In a year we would all rather forget; an unfortunate side effect has been a rise in ransomware incidents and opportunistic cyber-attacks. Our current situation has been unexpectedly thrust upon us, forcing a rapid change to our ways of working, and a more vulnerable remote workforce. One positive that’s close to my own heart though, is a growing awareness of cybercrime, and a shared responsibility across the entire organisation from the Board and the CEO, through to the front line, to boost cyber resilience.
I have been in this business for more than 19 years, and I’ve spent every day obsessing about the cyber perils that businesses face, with my frustration that it seemed many just didn’t seem to care. Maybe the executive team didn’t have the right education or training, or maybe, they just didn’t think the risk was real.
Whatever the reason, the move for so many to remote working, has forced business leaders to think ‘harder’ about how vulnerable their workforce is. IMHO, pre-COVID, there was a degree of complacency for many. We’ve all been guilty of a laser focus on business growth, sales, and new product development, and that urgency for more and faster progress. Rarely did we make enough time to think about the downside risk.
When you can glance around an office and see hundreds of smart professionals, busily working away at desks and in meeting rooms, with a buzz of friendly banter across the office and teams rushing along to close the next deal. Everything is going well, and you’re on track. You can see it with your own eyes, and anyone that dares to suggest that it might not last, or that a devastating cyber incident might be imminent, risks scowls from the exec team who are hell bent on delivering an upbeat quarterly update. Don’t be the office buzz kill, so the Infosec team would often continue their planning and monitoring of risks behind the scenes with very little fanfare, and scarcely the time or resources that they need to adequately protect the business and its people.
Just as we hear that Microsoft observed 2-years of digital transformation in the first two months of the pandemic, so too is Zero Trust becoming a mainstream. Andrew Conway, GM, Microsoft Security says ‘Zero Trust shifted from an option to a business priority in the early days of the pandemic. In light of the growth in remote work, 51% of business leaders are speeding up the deployment of Zero Trust capabilities,’ adding ‘The Zero Trust architecture will eventually become the industry standard, which means everyone is on a Zero Trust journey... 94% of companies report that they are in the process of deploying new Zero Trust capabilities to some extent.’
Now that leaders don’t have the luxury of walking the floor, and trusting their eyes, they are forced to contemplate the risks that they can’t see. What if Rodger lets his kids use his laptop in his lunchbreak? Or, if Jodie works from an unsecure public WiFi network at her local café? The finance team are under the pump at the end of financial year and they’re struggling to adjust to the cloud environment – they used to have access to all of their files via a secure, internal shared network. What if one of them inadvertently leaves a file on a public directory, or if they click an email without thinking, because they’re on the phone to a creditor and their kids are home schooling on the other side of the kitchen table?
Certainly, in 2020, not only has the world been turned on its head by the COVID-19 pandemic, but there has also been a parallel rise in the number of new cyber threats hitting inboxes, and in reports of companies falling prey to ransomware and other malicious scams.
Every other day now we read about a new threat, or of a new company that has fallen prey to an attack:
- Garmin: Reportedly paid a ransom of $10M following a ransomware attack that encrypted its internal network and some production systems in July.
- Twitter: Became a victim of business identity theft. High-profile Twitter accounts (like those belonging to Elon Musk, Joe Biden, etc.) were hacked in July after a fraudster convinced a Twitter employee he worked in the company’s IT department.
- University of Utah: Paid $457K to prevent cybercriminals from releasing files stolen during a ransomware attack in August that encrypted the university’s College of Social and Behavioral Science (CSBS) servers.
- BlueScope Steel: Halted its production systems after a ransomware infection was discovered in one of the company's United States-based businesses in May.
- Service NSW: Suffered a cyber-attack in April after being targeted by a phishing campaign. The government department confirmed that 47 staff email accounts were accessed in the attack.
- Toll Group: Was hit twice by ransomware attacks this year, in January by MailTo and in April by Nefilim, resulting in significant disruptions to its online operations.
All of these companies and institutions are large, well-funded and sophisticated organisations. And, they all exist in that same torrid, daily business environment that we all share, where priorities are constantly being weighed to ensure that we hit our targets. Where we struggle with the daily grind to serve all of our stakeholders to our best ability.
But the vulnerability of these firms, and sadly their recent experience, carries a lesson for us all – that no company is immune from a cyber-attack.
To succeed in the post-COVID-19 era, business leaders are actively rethinking their cybersecurity strategies and resilience to accommodate not only a more distributed, remote business model, but also a significantly more treacherous threat landscape. A new survey by Microsoft found that globally, 58% of business leaders have reported budget increases for security, while human security expertise is at a premium, with more than 80% of companies adding security professionals in response to COVID-19.
Every cloud has a silver lining, and this one is far too valuable for us not to recognise.
How do you think perceptions towards cybersecurity have changed since the advent of the pandemic? Leave your comments below.