Cyber threats are considered one of the most worrying issues for businesses of all sizes, both in terms of probability and overall consequence. However, during the Covid-19 crisis, cyber threats have had to take a back seat so companies can refocus their efforts on enabling staff to work remotely.
This is a high-risk situation for Network Teams and Security Teams, as they realise they may drop their security standards to support the very survival of the business. They may wonder how their heroic efforts will be measured once the Covid-19 crisis ends and workers return to their physical offices and the old-normal.
All organisations need to assume they have been breached during the Covid-19 crisis, and this Assumption of Breach should be a priority agenda item when the Board meets to assess fallout from the coronavirus crisis.
Since January, all companies have relied even more on technology at every layer of the organisation, and so any possible harm caused by a cyber breach will be substantial.
Post Covid-19, it will be essential that an organisation's board receives a detailed audit from their Management Team regarding any detected breaches, cyber vulnerabilities and corrective actions that need to be taken.
Many company boards will not be fully aware of their new risk exposure levels and may not receive the information they need in a format that is easily consumed.
Board members should recognise the efforts made by their IT teams during the crisis and support them by giving them the tools they need to re-secure their systems.
To deliver a detailed Post-Covid-19 Cyber Audit, we suggest a Compromise Assessment.
Data breaches and privacy:
Before the coronavirus halted us in our tracks, cyber-crime was commonplace and a consistent threat to sensitive business-critical data. Criminals have no moral obligation to stop their activities during a crisis; in fact, they see Covid-19 as the perfect opportunity to further exploit the misery being endured by people and companies across the globe.
Governments across the globe have introduced, or will be introducing, further legislation to ensure private data is protected against misuse by criminal elements, and those who are found to have profited illegally by exploiting the coronavirus will be punished accordingly.
The threat of a cyber-breach is now more of a concern for businesses than traditional threats such as natural disaster (which is ironic in the sense that Covid-19 could be looked at as a force majeure), and thus requires a well-considered plan and expert skills to ensure the company is protected when a breach occurs.
Over the coming months the topic of cyber security will be a mainstay on the agenda of many company board meetings where the CISO or dedicated Cyber Security Officer delivers regular assessments of the company’s security posture and vulnerability risk.
The role of the board is to measure their management team regarding its ability to successfully mitigate the threat of a breach, whilst also keeping employees productive from their remote sites. However, in order to support their management team, the board needs to have access to accurate information regarding the company’s current cyber security posture.
Less than half of companies provide their Board with an accurate cyber security audit, but on the other hand, company Boards should be requesting regular cyber audits as standard.
Updating the board:
Covid-19 has displayed how successful remote working can be, and maybe we will not return to the old-normal from the new-normal; maybe a hybrid-normal will emerge.
Whichever model prevails, over the coming months company Boards should regularly receive a cyber audit that is easy to digest and clearly highlights the most critical threats to the business.
The quality of these reports will depend on where the organisation is on their returning journey to cyber safety.
Some organisations will have existing reports that satisfy all stakeholders, whilst others will not have the in-house skills or tools to deliver such audits.
Reporting to the board on Covid-19 related cyber-security issues will become as important as reporting on financial matters, and in the future companies may be obliged to produce regular cyber audits along similar lines to financial audits.
Guiding principles when presenting Cyber Audits to the Board:
- Relevant to the board
- Easy to read: Use summaries, dashboards, and visuals.
- Avoid technical vocabulary
- Put things in context, not just details.
- Emphasise progress and trends
- Keep it short.
- Discussion: Audits should encourage discussion
This is an opportunity for the Management Team to gain further credibility from the board:
What metrics are being audited to determine risk to the organisation?
Boards need assurance that critical assets are protected whilst remote working is facilitated.
What cyber-security investments are essential?
Boards need to understand their current and future cyber-security vulnerabilities and calculate what level of investment is needed to reduce risk.
What improvements can be made post Covid-19 and why?
What compromises were made during the Covid-19 crisis?
Is the present level of resourcing effective?
How does the current cyber-security strategy compare to industry best practice?
Would trusted cyber-security partners have been better placed to advise and deliver best practice solutions during the Covid-19 crisis?
If a company is part of a wider supply chain network then the board may also be concerned with the increased risk from external organisations given the degree of inter-connectivity and data-sharing involved.
Areas of concern will be:
What number of external vendors had access to sensitive data during the Covid-19 crisis?
Should a Compromise Assessment be carried out on 3rd party suppliers?
GuardYoo has been delivering automated Compromise Assessments as a service for many years and now, via a SaaS platform, can provide a detailed cyber audit that, whilst easy to consume, contains valuable information concerning an organisation's true cyber posture.
GuardYoo Compromise Assessment audits will ensure that both the board and its management team have all the information needed to highlight current vulnerabilities and the risks associated with them.
For further information contact us at: info@GuardYoo.com