August 13, 2020
As the pandemic persists, corporate leadership must closely follow cybersecurity risks, vulnerabilities, and threats as bad actors take advantage of increased work-from-home scenarios—in which companies perhaps haven’t fully focused on security. These risks left unchecked have the potential to put company assets and viability in peril.
Initial warnings from technology leaders began to emerge as COVID-19 spread in early 2020. Following the United States’ declaration of a national emergency in March, more warnings were issued that an exponential increase in telework would create unprecedented opportunities for bad actors. As the crisis accelerated, experts implored business leaders to pay attention to cybersecurity fundamentals as dependence on digital connectivity and unprotected networks skyrocketed, and early signs pointed to an environment that was ripe for exploitation.
In May, the security firm Mimecast released a report that studied cyberattacks in the first 100 days of the crisis, between January and March. It found a 26 percent increase in spam and “opportunistic detections,” a 30 percent jump in impersonation attempts, and a 35 percent jump in the attempted use of malware, among other trends. With so many people either unemployed or working from home, the environment for recruiting scams has been especially ripe for unscrupulous actors. At the same time, demand for teleconferencing and video conferencing has skyrocketed, accompanied by security concerns, since many of these third-party services did not, or still do not, have robust security architectures. These threats have manifested in attacks on industries from banking and finance to health care.
Furthermore, according to McKinsey & Co., chief information security officers (CISOs) have reported a near-sevenfold increase in spear-phishing attacks since the pandemic began. And “[r]emote workers are also being bombarded with attacks based on COVID-19-crisis themes that are taking advantage of delayed updates to email and web filters and using social engineering to prey on workforce concerns.”
In response to what clearly was an emerging cyber threat of significant proportions, company CISOs implemented strategies to protect businesses. These strategies included reeducating employees on standard cyber-hygiene practices and ramping up the monitoring and patching of remote systems. Additionally, firms have turned to virtual private networks (VPNs), in many cases for the first time, because of the increase in exposure of sensitive internal communications through unsecured home Internet connections.
It is important for board directors to understand that in a disaggregated and remote working environment, cybersecurity is of critical importance and requires management attention, diligence, and rapid response. And communication is critical. While VPNs are important for secure connections, employees must receive clear direction on how to use them properly. The biggest risk to a company network is the endpoint device, be it a laptop or smartphone. The risks are exponentially greater when a company has many employees working from remote locations using personal devices that generally are not secured to the best standards.
Now several months into the COVID-19 crisis, cybersecurity and technology trends are emerging that bear watching by both directors and C-suite leaders. They include:
How should business leaders and directors respond to the increase in cybersecurity threats?
While no two companies will take the same approach, the response to these cybersecurity challenges will hold great implications for companies and their directors as they seek to balance security concerns with “new-normal” operations.
Debora Plunkett is a director on the CACI International board and former director of information assurance at the National Security Agency.
NACD: Tools and resources to help guide you in unpredictable times.