Boards Beware: Increase in Cyber Attacks Reveals New Weaknesses

As the pandemic persists, corporate leadership must closely follow cybersecurity risks, vulnerabilities, and threats as bad actors take advantage of increased work-from-home scenarios—in which companies perhaps haven’t fully focused on security. These risks left unchecked have the potential to put company assets and viability in peril.

Ripe for Exploitation

Initial warnings from technology leaders began to emerge as COVID-19 spread in early 2020. Following the United States’ declaration of a national emergency in March, more warnings were issued that an exponential increase in telework would create unprecedented opportunities for bad actors. As the crisis accelerated, experts implored business leaders to pay attention to cybersecurity fundamentals as dependence on digital connectivity and unprotected networks skyrocketed, and early signs pointed to an environment that was ripe for exploitation.

In May, the security firm Mimecast released a report that studied cyberattacks in the first 100 days of the crisis, between January and March. It found a 26 percent increase in spam and “opportunistic detections,” a 30 percent jump in impersonation attempts, and a 35 percent jump in the attempted use of malware, among other trends. With so many people either unemployed or working from home, the environment for recruiting scams has been especially ripe for unscrupulous actors. At the same time, demand for teleconferencing and video conferencing has skyrocketed, accompanied by security concerns since many of these third-party services did or still do not have robust security architectures. These threats have manifested in attacks on industries from banking and finance to health care.

Furthermore, according to McKinsey & Co., chief information security officers (CISOs) have reported a near-sevenfold increase in spear-phishing attacks since the pandemic began. And “[r]emote workers are also being bombarded with attacks based on COVID-19-crisis themes that are taking advantage of delayed updates to email and web filters and using social engineering to prey on workforce concerns.”

Initial Responses to the Threat

In response to what clearly was an emerging cyber threat of significant proportions, company chief information security officers (CISOs) implemented strategies to protect businesses. These strategies included reeducating employees on standard cyber-hygiene practices and ramping up the monitoring and patching of remote systems. Additionally, firms have turned to virtual private networks (VPNs), in many cases for the first time, because of the increase in exposure of sensitive internal communications through unsecured home Internet connections.

It is important for board directors to understand that in a disaggregated and remote working environment, cybersecurity is of critical importance and requires management attention, diligence, and rapid response. And communication is critical. While VPNs are important for secure connections, employees must receive clear direction on how to use them properly. The biggest risk to a company network is the end point device, be it a laptop or smart phone.  The risks are exponentially greater when a company has many employees working from remote locations using personal devices that generally are not secured to the best standards. 

Trends to Watch

Now several months into the COVID-19 crisis, cybersecurity and technology trends are emerging that bear watching by both directors and C-suite leaders. They include:

• The mainstreaming of work-from-home models as more businesses transition from crisis response to sustained business operations,
• Increased use of automation and technology solutions,
• Reliance on hybrid or multi-cloud infrastructures,
• Investment in artificial intelligence, and
• Increased investment in cybersecurity.

How to Address Cybersecurity Threats

How should business leaders and directors respond to the increase in cybersecurity threats?

1. Stay vigilant. Companies should reinforce a culture of security to all employees. This should include periodic refresher training on basic security hygiene and reminders about company security policies. Companies need to have appropriate monitoring in place to quickly identify and respond to malicious activities while continuing to support business operations whether from headquarters or from homes.  
2. Leverage expert security guidance. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has published cybersecurity tips related to COVID-19 since February, and this information is updated regularly with threat information and cybersecurity resources. Staying current on security guidance is critical to the ability to quickly assess and respond to threats.
3. Plan. Companies who have mature business continuity and crisis response plans will see these preparations pay off as they address cybersecurity threats. The NACD Director’s Handbook on Cyber-Risk Oversight, produced in partnership with the Internet Security Alliance, highlights five key principles to enhance cyber-risk oversight. These principles are relevant to establishing the right risk profile and plan to address new and emerging COVID-19 risks.

While no two companies will take the same approach, the response to these cybersecurity challenges will hold great implications for companies and their directors as they seek to balance security concerns with “new-normal” operations.  

Debora Plunkett is a director on the CACI International board and former director of information assurance at the National Security Agency.