COVID-19: An Ignitor in Information Risk Management

Author: Adham Etoom, PMP, GCIH, CRISC, FAIR, CISM, CGEIT, Government of Jordan, National Cyber Security Center, Jordan, and Ejona Preci, CISM, CRISC, ITIL, Information Security Risk Manager, FREE NOW (BMW & Daimler joint venture), Germany
Date Published: 18 May 2022

“Pandemics are known unknowns.”

The phrase makes one think about risk instinctively: we are uncertain about when pandemics will happen and about how we should prepare to contain and reduce their impact. COVID-19 is considered one of the most complex known unknowns to quantify because of the lack of reliable data about its emergence, its multiple mutations and its rate of spread across the globe.

We have seen different countries rely on different approaches and countermeasures to contain the pandemic. Deciding how strictly controls must be enforced to make people comply with what is expected of them is itself an excellent example of risk management in practice.

Because the pandemic has had an unprecedented impact across the globe, the response to it should be treated as a global risk management case study with practical lessons for every industry, and an invaluable exercise for cybersecurity practitioners in particular.

The prolonged spread of COVID-19, along with the social and economic upheaval that followed, has also accelerated digital transformation. Many organizations seized the digital opportunities without quantifying their risk exposure, which gave rise to new risks. Organizations were forced to adapt to physical distancing and teleworking almost overnight.

This created new priorities that required a shift in cybersecurity mindset. Remote onboarding, the growing use of online collaboration tools and access to the organization’s information assets from non-corporate networks created the need to redesign business processes, update the risk register, focus on the effectiveness of cybersecurity controls and review the risk appetite statement. The same changes widened the attack surface and gave rise to a broader range of cyberattacks.

According to the “Cybercrime in a Pandemic World” report from McAfee Enterprise and FireEye for 2021, 81 percent of global organizations experienced increased cyber threats, and 79 percent experienced downtime due to a cyber incident during a peak season. The attacks were diverse and included ransomware, data exfiltration and leakage, phishing, brute-force attacks and malware.

The massive adoption of work-from-home technologies and applications has put considerable strain on the cybersecurity function within the enterprise, which must safeguard these applications without impeding overall enterprise performance and employee productivity. Cybersecurity leaders around the world must address three main areas: technology, people and processes.

Technology: The required technical controls must be in place as enterprises enable employees to work from home while maintaining business continuity; the cybersecurity function can guide the selection of controls that mitigate the resulting cybersecurity risks.

People: All employees, including those working from home, must understand the information and cybersecurity risks they face and must continue to exercise good judgment, forming a “human firewall” that keeps the enterprise secure.

Processes: Few internal processes were designed with extensive work from home in mind. Re-engineering them for resilience helps establish the right controls to mitigate the resulting risk.

Employees working from home must keep exercising good judgment to maintain information security by adhering to the stronger technical controls their enterprise puts in place. Organizations, for their part, should make sure they are not fighting a losing war: by spending a disproportionate share of resources on preparedness for known risks, they may miss new risks emerging from other directions.

As they navigate the new digital opportunities, organizations are trying to reframe their risk universe and adapt to the new risk factors. All information risk management processes are now iterated more frequently than before, with a shorter risk response and monitoring phase between iterations.

Furthermore, COVID-19 has seriously challenged the ability of organizations to apply their risk appetite, tolerance and capacity when making important business decisions. It was a real resilience test for risk methodologies and frameworks in general, and it revealed many weaknesses and deficiencies in risk management practices. The role of information risk management appears to have been reframed from an information security governance function into a critical business ally.

To fully understand the potential risks associated with each hazard and to support informed decisions, the most probable scenarios must be evaluated and communicated using both top-down and bottom-up approaches. These scenarios should represent the reasonably foreseeable range of events that an organization may experience. Another essential tool is the definition of meaningful key risk indicators (KRIs) as an early-warning system that helps organizations monitor, manage and mitigate known and emerging risks. KRIs must be linked to the organization’s strategic priorities so that they flag when the organization is at risk of not achieving its objectives.
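The early-warning role of a KRI comes from watching both its current value against the tolerance derived from the risk appetite and its trend over recent periods, so that a breach is flagged before it happens. The following is an added example, not code from the article or its authors: the KRI names, tolerances, linked objectives and weekly history values are constructed for illustration, and the four-period horizon is an assumed reporting choice.

```python
"""Threshold-plus-trend evaluation of key risk indicators (KRIs).

Added example: every KRI, tolerance and history value below is constructed
for illustration; none of it is data from the article.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class KRI:
    name: str
    objective: str                  # strategic priority the indicator is linked to
    tolerance: float                # value beyond which the risk exceeds appetite
    higher_is_worse: bool = True    # direction in which the indicator degrades
    history: List[float] = field(default_factory=list)  # one sample per period


def slope(values: List[float]) -> float:
    """Least-squares slope per period over equally spaced samples."""
    n = len(values)
    if n < 2:
        return 0.0
    mean_x = (n - 1) / 2
    mean_y = sum(values) / n
    num = sum((x - mean_x) * (y - mean_y) for x, y in enumerate(values))
    den = sum((x - mean_x) ** 2 for x in range(n))
    return num / den


def evaluate(kri: KRI, horizon: int = 4) -> Dict[str, object]:
    """Classify a KRI as 'breach', 'warning' (projected breach within
    `horizon` periods at the current trend) or 'ok'."""
    if not kri.history:
        raise ValueError(f"{kri.name}: no samples recorded")
    current = kri.history[-1]
    breached = (current > kri.tolerance) if kri.higher_is_worse else (current < kri.tolerance)

    eta: Optional[float] = None
    if not breached:
        rate = slope(kri.history)
        moving_toward = (rate > 0) if kri.higher_is_worse else (rate < 0)
        if moving_toward:
            # periods until the trend line reaches the tolerance
            eta = abs(kri.tolerance - current) / abs(rate)

    if breached:
        status = "breach"
    elif eta is not None and eta <= horizon:
        status = "warning"
    else:
        status = "ok"
    return {
        "kri": kri.name,
        "objective": kri.objective,
        "current": current,
        "tolerance": kri.tolerance,
        "status": status,
        "periods_to_breach": eta,
    }


def report(kris: List[KRI], horizon: int = 4) -> Dict[str, str]:
    """Map each KRI name to its status; the objective link is kept in evaluate()."""
    return {k.name: str(evaluate(k, horizon)["status"]) for k in kris}


# Constructed sample data: weekly samples, oldest first.
SAMPLE_KRIS = [
    KRI("Remote sessions without MFA (%)", "Secure remote access", 5.0, True,
        [2.0, 2.5, 3.1, 3.8]),            # within tolerance but rising fast
    KRI("Phishing simulation click rate (%)", "Human firewall", 10.0, True,
        [12.0, 11.0, 10.5, 10.2]),        # improving, yet still above tolerance
    KRI("Critical patches applied within SLA (%)", "Resilient critical assets", 90.0, False,
        [97.0, 96.0, 96.0, 95.0]),        # slipping, but not within the horizon
]


if __name__ == "__main__":
    for kri in SAMPLE_KRIS:
        r = evaluate(kri)
        eta = r["periods_to_breach"]
        eta_text = f", breach in ~{eta:.1f} periods" if eta is not None else ""
        print(f"[{r['status']:7}] {r['kri']} = {r['current']} "
              f"(tolerance {r['tolerance']}, objective: {r['objective']}){eta_text}")
```

The first indicator is the one the paragraph above is concerned with: it is still inside tolerance, so a threshold-only check would report nothing, but its trend projects a breach in about two periods, which is the early warning a KRI is meant to provide. The second shows that an improving trend does not clear an indicator that is already outside appetite, and the third shows a degrading indicator that is not yet worth escalating.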

Additionally, the ability to embrace agility and adapt quickly to a changing environment is now more important than ever. To foster an agile approach, organizations should:

  • Increase cross-functional collaboration
  • Secure strong management buy-in for risk management activities
  • Increase the speed and accuracy of the data collection and analysis that feed the performance indicators
  • Be proactive throughout all risk management phases
  • Bolster the resilience of critical information assets

Boards of directors must have reasonable and realistic cyberrisk expectations for the COVID (and eventually post-COVID) world, and this cannot be achieved without building true resilience in all three areas mentioned above: technology, people and processes. They must provide effective oversight of the risk management function to ensure sound governance practices across the enterprise.

In addition, boards of directors should allocate a dedicated security budget, separate from overall technology spending. To keep pace with the cybersecurity challenge, organizations must treat cyberrisk at the strategic level. The enterprise-wide approach to identifying, detecting, responding to and recovering from information risk must be communicated effectively to the board of directors and across functions.