October 14, 2020

Creating Cyber Resilience: Plan for Today, Prepare for Tomorrow

The business world is no stranger to cybersecurity concerns — email hacks, malware, and data breaches are not new to the digital landscape. In 2007, malware Zeus was used to steal personal financial information, and 2009’s Stuxnet targeted software controlling industrial systems. More recently, Facebook’s data breach saw 540 million records of users compromised and published on Amazon’s cloud computing service.

However, the COVID-19 pandemic compounded the problem of cybersecurity and impacted how network protection was delivered to organizations as they raced to provide a virtual workplace for their instant digital workforce. This fast-tracking of remote work and accelerated cloud adoption inadvertently exposed companies to more email and web-based threats, a concern that is not lost on CIOs and CISOs since the World Health Organization declared a pandemic on March 11, 2020.

What’s at Stake

Interpol reports cyberattacks have shifted from targeting individuals and small businesses to major corporations and governments during the pandemic. The period has seen more large organizations, such as Universal Health Services, the World Health Organization, and Shopify, falling victim to security breaches and network vulnerabilities. The cost of critical data breaches in the US has increased by 130% over 14 years, from $3.54M in 2006 to $8.19M in 2019. The healthcare industry, in particular, saw a 65% higher average total cost of a data breach.1

Email has long been the target of hackers looking for easy access into a company, using a simple email to deliver malicious attachments, and spear-phishing vectors to infect the system. Email scams have increased by 667% since the end of February 2020. However, the intruders are no longer just mining for credentials or information; they’re taking the opportunity to plant malware to secure long-term infiltration and enable persistent threats from the inside.

Cybercriminals have been quick to take advantage of the target-rich environment of unsecured connections, employees unfamiliar with technology, organizational processes in flux, and the knowledge that a major breach in security can go unnoticed for 280 days. Cybercriminals now have a wider, more vulnerable platform to exploit and inflict damage with the geographically diverse workplace extending beyond corporate perimeter walls into a remote workforce’s suburbs and homes.

Creating a Culture of Cybersecurity

Cyberattacks and data fraud rank third among the most significant COVID-related business concerns. The World Economic Forum outlines these five cybersecurity leadership principles to chart a responsible course of action during the pandemic and beyond:

  1. Foster a culture of cyber resilience
  2. Focus on protecting the organization’s critical assets and services
  3. Balance risk-informed decisions during the crisis and beyond
  4. Update and practice the organization’s response and business continuity plans during the transition to the “new normal”
  5. Strengthen ecosystem-wide collaboration

CIOs and CISOs recognize the need to evolve from a compliance enforcement and risk management strategy to one that establishes a foundation of shared cyber-risk ownership throughout the organization and makes it a fundamental component of the business operating model. Leaders are faced with the challenge of promoting best cybersecurity practices that integrate seamlessly with employees’ work. Beyond awareness programs encouraging employees to change their work behavior to mitigate security breaches, it demonstrates that a team is only as strong as its weakest player.

Jim Alkove, Chief Trust Officer with Salesforce, echoes this sentiment and suggests treating cybersecurity like a team sport, and “building a culture of awareness in your company so that all the employees in your company can act like security trailblazers.” Investing in ongoing cybersecurity training, prioritizing a cyber-secure mindset at the workplace, and putting in place essentials like strong-word password policy and two-factor authentication will lay the foundations of a robust cybersecurity culture.

A bigger challenge is establishing a collective responsibility across the organization and removing the expectation that network security is solely the security department’s job. By eliminating “extreme information asymmetry,” where critical knowledge is left in the hands of a small group of experts, and widening the understanding of digital technologies to all employees, cyber leadership can ensure stronger network security across the board.

Expect the Unexpected and Plan for It

Organizations should assume an adaptive nature. The first, most prominent area is boosting staffing in the IT and security departments to implement regular updates, VPNs, servers, firewall patches, monitoring, and securing networks. However, the shortage of cybersecurity professionals worldwide even before the pandemic is exacerbating the hiring problem. Consultants are now critical resources for organizations to close their talent gaps and raise their network security to an acceptable level.

Enterprises are turning to new technologies such as Artificial Intelligence (AI) and machine learning to reduce the number of successful attacks and deliver a more consistent response. Almost three-quarters of companies surveyed in Capgemini’s Reinventing Cybersecurity with Artificial Intelligence Report are adopting AI in cybersecurity. Nearly two-thirds of businesses believe AI is necessary to boost cybersecurity, and three in five organizations see AI improving the accuracy and efficiency of cyber analysts.

Organizations are also recognizing that current authentication protocols are not enough. Many enterprises are eager to abandon passwords for more robust authentication methods such as biometrics and a zero trust architecture that’s rooted in the premise “never trust, always verify.” These new technologies will tighten and close security gaps manifested by the new majority-remote work landscape, and pave a more secure, password-free future.

While preventative measures are crucial to mitigate threats, it’s also important to plan for the worst and proactively map a crisis plan that details communication, risk-mitigation, and recovery strategies in a cyberattack event. Some of the areas to consider include identifying the circumstances that will trigger the plan, the people who will lead and manage the process, the process itself, objectives and goals, and determining what success looks like.

Security is like air in Maslow’s Hierarchy of Needs. Similar to how every employee breathes without thinking about it, so thinking about security needs to become integrated in an organization. Technology and process can solve many security issues, but a company’s best line of defense against security incidents is it’s employees.  If every employee treated security like air, influenced by support of the company’s culture, then the line of defense becomes stronger and less likely to be at risk for security incidents such as malware and phishing.

If a company can couple this mindset with strong passphrases, multi-factor authentication, and security awareness training, this will help limit the exposure to the increased threats across all industries.

1. IBM, 2019 Cost of Data Breach Report (76 pp., PDF, no opt-in)

Quality. Commitment.
Trust.

Whether you want to advance your business or your career, Oxford is here to help. With nearly 40 years’ experience, we know that a great partnership is key to success. Start a conversation today.