COVID-19: Digital transformation enabler or cybersecurity disaster?

October 1st, 2020

Matt Elton


INTRODUCTION


As many places around the world continue to struggle with the COVID-19 pandemic, it seems likely that the much discussed “new normal” is going to be around for a while yet. For many firms, this “new normal” has come to mean having to manage a remote workforce, confined to their home offices and dealing with clients using video conferencing. Some employees, and even employers, have expressed a desire to retain this way of working into the future, saving on office rental costs and avoiding the daily commute to the office!


COVID-19 has been described as the big enabler in Digital Transformation, tearing down beliefs that it is necessary for staff to work in crowded city-centre offices to be productive, and that customers will only deal with firms they can interact with face-to-face. Satya Nadella, CEO of Microsoft described the change as “two years’ worth of digital transformation, in two months”. He may be right; Microsoft’s own collaboration tool, Microsoft Teams, went from 17 million to 75 million users as a direct result of the pandemic. While it may be true that firms are far more accepting of digital working practices than they were pre-COVID-19, much of the “digital transformation” which has taken place has been done in as an emergency, and reactionary, measure, with firms making quick, often tactical decisions to bring pieces of technology and new vendors into their businesses to keep-the-show-on-the-road.


LOOKING BACK


While COVID-19 is certainly not the first incident many firms have faced, what is significantly different is the truly global nature of the pandemic. Firms initiated their BCP plans very quickly, with very little opportunity for any detailed (re)planning or alignment. Firms have faced a number of challenges, not least because many firms' BCPs were focused on their own situation or perspective - for example, not being able to work in their office, or in a particular city; of course in the COVID-19 situation there was no possibility to fail over operations to the firm’s offices in Chicago, San Francisco, London, Tokyo, or Sydney, as everywhere faced a similar situation. The response of a great many firms was to send staff home, asking their staff work from home.


In no particular order, some of the key issues that firms faced:

- BCP plans were not fully tested, or did not anticipate widespread events, including having to move to 100% remote access.

- Firms did not evaluate the BCP plans of their critical service providers, and how they would impact the firm’s own BCP.

- Firms trying to equip staff with mobile devices and laptops faced supply issues and long lead times for purchasing new equipment.

- Many firms have centralized IT infrastructure and have experienced network and telecoms capacity issues with everyone working remotely.

- Staff using home internet connections not intended for business use suffered from localized latency, performance, and availability issues.

- Loss of key personnel for extended periods of time with insufficient succession planning, leading to an inability to make decisions.

- Firms who deal in a predominantly face-to-face business model needed to quickly find a way to interact with clients, and other key contacts, without physical contact.

- Supervising staff remotely for long periods of time proved challenging for team leaders, middle-management, and senior staff.

- Some staff abused working from home to avoid surveillance and take part in illegal, unethical, and prohibited activities.


What is clear is that the rapid development of the situation has led firms into taking very quick decisions to change their operating models, and with it potentially exposing themselves, and their clients to new risks.


CONFIDENTIALITY AND CYBERSECURITY


Confidentiality, cybersecurity, and privacy risks are particularly concerning, and expose firms to potential reputation damage, regulatory fines, and legal issues. While the world has been grappling with the pandemic, not everyone has had our best interests in mind – it has been an opportunity too good for cybercriminals, corporate espionage, and even hostile governments to gain access to sensitive private data. Cybersecurity incidents of one form or another are being reported almost daily, with phishing, data theft, and ransomware all on the rise, many of these incidents directly traceable to staff working from home.


The causes are often to be found in the very reaction of firms to the new pandemic-led working model. Firms may have made quick and on-the-fly configuration changes to allow staff to work remotely – are these sensible, and is the configuration secure? Do these changes allow the possibility for hostile parties to access the enterprise or its private data?


The sudden increase in the use of BYOD (bring your own device) driven by a lack of remote working infrastructure has led to staff using consumer grade devices for work purposes. Firms should ask: are these devices patched, securely configured, or can they even be securely configured? Consumer operating systems often lack enterprise-class functionality like full disk encryption, for example. Are antivirus utilities up to date? Perhaps more importantly, what level of control does the enterprise have of its data when it resides on these employee-owned devices?


The security of home networks has suddenly become a key issue, these becoming the perimeter of the enterprise, with the result being, perhaps not unsurprisingly, a significant increase in attacks on home routers and end user devices to use as a back-door to the enterprise.


Cloud services have started to be used more extensively, including file and data sharing without necessarily understanding the impact – firms should ask if they are still in control of the data? How many individuals shared information with the colleagues using personal email and file sharing tools without any idea that data is potentially being transferred across international borders – where is this data now and who has access to it?


New roles were quickly introduced for service providers and third parties – firms should ask if this work is being done securely, as well as how do these vendors operate, and how are they managing our data?


Firms were quick to introduce new tools to keep in touch with staff and clients, and despite widely publicized risks, conferencing tools like Zoom were being implemented by everyone from families and friends to small, medium, and large enterprises and governments alike. Are these the right decisions and solutions going forward?


