A successful enterprise risk response requires identifying the right stakeholders and finding the right data to make intelligent decisions.
With a reported increase in cyber-attacks such as phishing, scamming and other related activities during COVID-19, business leaders need to identify, assess, and effectively respond to these pandemic-related risks, using well-established enterprise resilience frameworks.
According to the EY global board risk survey of 500 board directors and CEOs carried out in late 2019, boards ranked cyber-attacks and data breaches as their second most important business risk. Yet in a matter of weeks, with most non-essential workers globally working from home, the increased use of remote access and collaboration tools has made cyber resilience both more difficult to achieve and more crucial to have in place.
Around 40% of board members surveyed say that cyber security is not a regular discussion item on their full board agenda, revealing an opportunity for many boards to strengthen oversight of this formerly existential threat, which is now becoming a reality for many.
With COVID-19 currently disrupting business operations across the globe, this could provide an opportunity to re-examine your cyber security policies and capabilities. Your organisation can take proactive steps to prepare for the next phases of this unparalleled pandemic and remain secure throughout the journey towards a new normal, whatever that might look like.
Here are three steps you can take to improve your organisation’s cyber security resilience:
1. Continue to promote safe computing practices within your organisation
Set expectations among your teams by reviewing the always “available” demands – employees should switch off from work and their devices every evening. You should also set clear goals and expectations for employees’ security responsibilities while they’re working remotely.
Establish multiple communication channels to keep your employees, partners and clients connected while also providing a conduit for sending and receiving critical information on security incidents.
Track, monitor and provide updates to avoid the spread of misinformation, panic, a decline in productivity, and employee disengagement, while enhanced security monitoring provides assurance on remote user behaviour.
Provide ongoing employee training and information to protect against cyber-attacks. Update previous materials and ensure current threats are highlighted.
2. Leverage technology securely to expand digital workspace capabilities
With much of the workforce still at home, you must increase your remote work capabilities securely. At the same time, be mindful that introducing new technologies also introduces new cyber and data privacy vulnerabilities, creating an increasingly complex cybersecurity landscape.
Expedite your security reviews and due diligence assessments of remote work infrastructure to support business operations with assurance.
Plan for response and business continuity by reviewing incident response plans and contingencies, including alternate employee communication channels (e.g., phone, social media).
Establish platforms that enable security personnel to carry out day-to-day activities remotely to the same standards as they would internally. Enable high-touch technology self-service platforms such as chatbots and interactive voice response (IVR) for issue management.
3. Make cyber security a top priority
Do you have adequate data security and backups in place? Review remote workforce data security needs, update policies and procedures, and communicate data backup practices with your teams.
Evaluate and fortify your infrastructure security, such as for VPNs, cloud environments and virtual desktop infrastructure. Deploy or enhance endpoint and mobile security to monitor and respond to threats.
Get regular updates from dependent third-party security service providers; revise your SLAs as needed.
Cyber security is just one element of an organisation’s business challenges during the pandemic, but nonetheless a significant one. EY’s COVID-19 Cyber Impact Assessment could provide assurance of the security controls most impacted by changes to the organisation and the operational effectiveness of these controls throughout the crisis.
This supports the board, senior management and audit committee with a snapshot of the organisation’s security posture and risk exposure during the crisis and through to the “new normal” future operating model.
With credible threats in play, this is the time to challenge whether enough time is spent at board level discussing cyber security and data privacy risks. Consider whether business model and cyber vulnerabilities necessitate additional oversight measures, such as leveraging outside cyber security experts to fill knowledge gaps or re-evaluating the board’s committee structure so that appropriate time and focus are given to cyber security risk.