Thesis: 46% of companies do not treat cybersecurity as a strategic priority. This has brought up new risks when facing the challenge of switching to remote operations.
Dmitry Samartsev, CEO of BI.ZONE, Sberbank’s cybersecurity subsidiary firm
Due to the spread of COVID-19, many organisations have encountered the necessity to shift core business and operational processes to remote work. Large corporations are sending thousands of employees home and are urged to do this as quickly as possible. According to a CNBC survey among senior technology executives, nearly 85% of the respondents said that at least half of their company’s employees are working from home, and 25% of organisations are now entirely remote.
While focusing on the need to continue business operations remotely, some companies may forget about cybersecurity and not think of the related risks, as it may not look like a priority for the moment. In fact, cybersecurity has probably never been as important — the damage caused by cybercriminals can be much higher at times when digital channels become the only means of operations.
What are the risks?
The transition to remote access brings up some serious challenges in terms of cybersecurity. Among them are:
- Increase in the role of human error. One of the most common examples is the integration of insecure services on the perimeter of corporate networks. Some companies have to do it consciously in order to provide quarantined employees with access to necessary resources. Since the beginning of March, we detected a 23% rise in the number of connections to publicly accessible services for remote work among our clients. This tendency is very dangerous — insecure use of such services can lead to serious incidents and result in billions in losses. The average cost of a data breach for a company in 2019 amounted to $3.92 million, and with people working remotely the possibility of such a breach multiplies.
- Riskier behaviour of people online. The COVID-19 outbreak has triggered a wave of cybercriminal activity. Compared with the previous two months, the number of phishing emails has grown by 30%, whilst 20% of all of them contain information about the Before the epidemic crisis, we witnessed that 80% of successful cyberattacks happened through social engineering techniques, but now this number is growing at a time when cybercriminals start to prey on people’s fear of the disease spreading. Add to this the fact that, when working from home, people sometimes get careless in their personal activities, like using corporate laptops to surf dangerous websites for personal use. Such occurrences tend to increase the vulnerability of the company’s data and resources.
- Possible challenges adapting the company’s infrastructure to remote operations. Organising secure remote connections for a company’s employees can dramatically increase the network load and demand much larger IT resources, as well as well-coordinated actions from both the IT and the cybersecurity teams. Before the spread of COVID-19, the majority of businesses could not have imagined that they would have to switch to remote operations within a few weeks or even Lack of fully developed business continuity processes, or at least corresponding business continuity plans, can cause difficulties in such situations, creating a bottleneck and decreasing business efficiency or even bringing the company to a standstill.
- Heightened risks related to third-party relations. Various cybersecurity risks can be encountered not only inside the company, but also on the side of the company’s supplier or any other third party. This risk intensifies when the company turns to remote operations and becomes dependent mostly on digital channels. Any failure on the part of a supplier of digital services or, for example, on the part of a data centre can lead to a halt of operations in the company and bring colossal damages.
How to minimise these risks?
This crisis has taught us a lot about how to quickly respond to such situations and manoeuvre in a constraining environment. But what is more important is that it has shown us that we need to be ready for such situations and stand ready to implement preventative measures. So here are a few of them:
- Introduce strategic cybersecurity governance. Ideally, a comprehensive cybersecurity strategy should be in place; it should engage key figures from top management and be linked to achieving the company’s business plans. That is the first step to avoiding and minimising the aforementioned risks in the future. Some well laid out guidelines for understanding the basic principles of cybersecurity governance for top management have been proposed by the World Economic Forum.
- Carry out regular cybersecurity audits and invest in preventative measures. The average cost of one malware attack for a company reached $2.6 million in 2019. At the same time, the average price for a complex cybersecurity audit with recommendations for one company is around $40,000-60,000. Of course, each company requires a different level of cyber resilience and corresponding investments — consider using the Return on Security Investment (ROSI) ratio to assess your possible savings and understand the necessary level of spending on security. It is also worth considering following security-by-design and security-by-default principles — thinking of security from the very beginning of creating a process, a system or a product can save you a fortune.
- Educate your employees on cyberhygiene basics. Human error is one of the key factors in every company’s security. The survey that BI.ZONE carried out this year showed that 38% of companies are not paying enough attention to the questions of cyber education, thus exposing these businesses to cyber risks. Training in cybersecurity awareness for all employees is a must to minimise these risks.
- Compose proper business continuity and disaster recovery plans. This year showed everyone that anything is possible, but nevertheless, we need to understand how to react. A rapid shift to remote operations is just one of the possible scenarios that could potentially lead to a crisis in the company if not properly organised. Here is a good example from CIO magazine on the best practices in this area. Another good way to get ready for such situations is to train your skills and participate in dedicated cyber exercises. One such opportunity is the Cyber Polygon exercise, which we organise together with the World Economic Forum annually.
- Follow third-party due diligence processes. The risk of a supply chain attack is always present, so this principle had better be observed at all times, but in today’s conditions of remote work and almost total reliance on digital communications this issue needs to take on much greater importance. Lots of cybersecurity companies provide such services — check your suppliers and partners before you start working with them and minimise your risks before it is too late.
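The audit recommendation above mentions the ROSI ratio without showing how it is computed. The following is an added example, not part of the original article or of BI.ZONE's own tooling: it implements the commonly cited ROSI formula (ROSI = (ALE × mitigation ratio − control cost) / control cost, with ALE = single loss expectancy × annual rate of occurrence) and ranks candidate controls by it. The $2.6 million malware-attack cost and the $40,000-60,000 audit price come from the article; the incident frequency, the mitigation ratios and the other control costs are constructed assumptions for illustration only.

```python
"""Return on Security Investment (ROSI) calculator (added illustration).

Formula used (widely cited, e.g. in ENISA's guidance on security investment):
    ALE  = SLE * ARO                       # annual loss expectancy
    ROSI = (ALE * mitigation_ratio - annual_cost) / annual_cost
A ROSI of 1.0 means the control removes twice as much expected loss as it costs.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float       # yearly cost of the control, in dollars (assumption per control)
    mitigation_ratio: float  # fraction of the expected loss the control removes, 0..1 (assumption)


def annual_loss_expectancy(single_loss_expectancy: float, annual_rate_of_occurrence: float) -> float:
    """ALE: expected yearly loss from an incident class with no new control in place."""
    if single_loss_expectancy < 0 or annual_rate_of_occurrence < 0:
        raise ValueError("loss and occurrence rate must be non-negative")
    return single_loss_expectancy * annual_rate_of_occurrence


def rosi(ale: float, control: Control) -> float:
    """ROSI ratio for one control against a given ALE; negative means it never pays back."""
    if not 0.0 <= control.mitigation_ratio <= 1.0:
        raise ValueError("mitigation_ratio must be between 0 and 1")
    if control.annual_cost <= 0:
        raise ValueError("annual_cost must be positive")
    avoided_loss = ale * control.mitigation_ratio
    return (avoided_loss - control.annual_cost) / control.annual_cost


def rank_controls(ale: float, controls: List[Control]) -> List[Tuple[Control, float]]:
    """Controls that pay back (ROSI > 0), best first; the rest are dropped from the plan."""
    scored = [(c, rosi(ale, c)) for c in controls]
    paying_back = [(c, r) for c, r in scored if r > 0]
    return sorted(paying_back, key=lambda cr: cr[1], reverse=True)


def example_plan() -> List[Tuple[str, float]]:
    """Worked example with constructed inputs; returns (control name, ROSI) pairs."""
    # Article figure: average cost of one malware attack in 2019 was $2.6 million.
    sle = 2_600_000.0
    # Assumption: one such incident every ten years -> ARO = 0.1, so ALE = $260,000.
    aro = 0.1
    ale = annual_loss_expectancy(sle, aro)

    candidates = [
        # Article figure for the audit price (midpoint of $40,000-60,000); ratio is assumed.
        Control("security audit", annual_cost=50_000.0, mitigation_ratio=0.4),
        # Constructed: awareness training is cheap and addresses the human-error risk.
        Control("awareness training", annual_cost=20_000.0, mitigation_ratio=0.3),
        # Constructed: an expensive appliance whose cost exceeds the loss it avoids.
        Control("perimeter appliance", annual_cost=300_000.0, mitigation_ratio=0.6),
    ]
    return [(c.name, round(r, 2)) for c, r in rank_controls(ale, candidates)]


if __name__ == "__main__":
    for name, ratio in example_plan():
        print(f"{name:20s} ROSI = {ratio:.2f}")
```

With these assumed inputs, training (ROSI 2.9) ranks ahead of the audit (ROSI 1.08), and the appliance is dropped because it costs more than the expected loss it removes; the point is not the specific numbers but that the same ALE drives every comparison, so a company sizes its spending against its own loss estimates rather than against a fixed budget.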
Shifting people to work from home has become a great challenge for us all. This is not the only scenario that will test our capabilities in dealing with crisis situations, but it is definitely a good example which managed to highlight the areas we need to pay closer attention to — cybersecurity is one of them. Time to learn and take action.