thus, it is necessary to understand how to ensure security and establish a dialogue with colleagues, customers, and competitors from a continuity perspective. It will be also strategic to explain the to the Board and Top Management that a better management of cyber risk can become an important lever for competitive advantage.
Back to office: how to manage effectively cyber risk
Companies are slowly return to normal operations; however, the transition from remote working back to the office should not be treated lightly. CISOs must evaluate all cyber risks and implications that this phase entails.
During the lockdown phase, remote working has expanded the cyber-attack surface and hackers have exploited the vulnerabilities of home connections and remote working platforms - with an increase in phishing and malware attacks as well as data and credentials hacks.
The Security Operations Centers (SOC) - which were designed to monitor abnormal cyber activities - now operate with reduced visibility because everything looks like ‘abnormal’ cyber activity.
As private organizations have become more vulnerable to cyber-attacks, public sector organizations have been affected by new types of ransomware, such as DDoS aimed at disrupting connectivity.
New cyber security priorities
In the contingent scenario, it is important to define the new cyber security priorities for the months to come.
In the foreseeable future, –CISOs will need to take care of:
- the protection of remote-working employee endpoints through new security policies and by limiting permissions to mitigate cyber threat risks.
- an efficient reaction to network bugs, DDoS attacks, data breaches.
- the implementation of security tools that are instantly configured and prevent cyber threats more efficiently.
Hackers have reinvented their attack approaches during the pandemic. Phishing attacks related to COVID-19, disinformation campaigns, and websites able to launch malware have spread over the Internet to steal personal information. Furthermore cyber hackers have designed multiple websites related to Coronavirus information to trick users into clicking/downloading malicious applications; as a consequence the number of ransomware attacks has also increased, forcing companies to pay a high ransom in order to obtain decryption keys. The average corporate redemption payments increased by 33% in the first quarter of 2020 compared to the fourth quarter of 2019.
The "sanitization" of devices - In the post-lockdown phase, it is suitable to be cautious and protect organizations from possible cyber threats. Therefore, the principles of Risk Management & Business Continuity should be implemented to ensure corporate resilience.
Corporate computers may be targeted by malware, so risks need to be assessed and all necessary continuity measures must be implemented ad hoc. Devices should be checked to prove they are safe, before returning to offices. Furthermore, some employees have brought home corporate IT equipment and their use in a domestic environment could imply exposure to new risks.
In addition, during the ’sanitation’ of devices, it is advisable to:
- implement ad hoc processes and procedures to guarantee cyber security.
- reset passwords, since employees may have shared their laptops and credentials with family or friends.
- avoid the re-use of passwords on new devices at home since it can make them “unsafe”.
- restore the credentials for all the company's devices and software.
It will also be necessary to ensure the monitoring of networks to check for anomalies, plan periodic monitoring activities and increasingly spread the culture of cyber security among the organization.
Desperately looking for qualified personnel
The growing shortage of qualified cybersecurity professionals is another challenge CISOs have to face. It is estimated that the number of unfilled cybersecurity positions will grow to 3.5 million by 2021.
CISOs must remember that traditional technical skills, are just one aspect of cybersecurity, especially as it evolves into a more prominent position within organizations. CISOs should be ‘open minded’ in their recruitment efforts and look at a broad spectrum of backgrounds. Not every position requires a Certified Information Systems Security Professional with extensive accredited experience. Backgrounds in areas such as risk management, business continuity, legal, communications, accounting and other science, technology, engineering, arts and math (STEAM) can facilitate the creation of more well-diversified and inclusive teams that can function, alongside all departments of an organization.
Organizations should also refer to their current employee base to identify who may be ready for a change. Therefore, investment in reskilling employees - who already know the specific business, technology, and processes - could be strategic.
Conclusion
The large-scale adoption of remote working technologies, the exponentially increased use of cloud services and the “explosion” of connectivity have led to paradigm shifts largely impacting on cyber security. In this scenario, CISOs must guarantee a critical balance between security and privacy, uptime, and market, as well as costs and convenience.
Now more than ever Cyber security is a key component of the business model and culture. CISOs will have to work to ensure that:
- Cyber-skilled professionals are guaranteed.
- Resource roles and responsibilities are defined and communicated at all organizational levels.
- Top Management understands the cyber security risks that the company must manage.
- Technology solutions are designed, integrated and managed taking into account regulatory aspects in terms of security and privacy.
- The company encourages the adoption of safety and cyber security procedures and identification of ad hoc technologic tools to implement.
- Third-party risks are managed effectively.
It will also be crucial - in conjunction with Risk & Business Continuity Managers and other corporate security functions - to update and implement response and business continuity plans to ensure the transition to the "new normal".
By adopting a holistic approach, CISOs will be able to facilitate collaboration among the different departments and support the organization in managing cyber risks and guaranteeing security and business continuity, while meeting corporate stakeholders’ obligations. Therefore, organizations’ goal is resilience, conceived as a result of a calibrated process of prevention, adaptation and "metabolization" of past experiences.
More on
About the author
Federica Livelli
Business Continuity & Risk Management Consultant
She is a Business Continuity & Risk Management consultant and Training Center Director at BeDisruptive Consultant.
She carries out activities aiming at improving awarness and development of resilience culture at various institutions and universities in Italy and abroad (POLIMI-BOCCONI University, University of Cagliari, Environmental Master University of Padua, LIUC University at Castellanza, SUPSI Lugano, University of Genoa).
Member of BCI Italy Chapter and ANRA (Italian Association of Risk Manager& Insurance Manager) board; Scientific Committee of CLUSIT (Italian Association for Cyber Security), CLUSIT HEALTH Committee, CLUSIT Artificial Intelligence Commmittee ; FERMA (Federation of European Risk Management Associations) Digital Committee.
Speaker and moderator in various national and international seminars and conferences.
Author of numerous articles ref. various online magazines and publications in Italy and abroad.
"Organizations - to survive in the increasingly complex and erratic context arising from the pandemic and characterized by geopolitical and economic crises, ongoing conflicts, cyber-attacks and supply chain disruption must treasure the lessons learned. That is, they need to invest more in resilience, at all levels and create a more flexible and secure ecosystem, able to anticipate, resist and recover from adverse and unexpected events that can compromise the organization's operations.
In fact, it is a matter of building a resilient, "antifragile" business model that presupposes the adoption of strategic disciplines such as risk management, business continuity and cyber security in an increasingly data-driven world.
The scenarios in which we find ourselves living require a sudden response and structured resilience. We can no longer wait for the unexpected, it's time to be proactive and anticipate it!"