DON’T FORGET PHYSICAL SECURITY


We often think of our homes as our safe place, but perhaps now that our homes have become our workplaces, we need to reconsider. Office buildings are designed to be secure, have on-site security personnel, and strict access control systems. Employees’ homes, by comparison, are most definitely not; relatively basic alarm systems are no match for today’s sophisticated criminal. Theft of end user devices is on the rise, and theft of a device can easily lead to theft of credentials and data.


Employees often believe that their homes are private, write down passwords, and other sensitive authentication data on post-it notes and attach them to their screen or desk! It is easy, and perhaps a little naïve, to think that theft of equipment is only undertaken by petty-criminals seeking some quick cash to buy drugs. Targeted thefts are performed by sophisticated criminal groups whose reason for theft of the equipment is for something of far greater value: the data, or access to data that the device might provide.


Business focused social networks like LinkedIn make it easy to identify staff in key positions who are likely to have access to sensitive data. Correlate these names with personal social networks, especially Facebook updates, and it is very easy to figure out when the employee is out of the house.


INSIDER RISKS


The traditional approach to information security was to focus on the external threat, bad actors from outside the organization out to profit from the firm’s data. The top concern of the moment is insider threats, employees taking advantage of working in the less supervised privacy of their own homes to steal data from the firm, or use privileged information that they are party to for their own personal gain.


A recent meta study by Deloitte found that those who carried out data theft often had a history of violating company policies, and 92% of cases were preceded by some kind of negative work event. 97% involved an employee that had been flagged by a supervisor but not followed up on. Some may be surprised by the amount of planning and preparation which goes into data theft, with 59% of employees who leave an organization, voluntarily or involuntarily, saying that they take sensitive data with them!


Even when operating in an office environment, regulated firms have experienced challenges surrounding the conduct of their staff, mis-selling scandals which have both damaged the reputation of firms and exposed firms to fines. When working from home, the risk of misconduct is greatly increased – what is to stop an employee who isn’t correctly supervised from acting in their own interest rather than that of the firm or their client?


Employees working in an un- or under-supervised environment have an increased risk of performing trades on their own accounts to benefit from privileged information that they may be exposed to in their daily activities. Not only are these actions illegal, they can expose the firm to reputational damage and fines


WHAT SHOULD FIRMS DO?


As it seems this “new normal” is going to be around for a while, and it may even become the case that work life is “never the same again”, firms need to take stock of the changes they have made.


Perform risk assessments on their new working practices, the new roles for vendors, and the solutions they have put in place. If any of the quick-fixes are outside of the firm’s risk appetite, alternatives will need to be found and put in place.


The first task is to create an inventory, evaluating where we are now. What does the firm have, data and infrastructure, where is it deployed, how is it configured, who has access to what, and from where? Understand where you have sensitive data, not only data relating to individuals as GDPR, CCPA, or PIPEDA mandates specific controls, but also corporate confidential data. Where firms are using cloud services, evaluate where these are implemented, what controls are in place, and what access does the vendor have to corporate data? Where data is shared with suppliers and other third-parties, how are they managing it? Ensure that information and protection governance is up to data, that data is correctly classified, governed, and protected. Quantify the impact of data leakage, both in terms of potential fines, as well as the value of the data itself.


Operating models need to be updated to ensure that staff understand what to do when working remotely. Having reasonable policies and procedures in place is an essential starting point, followed up with defining the roles and responsibilities, and skills necessary to perform them. Firms need to ensure that staff have the right skills and knowledge to do their jobs, and ensure that sufficient succession planning is in place should key roles or specialist knowledge be lost in the event that staff are unavailable for extended periods of time, with continuity planning for key roles and responsibilities. Give users training and guidance, test their understanding, and enforce policies without inhibiting productivity. A training and certification program backed up by both internal, job specific, and external training and e-learning ensures we know how to get a new staff member up and running in a short period of time should the need arise.


With a distributed workforce, it is even more important that firms keep track of their different internal controls. Linking controls to external regulatory requirements and external standards, as well as the company’s internal policies allows for traceability.


THE OPPORTUNITY


It certainly seems that this COVID-19 driven work transformation is going to have an impact on us for the long term. In this, of course, there are lots of opportunities for solution vendors to package their products and services to be the enablers in securing the remote working environment. Cybersecurity solution vendors, GRC tools focused on risk management and reduction, and solutions for conduct risk management are all positioning themselves for the “new normal".


Demand for solutions to remote employee supervision, range from determining that staff are sitting at their desk, and working their contracted number of hours, all the way to logging all activity including screen and keystroke logging applications on the company owned device. These controls can be aligned with conduct risk monitoring solutions to identify bad behaviour on the part of the employee. Of course, firms will need to balance the privacy of their employees with the need for supervision to avoid accusations of abuse, whether real or perceived, and put in place the necessary checks and balances.


An overhaul of the workplace to one which is truly digitally-enabled gives a great opportunity for regulated firms to increase efficiency and effectiveness – and with it, a huge opportunity and market for the 1000+ firms producing solutions.


Joined-up thinking in putting together the firm’s digital strategy with its regulatory approach is vital to fully unlocking the value of the opportunity.