Think of cybersecurity in COVID-19 times

The current COVID-19 pandemic opens a new era for remote working and collaboration technology. Whatever our working preference (given the choice, some of us might go for the vibrant atmosphere of an open space), there is no other option left for the time being. It’s also the case for cybersecurity: the smartest approach businesses can take is to boost their cybersecurity, because this crisis is also an opportunity for cyberattackers to thrive.

The entire globe has been brought to a halt by a tiny organism. Sure, some crisis plans may have considered COVID-19-related measures from the beginning, but a sizable majority didn’t, or they underestimated the situation. The fact that, at first, some businesses thought spreading staff across different buildings was a sufficient measure is proof of that.

Others, for instance, considered using the so-called “disaster recovery office space” that they had rented, as good business continuity practice dictates. Unfortunately, these offices can be used only when the main building is inaccessible, as one learns from a close look at the small print of the regulation/contract related to this type of space. Needless to say, all those plans quickly proved inadequate when the social distancing mandate came and the use of buildings was no longer an option open for discussion.

For years now, some forward-thinking companies have already experienced, and pushed through, remote and collaborative working among their employees. Some of the reasons were to cut down building overhead and to reduce the cost of empty seats, because staff rarely came onsite all at the same time. However, among the main motivations was also to create a better connection with the staff who frequently worked at customer sites, executing projects. These days the pandemic has accelerated the adoption of remote working in business, fueled by both the fear of infection and the fear of going out of business.

In a rush, companies have looked for quickly deployable solutions. These range from buying electronic devices in retail shops to equip employees, to deploying software for staff to work from home, to setting up remote working systems such as Citrix, to name a few. Every measure has had to be deployed in a very short time frame. In Luxembourg, the education facilities, especially schools, closed on March 13. The lockdown officially started two days later. During that weekend supermarkets faced shortages caused by hoarding, something rarely seen in Luxembourg.

This article is a wake-up call. We want to remind you that once the COVID-19 quick-and-urgent action stage is over, businesses have to think through their current cybersecurity measures and how they have to be adapted or advanced because of the generalised implementation of remote work. We still have some time, but it is passing by rapidly.

From panic to stability and what it means to cybersecurity

A common crisis denominator is panic. Oftentimes, the decision or methodology put in place to manage a crisis is motivated by fear and anxiety. But, if there is one thing that countless business stories have taught us, it is that both factors rarely help. 

After two or more weeks of lockdown, people have surely started adopting certain habits, setting expectations and even thinking more creatively about what the weekends will look like, even under the obvious limitations.

Somehow, the situation is reaching a certain stability, apart from the fact that the increased vigilance in the city remains and the anxiety around getting contaminated hasn’t really diminished. Stability means that, to some degree, there is acceptance of the situation. This is a critical time point: before convenience sets in, we need to reassess the technology that has been deployed, and rethink the security measures already taken and the ones that should be implemented throughout the crisis timeline.

This relatively more stable situation gives the opportunity to look back more comfortably. With fewer urgent matters to attend to, but still with the chance to get enough management attention, it’s time to get the much-needed cybersecurity budgets. This is also the time to reflect on the importance of the CIO and CISO at organisation level. This event is clearly demonstrating how companies are becoming increasingly dependent on digital technologies.

Assessing what’s at stake now and in a back-to-normal situation

During a crisis, decisions are taken at a rapid pace, obviously. The focus is on getting things up and running and a lot less on how secure the outcome of implementing the new measures will be. That’s understandable and even justifiable when time is against us.  

However, doing an inventory of the actions taken, the systems deployed, the accesses given, the software implemented (whether it has been a Bring-Your-Own-Device measure or not), etc., is key to thinking more thoroughly and defining a strategy around the current circumstances.

What if we never get back to a situation like the one prior to the COVID-19 crisis? It will be one thing to regain mobility in the city or between countries, but will employees easily accept being dragged back into traffic jams, rushed wake-ups, the (sometimes annoying) dress code, and being social after months of isolation or reduced physical interaction?

Going back to “normal life” won’t happen overnight because it’s unlikely that the new reality will look like the one we had before COVID-19. Both the positive and negative consequences of this crisis aren’t fully understood at this stage.

Do we fully understand the risks related to the remote working environment?

The devil is in the details and details must surface when businesses have a clear overview of the situation and a sound inventory of the implemented measures, not only in terms of cybersecurity. 

Since we all are still running against time, businesses need to define an acceptable risk level. In reality, any additional risk considerations that one would add to a remote work situation should be almost identical to risks in “normal” working environments. But, quite frankly, many businesses aren’t quite there yet. Instead, they’ll need to map the new risks and the mitigation measures to take, and document residual risk. 

Create an adapted roadmap 

Once the mitigation actions are clear, the company can define priorities and create a roadmap to increase the security posture and reduce the risk exposure. Paramount for success is prioritisation and looking for mitigation measures that are beneficial in the long run, not only for the current situation. One big caveat is that it must be done remotely: project management, design stage, solution selection, vendor interaction and even deployment. And everything must be able to roll out without physical intervention.

Keep the fire burning

People have shown inventiveness to overcome the constraints of the current situation, from virtual bars and restaurants to organising e-aperitifs or window-to-window drinks. 

Use this as the ideal awareness platform, a space to talk about security but also about the impact on society, and mix it with social engineering tips. The situation is likely to be here for a while. It comes with setbacks and opportunities, but if we manage it correctly we’ll come out safe and sound. 

What we think
Koen Maris, Cybersecurity Director at PwC Luxembourg

The pandemic has similarities with a cyber crisis: containment as an early solution to further spread, and closely monitoring the movement of malware or a hacker. Casualties and loss are givens; hopefully privacy won’t be one of them.
