President of the Internet Security Alliance
American business was largely unprepared to fend off cyber criminals before the virus hit; we are now immeasurably worse off. Metaphorically, we have gone from leaving the door ajar to cyber criminals before the pandemic to throwing the door wide open and laying out a welcome mat. One study found 91 percent of enterprises reported an increase in cyberattacks. Google has reported 18 million phishing and malware schemes related to COVID-19 every day. There already have been twice as many attacks in 2020 as in the entirety of 2019.
What’s an enterprise to do?
Think outside the box
Organizations need to understand that the boundaries of their enterprise have expanded. In fact, what used to be known as the perimeter of the enterprise has now completely disappeared. Whereas organizations were beginning to understand that they needed to secure not just their own organization but their entire supply chain, they now must realize virtually the entire workforce is the “supply chain.”
The very nature of communication has changed with the new environment as people, information, and machines have become inseparable. Employers should think in terms of how information flows over the internet from employee to employee, employee to customer, machine to machine, and system to system throughout the communication process.
Virtually every communication is now a real-life version of the old game “telephone.” From a cybersecurity perspective, this heightens the ability of malicious insiders, or simply sloppy employees (and managers), to exacerbate cyber risk in ways difficult to detect using the old methods.
Organizations see technology disruption as a great strategic opportunity, but the careful system of checks and balances that even the better-secured organizations had in place needs to be rethought.
Not only are we not in Kansas anymore, no one is in Kansas anymore. Organizational leaders need to think in terms of balance. Tech innovations can be tremendously attractive in terms of immediate payoffs, but virtually all digital tech enhancements — while potentially great for productivity and growth — can also generate increased cyber risks.
Use of these tools may be absolutely necessary for organizations to compete, but they could endanger intellectual property, financial records, and business plans, not to mention personal data. Organizations need to be agile but also smart.
Turning thought into action
In one of the largest post-pandemic studies so far, ESI found that, “on average, firms see an overall Return on Investment (ROI) of 191 percent from their cybersecurity investments.”
ESI found that training programs and process enhancements are among the most cost-effective of cybersecurity programs. The ROI for cybersecurity investments in people averaged 283 percent, compared with 164 percent for investments in cyber process and only about 178 percent for investments in technology. However, the ESI study also found that one-third of cybersecurity investments resulted in negative ROI.
While there is no way to attest which investments are best for individual businesses, smart business leaders will ask a few important questions in order to assess how to address their specific ever-changing business and security environment.
- How has our threat picture changed post-COVID-19?
- What is our plan to prevent a “remote” cyber incident?
- Do we have written incident response and continuity plans for the new workforce?
- How has our supply chain security been affected post-COVID-19?
- How does our security budget change post-COVID-19, and why?
By balancing economics and security for the new world order and asking the right questions, agile organizations will put themselves in the best position to survive and thrive.