Companies need to focus on cybersecurity and address the potential for expanding threats due to the abrupt shift to a remote workforce.
The number and aggressiveness of cyber threats have been steadily growing, particularly during the COVID-19 crisis. Prior to the pandemic, the World Economic Forum identified cyber attacks as the most concerning technological risk, and the latest EY CEO Imperative Study revealed that cybersecurity is the number one global concern for CEOs. Now, more than ever, private and public companies need to sharpen the focus on cybersecurity and address the potential for expanding threats due to the abrupt shift to a remote workforce.
The FBI has indicated a recent spike in cybersecurity complaints, receiving 3,000,000 per day, up from 1,000.[i] The average business ransomware payout since the outbreak has increased by 33%,[ii] and the EY Cyber team has noted a significant jump in phishing and targeted spear-phishing complaints. The question is not if, but rather when, an organization will fall victim. It is imperative that company boards and executives shore up their cyber strategy and stay vigilant. Here are three actions cyber-savvy CEOs are taking to address emerging cyber risks.
1. Weave cybersecurity through the business
Cybersecurity is not an IT task; it is an enterprise-wide issue that demands attention and collaboration from teams across the organization. “Cybersecurity is involved in virtually every important business decision – mergers, acquisitions, innovation, new product deployment, strategic partnerships, virtual working. All of these things have a cyber component,” says Larry Clinton, president and CEO of Internet Security Alliance. “Cybersecurity needs to be woven into the business on the front end and thought of more like we think of finance or legal, that is, an inherent part of every business decision.”
2. Put remote workers at the center of your strategy
When the pandemic erupted, the way we work changed instantly. The physical workplace shifted overnight to a remote workforce – something for which most organizations were ill-prepared. Cyber teams had to determine whether those remote workers were using personal devices and, if so, whether they had antivirus protection.
“Because corporate network operators no longer have the ability to manage home devices, you are further exposed now more than ever before,” says Warren Perlman, CIO of Ceridian. “We’ve gone from one corporate network to more than ever imagined based on the total number of employees now working virtually. That is a huge surface area and something that has to be managed very carefully.”
3. Learn from the experts
Boards understandably struggle with how to govern cybersecurity strategy, since it is an area with which few are familiar. The Internet Security Alliance and its members, including EY, worked with the National Association of Corporate Directors to develop a framework to help organizations better address the topic. It is built upon five basic principles:
1. An enterprise-wide strategic risk. Although there is an IT component, cybersecurity is not just an IT problem. It is also a human resource issue and a financial issue, so it should be woven into the business.
2. Legal and disclosure implications. Boards need to be aware of their unique legal obligations, which vary from country to country and by sector.
3. Board oversight structure and access to expertise. To create an effective cybersecurity strategy, boards need to bring in outside cyber and privacy experts.
4. An enterprise framework for managing cyber risk. Boards and management across the enterprise must work together in developing a cyber strategy, as well as understand each other’s roles.
5. Cybersecurity measurement and reporting. Management should present the board with a cyber risk assessment and framework. The framework must make sense from both a managerial and technical standpoint, and the cyber risk analysis needs to be forward-looking, risk management-oriented, empirical and financial.
What Organizations Can Do Now, Next and Beyond
Carlos Chalico, a leader in Cybersecurity and Privacy, EY Canada, offers advice on how private businesses can best strategize to fend off cyber threats during and after the crisis. In the short term, they should allocate resources that support the business in enabling teleworking, start planning for the future by continuing to enable a remote workforce, and determine how to interact securely with third-party sources, all while keeping an eye on how these actions will affect the cost structure. Moving forward, businesses need to define a new normal with a transformed cyber function optimized to enable a new business reality.
Think two steps ahead
Security by design should be the template moving forward. “As the workforce changes and as digital applications explode, what we are being reminded of again and again is you cannot bolt cybersecurity on after the fact,” says Chuck Seets, EY Americas Assurance Cybersecurity Leader US. “We are finding that board members and directors want to roll up their sleeves and dig into this issue and they are investing more and more of their personal time to get their arms around the risk. Developing a framework for effective governance is critical for successful implementation throughout the enterprise.”
The views reflected in this article are those of the author and do not necessarily reflect the views of Ernst & Young LLP or other members of the global EY organization.