One of the clear impacts of the COVID-19 pandemic is that it has forced many organizations to resort to remote work, and this could have an irreversible impact on future work practices – and cyber resilience.

The COVID-19 crisis will undoubtedly have a lasting impact on the way most organizations operate, as work life and operational structures are forced to change dramatically. One of the most obvious changes brought about by the COVID-19 pandemic is the increase in remote work. This development, brought about by the need to reduce physical contact and the spread of infection between people, is likely to remain a feature of modern life even after the worst of the pandemic is over.

A key reason for this changing dynamic is that COVID-19 has shown many companies the benefits of virtual online communications. In particular, many companies have seen how effective remote work can be, with well-functioning workforces running smoothly regardless of employees’ physical locations. Given that this method of working is much more cost-effective than traditional office space, it’s possible that many companies will be hesitant to fully return to the old way of working.

Unfortunately, this remote work revolution comes with cyber resilience concerns, as the relocation brings certain threats with it. Many companies are more exposed than ever before, as they must deal with a digitized workforce that now works remotely, away from corporate offices. Cyber risk professionals must therefore remain aware of the impact of remote work on their organization’s overall cyber resilience and help build appropriate resilience in response to the increased exposure.

A critical point that risk professionals need to be aware of is that in the future, there will be less standardization in the computer systems and Wi-Fi networks that employees use to perform their jobs. This change makes it more difficult for information security teams and risk managers to assess vulnerabilities and develop mitigation strategies, because an organization’s digital footprint is much larger today than it was in the past. With a larger digital footprint, there is also greater potential for cyber threats, as attackers can find more points of attack. This, in turn, could lead to individual employees being hacked and allow cybercriminals to access the very corporate resources that were made remotely accessible or controllable for the purpose of remote work in the first place.

Another problem created by more people working from home is that many internal systems and VPNs could be overloaded by the increased number of users connecting simultaneously from external sources. This strain on existing digital infrastructure can trigger significant vulnerabilities for an organization while also impacting productivity. For government agencies in particular, traditional office work is so entrenched that resources are not adequately sized for remote access. Systems that were designed to be accessed by a limited number of people must be used by many more users, now and in the future, so additional capacity is required. In this case, not only does the bandwidth need to be greater, but security tools such as firewalls also need to be properly tested to determine whether they can handle the greater volume of data, which causes latency and requires additional computing power. Related to the issues created by a lack of standardization, different workers may use a variety of technologies, which can create problems integrating with existing infrastructure.

Organizations that adequately address these issues and adapt to the new prevalence of remote working are likely to be in the best position to set themselves up for cyber resilience both during the COVID-19 crisis and in a post-pandemic world.

A simple step for organizations looking to build resilience would be to conduct more security reviews of IT systems. Organizations could take a defense-in-depth approach that adds layers of security, with multiple defenses working simultaneously to ward off potential attacks and increase overall system security. Digital checkpoints can be used to authorize the right people and prevent cyber criminals from accessing sensitive systems. This can be achieved, for example, with corporate laptops that use specific controls such as endpoint protection or multifactor authentication, and not just for VPN-enabled remote access. Each method adds a layer of defense to ensure that those with appropriate access can connect securely. If everyone worked internally, this would be much easier to control, but the model changes when people are connected externally.

Another area that organizations need to consider in terms of cyber resilience is the importance of having an up-to-date crisis response plan. The pandemic has highlighted how unpredictable events that seemingly have nothing to do with cybersecurity must be properly addressed in the future. As a basic requirement, organizations need to understand their exposure to cyber risk and which areas may need more attention. For example, does the organization have the right policies and procedures in place? Is the contingency plan regularly updated to address new potential scenarios? These questions must be answered with an understanding of the organization’s mission-critical processes and how to adequately protect them.

It is now clear that the COVID-19 pandemic will have a major impact on cyber resilience, even once the worst of the pandemic has passed. Although changes to operational structures have been made out of necessity, it is likely that working remotely will remain a common practice long after COVID-19 has become a less pressing issue. Cyber risk professionals will need to understand this trend, as they will be responsible for ensuring that the shift to remote work is not accompanied by increased cyber vulnerability. Implementing more stringent security measures in an effort to replicate on-site security procedures in each employee’s home will go a long way toward strengthening cybersecurity. Of course, this is no small task, but it is one that risk professionals must adapt to or risk their organizations suffering from the new reality.

An article written by iugitas, published on 24 July 2020
Translated by Charlotte Ley