Cybersecurity Defense and Oversight During the COVID-19 Crisis

By Chris Hetner and Derek Vadala

04/16/2020


As the COVID-19 pandemic escalates and causes global disruption, those in corporate governance and executive leadership roles need to carefully consider changes in their organizations’ cyber-risk profiles, including how the rapid shift to remote working, stress on the technology workforce, and looming expense pressures increase the potential for exposure.

Cyber attacks could be business-ending events for organizations that are not prepared to defend themselves during a period in which funds to combat new cyber threats may have dried up or diminished.

Boards need to consider the ways in which their organizations’ cyber posture is changing as a result of the crisis. Board oversight is critical to ensuring that management is adapting to the evolving cyber-risk landscape as it works to maintain employee safety and continued business operations.

The Threats

Many of the current threats look similar to what was experienced before the onset of the crisis, only at greater volume. A summary of what boards need to know follows.

Phishing. While increases in phishing attacks are a normal symptom of disruptive global events, the risk of phishing attacks has increased now because remote workers may not have the full set of security defenses normally available to them in their alternative work environments. It is important to remember that phishing is successful because it takes advantage of the responses people have to emotions elicited by an email. In this environment, phishing attacks are using the virus to lure people into handing over money, for instance by using false donation links for recovery funds. Furthermore, responding to incidents that result from phishing attacks may place additional strain on cybersecurity teams because triage and remediation processes that typically require office visits may not be possible. Employees could be faced with the prospect of not being able to work if their technology cannot be adequately evaluated and cleared of threats.

Rapidly Expanding Attack Surface. As organizations shift into remote working, many are experiencing a rapid expansion of their technology attack surface. This is driven by the need to deploy new equipment and technologies to support remote workers, such as virtual private networks and video conferencing and collaboration software. But this environment may also require relaxing controls and policies that were once relied on to protect enterprises. For example, will employees be allowed to use their personal computers to access company resources like their work emails? Will they be able to print company materials at home? As these new modes of working change and expand, the room for error in their configuration and deployment will increase, leaving opportunity for attackers to exploit weaknesses—especially during this transition period in which new controls for working remotely haven’t been fully designed or tested.

Overworked Technology and Security Teams. An already stretched and limited cybersecurity workforce is being pulled in multiple directions during the COVID-19 crisis. Those charged with cyber defense and responding to incidents may easily be pulled away from security concerns and into technology operations issues associated with the sharp rise in employees working from home and in customers interacting with the organization virtually. This creates the potential for mistakes that could result in inadvertent exposures for the organization. Furthermore, these team members may be asked to reduce security controls and suspend certain policies in order for them to support the business in other ways, potentially signaling that the value of their historical work is no longer relevant.

Long-term Implications. On the horizon is a challenging expense environment with a potentially worsening labor shortfall for cybersecurity positions. Consider the number of academic program enrollments and completions deferred due to the crisis and the impact of this on the number of new cybersecurity professionals entering the market. Combined with expense pressure for budgets and a shift in priorities, we face the possibility of disenfranchising the cyber workforce.

These challenges will increase the need for the quantification of cyber risks and the effectiveness of cybersecurity programs, and they establish a clear need to link continued investment in cybersecurity personnel and defenses to risk mitigation best practices. Forging this link will become increasingly important for maintaining a risk-based defense approach and representing cyber resilience to customers, investors, and regulators.

How can boards respond?

Recognizing that they can’t overburden management right now, boards should affirm the expectation that effective cyber-risk management remains a key function for the success of the enterprise. Transparency and independence on cybersecurity issues during the crisis and beyond are paramount to ensuring that risk-taking in response to the crisis is aligned with governance expectations and does not create an unacceptable short-term exposure. Remember, a cyber event during the crisis could be an existential threat to the organization. Below are some suggested approaches that directors can take in order to monitor the situation.

Tactical:

  • Ensure the chief information security officer (CISO) understands that they have the support of the board to flag any decision made in response to the crisis that may adversely impact enterprise cyber defense. (This isn’t the CISO’s decision to make, but it is their obligation to raise any concerns that could affect security.)

  • Ask for periodic updates about cyberattacks and incidents during the crisis. If there is nothing new to report, ask how the organization is validating that its monitoring protocols are working appropriately.

  • Ask management if key cybersecurity personnel are being repurposed to handle operational technology tasks and, if so, when such personnel will resume their normal duties.

  • Ask what new equipment, technologies, and services are being deployed in order to support response and relief efforts. Is there a process in place to validate that the cyber defenses associated with these changes are being maintained?

  • Ask which security policies are being relaxed in order to support the company’s response. Will these relaxed policies be in place for the duration of the crisis, or will more stringent policies be restored quickly? What risks do these changes create? Are these relaxed defenses being supervised?

Strategic:

  • Company-wide economic headwinds need to be considered as they may impact the budgeting of cyber defenses. How is management considering the impact of furloughs and layoffs with respect to insider threat? What organizational restructuring actions might impact the company’s cybersecurity posture? Is the cybersecurity team proactively involved in the handling of these actions in order to mitigate and monitor any issues that arise?

  • Understand the key cybersecurity scenarios that present the most material impacts to the enterprise. Consider, for instance, business interruption, data disclosure, and fraud.

  • Define what risks the organization is willing to accept and to what degree.

  • Understand how security changes driven by the current crisis will be monitored and improved over time, and require updates on how these changes align with strategic objectives for cybersecurity.

  • Establish mechanisms to provide continuous insight into the cost to recover from an attack and how an attack would interrupt the business.

  • Develop an understanding of how your cyber-risk defense and exposure compares to peers in this environment.

Chris Hetner
Chris Hetner served as the senior cybersecurity advisor to SEC chairs White and Clayton and currently is a senior advisor at The Chertoff Group, a special advisor for cyber risk at NACD, and a member of the NASDAQ Center for Board Excellence Insights Council.

Derek Vadala
Derek Vadala is senior vice president, head of risk at BitSight, where he leads a team that is focused on creating an automated cyber-risk quantification solution that enables chief information security officers to better communicate cyber risk to boards of directors and senior business executives by translating cyber risk into financial terms. Before joining BitSight, Mr. Vadala was the CEO and founder of VisibleRisk, a joint venture between Moody’s Corp. and Team8, which was acquired by BitSight in 2021. Prior to that, Mr. Vadala was the global head of cyber risk for Moody’s Investors Service, responsible for developing capabilities for evaluating cyber risk and incorporating those capabilities into credit analysis. Mr. Vadala also previously served as the chief information security officer for Moody’s Corp., where he was responsible for global information risk and security across Moody’s businesses worldwide, from 2013 to 2018.