Companies now face a double threat. On one hand, a fast-changing, sometimes chaotic environment increases risks to business – and on the other, it creates more opportunities for cyber-criminals. With this in mind, WIRED and Accenture convened a round table to look at the rapidly evolving threat landscape. The idea was to examine the biggest risks and examine the strategies companies have used to stay secure during the pandemic, before moving on to how they can continue to mitigate risk and build resilience as the world slowly returns to a more familiar pattern of work. Out of necessity, the adaptation to working from home happened very quickly. One participant describes the rush to remote working as “business as usual out of the window”, while others pictured it as “a baptism of fire” and “a Corona-coaster of risk assessment”. Part of the problem was physical. In the space of a few weeks, and often less, companies had to move staff from secure proprietary networks to home networks which were likely to be less secure and may even have been shared with people who worked for competitors. In the rush to replicate the office environment, staff often started using readily available third-party tools and personal tech equipment which had not been vetted by their employer. In a world where data underpins everything we do, this clearly means an increased risk of data breaches which can pose a reputational and even existential threat to companies. Employees rarely have malicious intent, but it’s all too easy to misconfigure home networks and VPNs, and not fully understand security settings. The result may be that intrusions (for instance, via a phishing email), leakage and theft of sensitive company data become that much easier. In tandem with this physical change, entire ways of doing business were being rapidly rethought as companies flexed and adapted. “Reshaping the business model is something that is happening across every function in every organisation at the moment,” says Greg Williams, editor in chief of WIRED. For this reason, it has been important to increase both resilience and adaptability at the same time – and at speed. It has been a multi-dimensional matrix of change. Many businesses had some of the necessary tools in place already. They’d learned from previous “Black Swan” events such as 9/11 and the uprisings in the Middle East which took place in 2011; moreover, governments have become far more adept at digital counter-terrorism. Companies have also developed methods of dealing with some cyber-threats and are used to providing security for key home-workers. However, a pandemic is a very different type of crisis. As Jonathan Luff, co-founder of CyLon says, “Our basic assumptions are being challenged – will we still work in offices and will services like education and primary health care become fully virtual experiences?” For many organisations, in the short term, this meant a need for immediate help from IT providers; in the medium term it has meant accelerating digital transformation programmes. Of course, companies are simultaneously struggling with other issues too. Dave Palmer, director of technology at the AI cybersecurity firm Darktrace says, “We have seen that some organisations are finding it more challenging to guide others through this period of change, whilst simultaneously managing their own staff costs and budgets.” In the longer term, many people are likely to remain working wholly or partially from home for a significant length of time. This means a larger attack surface and a greater risk to data. To take an obvious example, where once you could keep mobile devices in lockers on the premises, now you need to develop protocols to help those working remotely stay secure. Jacky Fox, managing director of Accenture Security for Ireland says, “People are working in their home environment which may increase risks around areas such as collaboration tools and home Wi-Fi which may be insecure or shared with others who could introduce risks.” She adds that this is interesting from a regulatory perspective and in terms of how it triggers risk assessments. Companies need to be active on several fronts ranging from rethinking risk around a largely remote workforce to security-privacy trade-offs to educating staff and raising awareness. George Marcotte, managing director of Accenture Applied Intelligence for UK and Ireland says, “There is an increased risk around data and intellectual property, and you need to accommodate that and build more resilience and risk protocols around it.” He adds, “Many of our clients are also finding that the regulatory regime around data continues to shift and that people’s perspectives and values around using their data also shifts – not just in the crisis, but over time as well.” It is, as ever, a question of balancing security and people’s productivity. So, how do companies get this balance right? First, they need to look at how their business has changed in the pandemic and how threats are changing. Here, they should consider consulting experts, as the interplay of IT risk and business is complex. They should take a pragmatic approach, recognising that you cannot eliminate all risk. This will mean looking at how data is used and where the risk is greatest. There is also likely to be a question around risk reduction and use of personal data. Rather than simply imposing policies, companies should seek to build agreement. Ultimately, it is about recognising that the business world has been through its most significant upheaval since World War II, taking a holistic, informed look at how risks maps on to this, and then implementing realistic, high impact, cost-effective countermeasures.
