October 1, 2020

Cybersecurity during COVID-19 and Beyond

Chubb survey shows SMEs unruffled by cyber risk

Research by Bain & Co. indicates that executives at many companies overestimate the effectiveness of their cybersecurity and lack the strategic capabilities essential for a robust posture, according Gregory Garnier and Syed Ali.

While the COVID-19 pandemic hit its peak, businesses across the globe had to make drastic changes to survive. Owing to difficulties in arranging personal meetings and the inability to work with physical documents, most organisations adopted technological innovations and went digital.

Not only did the pandemic force most companies to embrace the new digital era, but approximately 70 percent of the companies rolled out work-from-home (WFH) for their employees. This included increasing network connectivity to allow more people to connect simultaneously, shifting select workloads to the cloud to make access easier and faster, adopting new collaboration and productivity solutions like Zoom and Slack, and deploying devices like laptops along with peripherals. Unfortunately, while companies scrambled to keep their workers productive, there was a significant rise in cybercrime.

Even before the COVID-19 pandemic, few organisations had mature cybersecurity capabilities that could meet the mounting challenges posed by attackers. Research by Bain & Company in the fourth quarter of 2019 found that executives at many companies overestimate the effectiveness of their cybersecurity and lack the strategic capabilities essential for a robust posture. Instead of increasing cybersecurity, over 40 percent of large enterprises made moderate to significant reductions in IT budgets, and about 20 percent cut their security spending. This made it easier for malicious entities to launch attacks with a greater frequency and intensity on remote employees and other corporate assets. Security teams have seen more attempts at intellectual property theft, particularly since late January 2020. APT41, a prominent cyberthreat group, reportedly targeted companies across industries in the US, UK, Canada and parts of the European Union and Middle East using recently disclosed vulnerabilities in major vendor systems. This was one of the broadest campaigns in recent years, and its aim was long-term espionage and surveillance.

With the digital ecosystem expanding almost daily, it is essential to protect customer information, intellectual property, sensitive communications and other data generated online. Organisations should take two sets of actions against cybercrime, the first to neutralise the threats to all companies that have adopted digital technology and the second to position themselves for the evolution of how work gets done after the pandemic. A multidisciplinary task force is the most effective way to tackle WFH threats and improve resilience during the pandemic. The chief security officer should lead this effort, along with informed leaders with decision-making authority from various parts of the business, IT and cybersecurity, as well as audit, risk, compliance functions, legal and HR.

The task force should begin by characterising groups of remote workers and partners based on their business role and level of access. All groups should be covered by a common set of modern security technologies and processes. However, high-risk groups, like the top leadership who perform mission-critical functions or employees that have the deepest system access such as DevOps teams, system administrators and application developers, need a robust complement of security.

Additionally, to avoid hacks, companies must also consider revising software and hardware technology standards, such as minimum specifications for employee-owned laptops, and lists of approved USB, HDMI and Bluetooth peripherals for remote workers. Strong cybersecurity involves much more than implementing technology. Companies should perform ongoing activities like adjusting technology standards and offering security-awareness training that help maintain a security baseline for remote work. Finally, companies must also reevaluate the full complement of security capabilities as they permanently adjust operating models for the post-pandemic world.

Text provided by Gregory Garnier, partner at Bain & Company Middle East and Syed Ali, expert partner at Bain & Company Houston, United States.



Previous Issue