The ongoing COVID-19 pandemic opens a new era for remote working and collaboration technology. This also leads to new challenges related to cybersecurity. The smartest approach businesses can take is to boost their cybersecurity, because this crisis is also an opportunity for the cyberattackers to thrive.
The PwC Cybersecurity Day on October 29 will provide many valuable insights from the latest international developments in cybersecurity and privacy. The event will focus on helping CISOs, DPOs and CEOs ensure they keep their organisation secure in a digital society. There will also be a pitch competition, and applications are open now!
In the lead-up to this event, today we’re already sharing some thoughts about Cybersecurity in COVID-19 times. More info can also be found directly on the PwC blog.
Cybersecurity in COVID-19 times
The entire globe has been brought to a halt by a tiny organism. Sure, some crisis plans may have considered pandemic-related measures since the beginning, but a sizable majority didn't, or they underestimated the situation. Needless to say, most plans were quickly outdated when the social distancing mandate came and the use of office buildings was taken off the table.
These days the pandemic has accelerated the adoption of remote working in business, fueled by both the fear of infection and the fear of going out of business. In a rush, companies have looked for quickly deployable solutions. These range from buying electronic devices in retail shops to equip employees, to deploying software for staff to work from home, to setting up remote systems to work with such as Citrix, to name a few. Any measure has had to be deployed in a very short time frame.
But once the COVID-19 quick-and-urgent action stage is over, businesses have to think through their current cybersecurity measures and how they have to be adapted or advanced because of the generalised implementation of remote work.
From panic to stability and what it means to cybersecurity
A common crisis denominator is panic. Oftentimes, the decision or methodology put in place to manage a crisis is motivated by fear and anxiety. But, if there is one thing that countless business stories have taught us, it is that both factors rarely help.
After several weeks of lockdown, people have surely started adopting certain habits, have started setting expectations and are even thinking more creatively about what the weekends will look like, even under the obvious limitations.
Somehow, the situation is reaching a certain stability, apart from the fact that the increased vigilance in the city remains and the anxiety around getting contaminated hasn’t really diminished. Stability means that, to some degree, there is acceptance of the situation. This is a critical time point: before convenience sets in, you need to reassess the technology that has been deployed, and rethink the security measures already taken and the ones that should be implemented throughout the crisis timeline.
This relatively more stable situation gives the opportunity to look back more comfortably. With less urgency to attend to, but still with the chance to get enough management attention, it's time to get the much-needed cybersecurity budgets. This is also the time to reflect on the importance of the CIO and CISO at organisation level. This event is clearly demonstrating how companies are becoming increasingly dependent on digital technologies.
Assessing what’s at stake now and in a back-to-normal situation
During a crisis, decisions are taken at a rapid pace, obviously. The focus is on getting things up and running and a lot less on how secure the outcome of implementing the new measures will be. That's understandable and even justifiable when time is against us. However, doing an inventory of the actions taken, the systems deployed, the accesses given, the software implemented (whether it has been a Bring-Your-Own-Device measure or not), etc., is key to thinking more thoroughly and defining a strategy around the current circumstances.
What if we never entirely get back to a situation like the one prior to the COVID-19 crisis? It will be one thing to regain mobility in the city or between countries, but will employees easily accept being dragged back into traffic jams, rushed wake-ups, the dress code, and being social after months of isolation or reduced physical interaction?
Going back to "normal life" won't happen overnight because it's unlikely that the new reality will look like the one we had before COVID-19. Both the positive and negative consequences of this crisis aren't fully understood at this stage.
Understanding the risks of remote work & creating an adapted roadmap
The devil is in the details and details must surface when businesses have a clear overview of the situation and a sound inventory of the implemented measures, not only in terms of cybersecurity.
Since we are all still racing against time, businesses need to define an acceptable risk level. In reality, any additional risk considerations that one would add to a remote work situation should be almost identical to risks in "normal" working environments. But, quite frankly, many businesses aren't quite there yet. Instead, they'll need to map the new risks and the mitigation measures to take, and document residual risk.
Once the mitigation actions are clear, the company can define priorities and create a roadmap to increase the security posture and reduce the risk exposure. Paramount for success is prioritisation and looking for mitigation measures that are beneficial in the long run, not only for the current situation. One big caveat is that it must be done remotely: project management, design stage, solution selection, vendor interaction and even deployment. And everything must be able to roll out without physical intervention.
The work-related changes due to the COVID-19 situation are likely to be here for a while. It comes with setbacks and opportunities, but if we manage it correctly we’ll come out safe and sound. If you want to learn more about cybersecurity during COVID-19 times, make sure to sign up for the PwC Cybersecurity Day 2020.