How did you and your business respond to COVID-19?
Do you feel you were ready for the disruption of the pandemic?
What do you think business will look like post-COVID-19?
How will practices change surrounding Cyber Risk Management?
If you feel you were not ready, you are not alone. To understand why, join us as we take a trip back in time to before COVID-19. We will explore the prevailing business and information technology climate. With this backdrop, we will evaluate the response companies reported. Finally, we will posit a future state of cyber risk management including heightened cyber risk awareness and active managing of each risk.
Prior to COVID-19
Businesses were optimistic about 2020. In the Harvey Nash / KPMG 2019 CIO Survey, companies were poised to grow and innovate through increased budgets and digital transformation. Survey data indicated that over a third of organizations were planning new product offerings, with some companies implementing new revenue models. Over half of the 3600+ respondents anticipated increases in budget and headcount. Priorities entailed improving business processes, increasing operational efficiencies, and delivering stable IT performance.
When it came to cybersecurity, leaders recognized its necessity, expressing concerns about having the right personnel and admitting that they “feel vulnerable.” Despite this feeling of vulnerability, the focus seemed to be more on the ability to extract more value from the corporate data asset. The friction between data and security can be seen in the fact that 83% of respondents viewed data privacy as a hindrance to innovation.
Organizations recognized that a risk-reward equation is at play when cybersecurity is weighed against revenue growth. Given the bullish sentiment prevailing before COVID-19, their decisions typically landed in favor of more aggressive revenue growth, without the breadth of security measures they would have liked to have implemented.
Business During COVID-19
When COVID-19 hit full force, businesses had to adapt to the stay-at-home orders affecting their employees and customers. In many ways this resembles the disaster scenarios for which companies should already have business continuity and recovery plans. For example, a natural disaster or business continuity event such as an earthquake or flood could force the closure of a company’s office building. COVID-19, of course, forced the closure of every company’s offices and those of its customers. Companies should have had some preparation for working remotely; however, they did not seem ready.
Unfortunately, the bad guys were not sympathetic. 23% of survey respondents on continuitycentral.com reported that cybersecurity incidents had increased by as much as double. 81% of respondents viewed security as an essential function at this time, yet almost half reported that team members typically responsible for security had been reassigned to the IT-related tasks of equipping a mobile workforce. In their haste, companies applied best practices; however, many felt those best practices could be improved.
For many organizations, COVID-19 revealed that our optimism around growth and innovation had made corporations complacent in their preparedness for disruptions. 10% of companies do not have a disaster recovery plan; 22% of companies do not test their disaster recovery plans; and 37% test the plan annually. In the case of COVID-19, the entire supply chain was affected simultaneously. This event demonstrates why you must be aware of business continuity throughout your supply chain. COVID-19 was not a drill.
What we learned and the implications
We learned a lot from COVID-19.
1) Remote workers can be productive, and the percentage of remote workers in a company will likely be higher going forward. This new environment offers a larger attack surface to the bad guys.
2) The bad guys are still around, and they like disruption. We need to be diligent in this new environment, with its larger attack surface from the larger remote worker population and active threat actors.
3) Security is now an imperative. The combination of active bad guys and remote work has made security an imperative. We must find the balance between security, privacy, growth, and innovation. We must move early to secure the limited resources available for doing cybersecurity, and we must do it now, because customers are demanding it.
4) Not being prepared is expensive. We must plan for business continuity, test the plans thoroughly, and use those tests to find improvements in our business processes. A plan sitting in a binder is no longer good enough. We must use these plans and tests to improve our business and reduce our vulnerability to disruption.
You must become more aware of your cybersecurity vulnerabilities and risks and actively manage them. This awareness comes from inspecting your environment to understand your applications, infrastructure, governance practices, and organizational factors. You must also recognize the inherent risk of operating in your industry and geography.
If you would like to learn more about quantification of cyber risk and how to build an effective cyber risk management program within your organization, reach out to us today to start a conversation.