2020 has brought with it immense change across the cybersecurity risk landscape. The effects of COVID-19 pandemic are still ongoing, and the opportunities for new cybersecurity risk areas to emerge is more real than ever.
The perfect storm of strained resources in organizations’ Security Operations Centers (SOCs) as corporations virtualize their workforce, to increased complexity within supply chains have cybersecurity risks emerging from every angle. Chief Information Officers (CIOs) and Chief Information Security Officers (CISOs) need to have visibility into their cybersecurity posture now that the cybersecurity risk landscape has drastically changed.
Knowing where you stand against cybersecurity best practices and then remediating effectively are two steps to boost security across organizations, as detailed in a previous post. Before doing your first assessment, however, it’s essential to keep up-to-date with where adversaries are targeting and to understand the risk that comes with changes in the current landscape. Focusing your efforts will help you inform your cybersecurity risk management strategy for 2020 and beyond.
Cybersecurity Risk in the Supply Chain
Supply chain attacks were up 78% in 2019 according to Symantec, and that exponential increase isn’t slowing down anytime soon in 2020. Supply chain cyber security is a constant area of focus for many enterprise organizations.
Organizations without dedicated vendor or third-party risk teams oftentimes have difficulty assessing the posture of their supply chain. The complexity created by increased digitalization, business growth, and third-party partnerships increases the need to protect sensitive information, including financial, personal, and strategic information such as intellectual property.
COVID-19 spurred travel restrictions that limited the number of assessment organizations and service providers that could perform onsite assessments, creating a gap in the supply chain security program’s activities. Some businesses are approaching this issue by asking suppliers for reports on how they have changed their cybersecurity risk management strategy to accommodate these changes. If possible, vendor risk management teams are encouraged to track supplier cyber risk posture with not just risk assessments, but also security controls, policies, and procedures managed in a single system of reference such as an integrated risk management solution.
75% of the Fortune 500 will treat vendor risk management as a Board-level issue by 2020. - Gartner
Especially for organizations that partner with a lot of small businesses, which are most at risk for cyber attacks, knowing where the security gaps in the supply chain lie are critical to directing suppliers to meet low-hanging-fruit cybersecurity best practices from multi-factor authentication to scenario planning. As much as security leaders hope the supply chain will promote proactive cybersecurity whenever possible, it’s best to be very realistic about what cybersecurity risk areas exist and to communicate these risks to leadership before they manifest, especially in times of economic uncertainty.
Cybersecurity Risk in Being Human
In times of crisis and uncertainty, cybersecurity teams must stay alert and proactively work to make sure that employees across their organization are not caught with their guard down. This effort takes many forms, but the two that show great promise during times such as these are awareness and training as well as prioritizing the mental health of employees.
Ultimately, cybercriminals are looking to exploit areas of weakness - whether it’s forgetting to turn on 2FA or clicking on a link in a seemingly innocent email. Both of these examples of opportunities for cyber incidents are what most would describe as human error. Implementing a virtual awareness and training program, or holding weekly security training detailing the most common cyber attacks and how to spot them in the day-to-day may be what organizations need to stay alert and aware as change continues to occur.
Especially in sectors such as hospitals and healthcare, prioritizing awareness and training is essential (if you're in the healthcare sector, check out our PDF of the most common attacks during times of crisis and security controls to prioritize during the COVID-19 pandemic PDF). The DDoS attack on Health and Human Services was only the beginning. It’s also worth noting that while many of these cyber attacks are designed to manifest quickly and cause disruption quickly, some of the most sophisticated state actors will be taking advantage of organizations that are preoccupied with maintaining day-to-day operations and shifting to remote work by taking a longer-term approach to creating disruption. For example, some sophisticated cybercriminals will plant malware inside a piece of critical infrastructure, only to have it manifest months down the road.
Human error comes about in a variety of ways, and the data shows that it’s not just awareness and training that can make all the difference. The other area to focus on - mental health - may not be talked about as much, but in unprecedented times like those we’ve experienced in 2020, it’s more important than ever to support employee’s need to rest, reflect, and spend time offline. Positive morale and the mental agility and alertness that comes from a healthy psyche is in large part the responsibility of managers and the employer.
Building a healthy and balanced culture during times of uncertainty could help avoid the opportunities for cybercriminals to exploit employee mishaps - an employee’s mindset could be the difference between engaging with phishing attacks touting “Coronavirus News” or spotting that attack right away.
Cybersecurity Risk in Corporate Governance
The interconnected risks that have been fueled by the events in 2020 are requiring greater oversight from information security and cybersecurity teams, security and risk leaders, and executive management from the C-Suite to the Board of Directors. One clear area of cyber security risk in 2020 will come from the inability of corporate governance functions to have the same level of efficacy that they had when meeting in-person.
If Board members fall ill or are unable to fulfill their duties, there must be a plan. Organizational leadership must be confident that their business will be able to maintain operations regardless of environmental or cybersecurity incidents alike. Executive meetings must be organized in virtual or hybrid ways while still maintaining their ability to work as a team and react quickly and precisely in times of crisis, especially if a cybersecurity event occurs, but even simply continuing to sign off on day-to-day initiatives without additional delay.
Creating clear incident response plans and maintaining cybersecurity governance through an integrated risk management approach is recommended for leadership regardless of the business scale. In addition, linking the reality of cybersecurity risks to impacts on the bottom-line - and measuring Return on Security Investment (ROSI) if possible - is critical while trying to maintain growth and financial stability during economic uncertainty and still managing cybersecurity risk.
About CyberSaint’s Integrated Risk Management Approach
CyberSaint’s mission is to empower all organizations to build a cybersecurity program that is as clear, actionable, and measurable as any other business function. CyberSaint’s CyberStrong platform empowers teams, agencies, and government leaders to measure, report, and mitigate risk with agility and alignment, even in the most uncertain times.
The CyberStrong platform is a flexible, agile system through which security teams and organizational leadership align to build cybersecurity resilience and boost productivity. The platform’s ability to simplify even the largest enterprise continuous assessment projects has organizations achieving audit, risk, third-party, and regulatory compliance objectives with remarkable results.
CyberStrong’s near-immediate implementation time, ability to put cybersecurity posture in the context of organizational objectives, and breakthrough Machine Learning automation have CyberSaint highlighted as “an example of a technology provider that demonstrates a vision for addressing emerging risks associated with cybersecurity”.