
Vigilance is critical

Cyber criminals never let a crisis go to waste. Directors must take the lead as working life enters a new normal.

By Peter Bailey, Aura Information Security
10 Jun 2020
Author: Peter Bailey, Aura Information Security General Manager

While companies are focussing on the unprecedented challenges presented by COVID-19, we are seeing opportunistic cyber-attacks around the world taking advantage of vulnerabilities and striking while attention is diverted to more pressing matters.

Cyber criminals will never play by the rule book; it's simply not in their DNA. Their hacking is almost always driven by the opportunity to make money whenever that presents itself, and they have a callous disregard for plain decency in pursuing that goal.

Among the more disturbing hacking attempts in recent weeks have been attacks on the World Health Organisation, the US Health and Human Services Department, and a hospital in the Czech Republic.

Companies should take no comfort in an alleged pledge from some hackers that they’ll stop attacks on healthcare facilities while the world struggles to manage the current coronavirus outbreak. I almost guarantee healthcare facilities, like all institutions, will remain a target. Remember, if you’re online, you’re vulnerable.

That is why, in times of crisis, maintaining cyber vigilance is absolutely critical. Unfortunately, when you are under pressure and your guard is lowered, you can suddenly find yourself falling into an avoidable trap.

In New Zealand we are already seeing the emergence of sophisticated coronavirus-themed phishing emails, ranging from purported communications from the IRD to fake requests from health providers or other authorities.

Changing work landscape

The changing work landscape is presenting a new set of cyber-security risks companies need to urgently think about. While for many companies working from home has long been an option, it is now the new normal, at least for the short term.

The more likely scenario is that flexible working arrangements will become a permanent feature of the work environment in the post-COVID-19 world, and this means significant numbers of workers might spend much less time working in the office.

We are already seeing some leading technology firms adapting to the practice. Twitter’s head of human resources Jennifer Christie explains: “People who were reticent to work remotely will find that they really thrive that way. Managers who didn’t think they could manage teams that were remote will have a different perspective. I do think we won’t go back.”

From a cyber security perspective this has huge implications for how systems are configured, accessed and hardened. Chances are that right now many systems will be particularly vulnerable, given the race that many companies took to set up their remote working solutions.

Along with that haste to get up and operating quickly, standard processes may have been bypassed. Many companies are likely using workarounds like personal email addresses, Dropbox or OneDrive folders instead of their usual approved and secure methods of accessing, using and sharing information.

Positioning for a new normal

If this is the new normal, a re-examination of how to protect systems and data is required and directors must take the lead. This includes re-examining your overall risk strategy and how you extend your current cybersecurity measures and practices into the homes of your employees.

Good information technology security policies must start with a focus on people first. Employee understanding and buy-in is the critical first line of defence in maintaining cyber security, but now that homes are essentially part of the work environment for growing numbers of employees, we need to ask how we ensure the buy-in extends out of the office and into the living room. Process also requires attention.

Take the time to re-examine how business policy and procedures apply to remote workers en masse and ensure you have the technology components to keep all these remote connections secure.

Fragility and resilience

COVID-19 is causing major disruption to business and will make many organisations more fragile than usual, increasing the risk of successful cyber-attacks occurring. Acknowledging this can help you prepare.

Resilience relies on adjusting your defences accordingly. A useful starting point is scenario planning to test your vulnerability in this new environment. Make sure you include understanding the potential cost of an attack. This helps to clearly quantify the risk to your organisation and provides the justification for appropriate mitigation strategies.

Be honest. The introduction of mandatory reporting of successful attacks (notifiable breaches) in Australia serves as a good example that successful recovery depends on being forthright not only with authorities but also with your teams. Put plainly, the best approach for a successful recovery from an attack is openness.

It’s important to include recovery in your planning. If the worst happens, it’s important to have a clear strategy in place to help you navigate the pathway forward rather than starting with a blank sheet of paper. Your recovery plan should include contingency measures for remote working, as well as good backup support and restoration systems, and potentially communications and legal support.

What should the board ask of the CISO?

Directors should be asking their executive team, and the chief information security officer (CISO) in particular, to define the actions that will be taken if your business is breached. Agree on what metrics the CISO should present when reporting back to the board and define how the business will quantify whether the situation is being well managed.

Third-party risk must also be examined. The CISO should conduct robust, independent testing with partners, customers and suppliers you have strong links with to help determine where they may also have security flaws. A regular table-top simulated exercise with the board will help build team strength and resilience in preparation for an attack.

Remember, cyber criminals do not play by the rule book. The best you can do right now is prepare up front, and ensure your systems are secure while employees work from home. While an attack may be unavoidable, you can minimise the impact with a good, well-planned response.
This article is featured in Boardroom April May 2020 issue