April 16, 2020
As the COVID-19 pandemic escalates and causes global disruption, those in corporate governance and executive leadership roles need to carefully consider changes in their organizations’ cyber-risk profiles, including how the rapid shift to remote working, stress on the technology workforce, and looming expense pressures increase the potential for exposure. Cyber attacks could be business-ending events for organizations that are not prepared to defend themselves during a period in which funds to combat new cyber threats may have dried up or diminished.
Boards need to consider the ways in which their organizations’ cyber posture is changing as a result of the crisis. Board oversight is critical to ensuring that management is adapting to the evolving cyber-risk landscape as it works to maintain employee safety and continued business operations.
Many of the current threats look similar to what was experienced before the onset of the crisis, only at greater volume. A summary of what boards need to know follows.
Phishing. While increases in phishing attacks are a normal symptom of disruptive global events, the risk has grown now because remote workers may lack defenses that only apply on the corporate network, such as email gateway filtering, web proxies, and monitored endpoints. It is important to remember that phishing succeeds because it exploits the emotional responses an email can provoke. In this environment, phishing campaigns are using the virus as the lure, for instance by directing people to false donation links for recovery funds in order to extract money. Furthermore, responding to incidents that result from phishing may place additional strain on cybersecurity teams, because triage and remediation processes that typically require an office visit (collecting a laptop, reimaging it, verifying the cleanup) may not be possible. Employees could be faced with the prospect of not being able to work if their devices cannot be adequately evaluated and cleared of threats.
Rapidly Expanding Attack Surface. As organizations shift to remote working, many are experiencing a rapid expansion of their technology attack surface. This is driven by the need to deploy new equipment and technologies to support remote workers, such as virtual private networks and video conferencing and collaboration software. But this environment may also require relaxing controls and policies that enterprises once relied on for protection. For example, will employees be allowed to use their personal computers to access company resources such as work email? Will they be able to print company materials at home? As these new modes of working change and expand, the room for error in their configuration and deployment increases, leaving attackers opportunities to exploit weaknesses, especially during this transition period in which new controls for remote work have not been fully designed or tested.
Overworked Technology and Security Teams. An already stretched and limited cybersecurity workforce is being pulled in multiple directions during the COVID-19 crisis. Those charged with cyber defense and incident response may easily be pulled away from security concerns and into the technology operations issues created by the sharp rise in employees working from home and in customers interacting with the organization virtually. This creates the potential for mistakes that result in inadvertent exposures for the organization. Furthermore, these team members may be asked to reduce security controls and suspend certain policies so that they can support the business in other ways, which risks signaling that their prior work is no longer valued.
Long-term Implications. On the horizon is a challenging expense environment with a potentially worsening labor shortfall for cybersecurity positions. Academic program enrollments and completions deferred because of the crisis will reduce the number of new cybersecurity professionals entering the market. Combined with pressure on budgets and a shift in priorities, we face the possibility of hollowing out the cyber workforce.
These challenges will increase the need for the quantification of cyber risks and the effectiveness of cybersecurity programs, and they establish a clear need to link continued investment in cybersecurity personnel and defenses to risk mitigation best practices. Forging this link will become increasingly important for maintaining a risk-based defense approach and representing cyber resilience to customers, investors, and regulators.
Recognizing that they can’t overburden management right now, boards should affirm the expectation that effective cyber-risk management remains a key function for the success of the enterprise. Transparency and independence on cybersecurity issues during the crisis and beyond are paramount to ensuring that risk-taking in response to the crisis is aligned with governance expectations and does not create an unacceptable short-term exposure. Remember, a cyber event during the crisis could be an existential threat to the organization. Below are some suggested approaches that directors can take in order to monitor the situation.
Chris Hetner is an executive vice president of Cyber Assessments, a joint venture between Moody’s Corp., a global credit rating agency, and Team8, a cybersecurity-focused company creation platform. Hetner also serves as special advisor on cyber risk for NACD and national board member for the Society of Hispanic Professional Engineers. Derek Vadala is the CEO of Cyber Assessments, a joint venture between Moody’s Corp., a global credit rating agency, and Team8, a cybersecurity-focused company creation platform.