By: Rico Brandenburg and Paul Mee
This article was first published in MIT Sloan Management Review on July 23, 2020.
Employees are starting to return to offices as countries begin to ease COVID-19-induced lockdowns and lift stay-at-home orders. But as uncertainty related to the pandemic lingers, many organizations are choosing to maintain semi-remote, virtual workplaces over the next 12 to 18 months — and possibly for good. Facebook is allowing employees to work from home permanently, while Canadian e-commerce platform Shopify announced that it is becoming “digital by default.”
Organizations have rapidly shifted to semi-remote working arrangements and thus they must be equally speedy in mitigating the cyber risks created by the expanded “attack surfaces” that have accompanied the “work anywhere” operating models.
To take on the new cybersecurity challenges of this virtual working environment, organizations must understand the changes in their cybersecurity risk profile and revamp their strategies, training, and exercises to address these changes. Otherwise, the current better-than-expected outcome of the rapid shift to “work from home” may not succeed in the longer term.
The New Cyber Normal
In the spirit of “never letting a good crisis go to waste,” organizations will, and should, rapidly redefine their new operating model. Five key factors drive the cybersecurity risk implications in this new, likely semi-remote, working environment. Organizations should keep these factors in mind when defining how to adjust their cybersecurity risk programs.
1. An increasing number of cyberattacks.
Since the COVID-19 outbreak began, the number of cyberattacks has soared as hackers have exploited a greater number of weakly protected back doors into corporate systems as well as the human distraction caused by COVID-19-related events. The FBI is receiving 3,000 to 4,000 cybersecurity complaints daily, up from 1,000 prior to the pandemic. Hackers continue to target key industries such as health care, manufacturing, financial services, and public sector organizations like the World Health Organization. Banks are now fending off nearly three times as many cyberattacks as cyber criminals flood employees’ inboxes with COVID-19-related phishing emails, often attaching seemingly innocuous files designed to lure unsuspecting employees into executing malware.
2. Changing attack surfaces.
The shift to using new teleworking infrastructure and processes may lead to the undetected exploitation of vulnerabilities in existing remote work technologies. Security agencies in both the United States and the United Kingdom have warned that a growing number of cyber criminals are targeting individuals and organizations with malware. In addition, cyber risks via business partners and third parties are increasing as well. It is hard enough to prepare internally for a semi-remote working environment but even harder to verify the preparedness of vendors ranging from IT service providers to business process outsourcing firms to law firms.
3. Distracted workforces.
A vast number of successful cyberattacks are caused by human error, including an estimated 90% of such attacks in the U.K. in 2019. Increasingly preoccupied by greater personal and financial stress at home, employees are more vulnerable to cyberthreats and “social engineering” cyberattacks designed to trick them into revealing sensitive information. As homebound employees become less vigilant in their cyber hygiene, the volume of successful attacks that result from human error may further increase.
4. Unanticipated staff shortages.
Workforces are stretched thin as employees (including cybersecurity professionals) call in sick or take time off to care for dependents, further harming organizational abilities to respond to cyberthreats. Many employees who found working from home more productive before the pandemic now juggle forced isolation, loneliness, limited privacy, and new demands related to children’s schooling and care at home, resulting in lower productivity. Since mass work from home began during the coronavirus outbreak, self-reported data in the United States shows decreased productivity across industries, with 11% of professional and office workers and 17% of industrial and manual service workers reporting lower productivity.
5. Multi-stress environment.
Security teams are operating in an unprecedented environment in which multiple crises are constantly arising, each demanding significant attention from cybersecurity and management teams. COVID-19-related challenges will be the baseline for the foreseeable future. Of course, organizations still have to manage through other crises and stress events, like hurricanes, forest fires, or widespread protests as recently observed in the United States.
Assess Your Changing Cybersecurity Risk Profile
As organizations transition to the new ways of working, the resulting changes to the company’s cybersecurity risk profiles must be repeatedly assessed and monitored so that they can be actively managed, prioritized, and mitigated.
The list of entry points for attacks as a result of far-flung workplaces keeps growing. Bad actors can openly record sensitive customer information shared with customer service employees taking service calls on their mobile phones at home, instead of in highly secure and monitored call centers. Inadequately tested new technologies and digital products rapidly deployed to meet customer needs during the pandemic, like customer service chatbots and Paycheck Protection Program applications could inadvertently introduce new threats. Remote working operations of interconnected vendors and customers further amplify organizational risk. Cybersecurity teams are now forced to virtually mobilize and coordinate multidisciplinary teams to mitigate potentially complex attacks.
Adjust Your Cyber Strategy
Based on this risk assessment, teams of risk management, business, and security personnel should work together to reevaluate cybersecurity budgets and prioritize investments to improve a company’s cyber resilience in line with its risk tolerance.
Start with stopgap measures that can be implemented immediately, such as revising existing cyber risk guidelines, requirements, and controls on how employees access data and communicate with a company’s network. Rules of behavior analytics need to be adjusted to consider changes to the “normal” behavior of employees, many of whom now work outside standard business hours so that security teams can effectively focus investigations.
Then examine new security tools and requirements for sharing and maintaining private information with vendors. For example, organizations may need to adopt more robust data loss controls, traffic analysis tools, and access restrictions. Ensure that vendors that aren’t currently prepared for heightened cyberattack risk commit to developing cyber preparedness plans to safely handle information or interact with your corporate network.
Review changes to boost your technology and security infrastructure today, even if such changes may take years to implement. Some organizations may want to speed up their cloud strategies so that their IT resources can rapidly meet demand spikes from large-scale remote work. Other common improvements include investing in automation and advanced analytics to improve the effectiveness of security processes, introducing greater discipline around cyber-relevant data, rationalizing duplicative monitoring and security tools to manage the cost of exploding data volume, and focusing cybersecurity teams on the highest-risk areas.
Finally, develop mechanisms to understand how your security program changes reduce cybersecurity risks after each initiative is rolled out. This is not a one-and-done exercise; organizations need ongoing agility to hit what is a decidedly moving target.
Step Up Cyber Training and Exercises
Recalibrate cyber awareness programs to measure, track, and improve the cyber risk culture of your employees, management teams, and cybersecurity professionals in the new cyber normal. Employees need to be informed of new cyber risks and reminded of their role in effectively preventing, detecting, responding to, and recovering from cyberattacks.
Design role-based training programs and exercises to raise the awareness at every level of new and changed cyber risks introduced by increased remote working. Training programs should cover new threats, rules for approved device and data use, and processes to report suspected cyber incidents.
Management teams should engage in walk-throughs and simulations for new cyberattack scenarios armed with playbooks that provide clear guidelines for required actions, including when (and to whom) decisions should be escalated. These scenarios should be considered for future cyber war games and simulations to prepare cybersecurity, technology, and business teams for future large-scale crises. By doing so, teams can identify shortcomings that must be overcome in order to respond effectively to cyberattacks.
As the pandemic continues to unfold, organizations are operating in a real-life multi-stress environment, facing cyberattacks along with many other COVID-19 related challenges. Much of the operational shift that has occurred as a result of the pandemic will outlast the immediate crisis and aftermath. Organizations will, and should, draw lessons from the current crisis to design and execute a new operating model that incorporates more remote working flexibility. To do that securely, organizations need to understand how their cyber risk profiles have changed and must revamp their strategies, training, and exercises to address threats and minimize risks.
Editor's note: Oliver Wyman is monitoring the COVID events in real-time and we have compiled resources to help our clients and the industries they serve. Please continue to monitor the Oliver Wyman Coronavirus hub for updates.