Cyber security risks have risen significantly during lockdown. How can firms best mitigate risk and manage compliance in this new operating environment?
For businesses across all sectors of the global economy, cyber security has become one of the biggest risk factors associated with the coronavirus lockdown. As they try to continue operations without interruption and protect their employees, businesses increase their exposure to cyber attacks.
What actions should you be taking to reduce risk and maintain regulatory compliance?
Emerging cyber security risks
The lockdown policies introduced into economies all over the world have forced millions of businesses to pivot quickly to more agile forms of working, including the large-scale adoption of home-working technology. I've seen organisations carry out transformations that might have taken six weeks under normal circumstances in just a few days, and I'm concerned about how threats and threat actors are evolving to take advantage of this rapidly changing cyber security landscape.
The 'attack surface' for cyber security – the range of opportunities to break into businesses or compromise individual workers – is constantly evolving. It's a situation that is creating unprecedented challenges for firms in security and compliance.
There has been a significant increase in cyber security attacks on organisations such as financial services and professional services firms. In fact, any business that controls sensitive or valuable data is at risk. But many larger organisations, despite having comprehensive business continuity plans, have never actually tested these plans 'in anger', which increases their vulnerability and presents opportunities for cyber criminals.
External dangers are not the only risks to cyber security. Insider threats, whether accidental or malicious, are also very real. Many people who switched to working at home at short notice may be making unintentional mistakes.
There is also the issue of disgruntled former employees. We've heard reports that this is of particular concern in the US, where companies have had to let people go at very short notice. Cyber security experts are concerned that these workers may have been able to take intellectual property with them, or that employers may not have been able to close down their access to data quickly enough.
Another problem cyber security teams face is the rise of 'shadow IT'. This is where different areas of the organisation have spun up their own services: for example, a development team has taken some capacity on Amazon Web Services, or a joint-working team has decided to start using Dropbox for exchanging information.
The danger there, particularly when using cloud-based services, is to assume that security is someone else's problem. Now is the time for cyber security teams to get their arms around what cloud systems and infrastructure their people are using. They need to ensure they are clear on who is responsible for securing and monitoring these services, and that people are adhering to the processes and training they have been given.
Outsourcing concerns for cyber security
You should always be implementing privacy-by-design and data-segmentation policies, so that you have insight into and control over who has access to data in both first- and third-party environments. Moving to agile and home-working environments may expose gaps in cyber security access controls, both to employees and to hackers.
Many outsourcing issues involve ensuring that basic cyber security standards are met by suppliers of technology services. For large businesses with distributed supply chains, a lot of it is about using effective threat intelligence, understanding which risks can be exploited and how they can be escalated through the chain. At a time when many businesses are using VPNs to connect securely, a number of organisations are still using VPN products from major manufacturers that have easily exploited vulnerabilities which still haven't been patched.
Growing cyber security risks and shifts in working practices are presenting new compliance challenges, as well. Having workers across geographical locations presents issues related to GDPR, especially in relation to data transfers outside the European Economic Area.
Although some organisations have said they are going through a compliance pause as they implement new systems, regulators have not formally relaxed their expectations or requirements. Businesses should therefore ensure any temporary cyber security solutions implemented at the start of the lockdown are clearly documented and explained for the benefit of regulators.
Another important factor from both an operational and a regulatory perspective is being able to demonstrate that any cyber security policies have been tested in a robust fashion.
What we have seen recently is that regulators are becoming increasingly interested in the detail of cyber solutions and whether they are operationally effective. While a year ago regulators might have been happy with high-level information about solutions, there is now much more emphasis on exactly what technology is in place and whether it has been shown to be operationally effective. This emphasis is only going to be heightened as a result of the current crisis.
For more information on managing cyber security risks and compliance, contact Vijay Rathour.