Digital risk

COVID-19 and cybersecurity: Getting the response right

The Coronavirus Pandemic has forced many businesses to reconsider their cyber and data privacy systems and policies. But how can firms best mitigate risk and manage compliance in this new operating environment?

For businesses across all sectors of the global economy, cybersecurity has become one of the biggest risk factors associated with the coronavirus (COVID-19) pandemic. As they try to continue operations without interruption, and protect their workers and employees, businesses increase their exposure to cyber attacks.

At a specially convened Cyber Surgery for its clients, Grant Thornton UK’s experts discussed the specific types of threat that are emerging, as well as what actions businesses should be taking to reduce risk and maintain regulatory compliance during these extremely challenging times. The issues discussed apply more widely around the globe.

The session, Risks And Regulatory Expectations: Responding To Evolving Circumstances, was presented in collaboration with multinational law practice Eversheds Sutherland.

Emerging cyber risks

The lockdown policies introduced into economies all over the world have forced millions of businesses to pivot quickly to more agile forms of working – with the large-scale adoption of home working technology.

Vijay Rathour, Partner and Head of the Digital Forensics Group at Grant Thornton UK, explains: “We have seen organisations carrying out a transformation that may take six weeks under normal circumstances in just a few days – and we are concerned about how the threats and threat actors are evolving to take advantage of this rapidly changing cybersecurity landscape.”

The attack surface for cyber criminals – the opportunities to break into businesses, for example, as well as to compromise individual workers – is constantly evolving, a situation that is creating unprecedented challenges for firms, both in terms of security and compliance.

“There has been a significant increase in cyber attacks in organisations like financial services and professional services firms – in fact, any business that controls sensitive or valuable data,” explains Rathour.

“But what we are also seeing is that even many larger organisations, despite having comprehensive business continuity plans, have never, in fact, tested these plans in anger,” which increases vulnerability and presents opportunities for cyber criminals.

Insider threats

External dangers are not the only risks to businesses. “Insider threats – whether accidental or malicious – are also very real,” points out James Arthur, Partner and Head of Cyber Consulting at Grant Thornton UK. “There are lots of people who switched to working at home at short notice who may be making unintentional mistakes, for example.”

“There is also the issue of disgruntled ex-employees. We have heard reports that it is of particular concern in the US, where companies have had to let people go at very short notice. Businesses are concerned that these workers may have been able to take intellectual property with them – or employers may not have been able to close down their access to data quickly enough.”

Another problem that organisations might face is the rise of “shadow IT”. Arthur explains: “This is where different areas of the organisation have spun up their own services – for example, where a development team has taken some space on an Amazon Web Service, or a joint working team has decided to start using Dropbox for exchanging information.”

The danger there, particularly when using cloud-based services, is to think that security is “someone else’s problem”. Arthur says: “Now is the time for organisations to get their arms around what cloud systems and infrastructure their people are using and ensure they are clear on who is responsible for securing and monitoring these – and to ensure people are adhering to the processes and training they have been given.”

Outsourcing concerns

The panel also responded to questions about the security issues surrounding the outsourcing of IT solutions as well as other areas of operations.

As Rathour explains: “You should invariably be implementing privacy-by-design and data-segmentation policies so you have insight and control over who has access to data in both first- and third-party environments.” Moving to agile and home working environments may expose gaps in the access controls presented to employees – or hackers.

Many outsourcing issues are around ensuring basic security standards are met by suppliers of technology services. Arthur adds: “For large businesses with distributed supply chains, a lot of it is about using effective threat intelligence – understanding the risks that can be exploited and how they can be escalated through the chain.”

He continues: “At a time when a lot of businesses are using VPNs to connect securely, there are still a number of organisations using VPNs from major manufacturers that have some easily exploited vulnerabilities, which still haven’t been patched.”

Regulatory challenges

Growing cyber risks and shifts in working practices are presenting new compliance challenges as well, the panel agreed. Having workers across geographical locations presents issues related to GDPR, especially in relation to data transfers outside the European Economic Area (EEA).


Rathour says that although some organisations have said they are going through a compliance pause as they implement new systems, regulators have not formally relaxed their expectations or requirements. Businesses should therefore ensure that any temporary solutions implemented at the start of the lockdown are clearly documented and explained for the benefit of regulators.

Another important factor from both an operational and a regulatory perspective is being able to demonstrate that any security policies have been tested in a robust fashion.

“What we have seen recently is that regulators are becoming increasingly interested in the detail of cyber solutions and whether they are operationally effective,” says Arthur. “While a year ago, regulators might have been happy with high-level information about solutions, there is a lot more emphasis now about exactly what technology is in place and whether it has been shown to be operationally effective – and this emphasis is only going to be heightened as a result of the current crisis.”

The cybersecurity challenges presented by the coronavirus (COVID-19) pandemic and new ways of working are significant for businesses, regardless of the sector in which they operate. For more information and guidance about the steps your organisation should be taking to mitigate risks and deal with threats, please contact James Arthur or Vijay Rathour.
