Technology has given us much to be thankful for in the past 18 months. Ten years ago, the prospect of pivoting global workforces to remote working overnight would have been unthinkable. Productivity levels during a 2010 pandemic would have looked very different.
However, as with all macroeconomic disruptive forces, threats will emerge in addition to opportunities for organizations, sharply illustrated through the accelerated advances in tech.
Such a large proportion of our personal lives already relies on online connectivity, from banking to shopping to entertainment. The potential vectors of digital vulnerability have been multiplying for years before COVID-19’s arrival.
The swift adoption of decentralized employee bases increased pressure upon individuals to tune up their cyber security sensitivity, while organizations rapidly intensified communications to guide inexperienced colleagues through such testing times.
However, the pandemic has, perhaps unsurprisingly, resulted in a surge in cyber crime. The FBI’s Internet Crime Complaint Center registered 791,790 complaints in 2020 – up 69.4% on 2019 – accounting for $4.2bn in reported losses by individuals. Business email and email account compromises were responsible for 44% of this loss value.
Digital disruption is top of mind in the boardroom
The levels of complexity and sophistication in cyber attacks run at a pace proportionate, if not faster, than the advances in preventative measures available to counter the threats. The recent supply chain attack on SolarWinds’ Orion network monitoring platform, which could have potentially impacted more than 18,000 customers including government agencies and Fortune 500 companies, only serves to cement cyber security at the top of the boardroom agenda for 2021 and beyond.
As organizations ramp up digital innovation, they generate more and more data every step of the way, and increase their cyber risk accordingly. For example, distributed networks with thousands of connected devices, automation technology, and increasing reliance on cloud computing will all infuse vulnerability into corporate networks.
What’s more, each merger, acquisition, or divestiture deal completed – and every legacy IT system maintained – will amplify cyber security and network security risks further. At a time where M&A has emerged as a driving force in business restart and recovery post-COVID-19, posting a record year to date in deal-making volume and value worldwide, the vulnerabilities of other organizations are increasingly of immediate concern for buy-side leadership teams.
Our 2021 AlixPartners Disruption Index (ADI) further reinforces business leaders’ uneasiness around cyber risk and, as CEOs are confronted by disruption more than ever before, it is clear that the pandemic itself is not one of their top concerns.
Second only to “new or evolving competition or business models”, which featured as the highest-impact disruptive force according to ADI respondents, the subsequent five identified forces all carry unmistakable connections to increases in cyber risks:
- Technological advances in materials and process
New technology brings new security concerns. Hardware, firmware, and software compromise is becoming more sophisticated and harder to detect and mitigate - as technology advances, so do security solutions. Companies should require vendors to provide ongoing evidence of secure creation and maintenance and all aspects of the supply chain need to be scrutinized from both vendor and consumer perspectives.
- Data privacy and security related issues
True data privacy can only be achieved through the rigorous application of policy compliance and technological deployments. Security is a journey, not a destination, and establishing “Security Maturity” is critical to increase the effectiveness and outcomes of corporate security investments. As security technologies mature, their ability to solve problems must be tested and confirmed as effective before any upgrades or displacement of existing solutions.
- Pervasive connective infrastructure
As traditional connective infrastructure is extended to address new connection models and solutions, the focus on security must be enhanced from the outset. The Internet of Things, Industrial Internet of Things, 5G/6G, and WiFi 6 are all capable of being highly disruptive to markets and the security of these solutions is not always a given. Great care should be taken to confirm secure deployment before relying on them empirically. The business world today is also increasingly enabled through Software as a Service, which can bring many new attack surfaces into focus.
- Automation, Artificial Intelligence, Robotics
As new solutions are created and connected, more opportunity for digital complexity equates to a greater likelihood of breach or data manipulation for malicious purposes. Autonomous and semi-autonomous solutions have the potential to create physical and digital hazards, and the complex programming solutions being developed are even more dangerous due to the many application permutations that require significant observation, feedback and controls to be implemented to ensure safe usage.
- Regulation, policy, or politics
Policy and politics are generally the creator of regulatory compliance metrics, put in place to protect the public. However, regulatory compliance almost always comes after the fact. While technology exists to meet compliance objectives if properly adopted and implemented, unfortunately the costs to do so often prove to be the nemesis of meeting these standards from the outset.
How can organizations effectively respond to cyber disruption?
The reality is that malicious actors have themselves sought out opportunity through the pandemic to leverage COVID-19 as a means to profit further from cyber crime. As the world emerges from the tumultuous events of the past 18 months and seeks to establish stability and a steady path forward, cyber criminals will only intensify their efforts to disrupt progress.
Cyber attacks present not only financial risk to companies but also increasing impact on individuals and potential threat to human life. Recent attacks targeted at critical infrastructures such as fuel (Colonial Pipeline, USA), energy (Volue, Norway), and water (Oldsmar, USA) suppliers demonstrate the degree to which everyday life can quickly take a sinister turn for the worse.
The stakes are getting higher. In a volatile environment, clarity, control, and pace are imperative. How business leaders respond and the speed at which they do is critical, given the uncontrollable nature of so many other macroeconomic factors.
- Take control and prioritize. It is essential to fully understand, evaluate and control cyber and technology risks alongside the adoption of necessary governance, controls, technology, and contingency planning that will help organizations cope with the evolving world of risk.
- Diagnose vulnerabilities quickly. Rapid diagnosis of a technology environment allows areas of potential concern to be identified and protected at pace. Sharp focus can then be applied to key areas of technology architecture and operating models in order to detect risks immediately and respond and recover.
- Rolling execution is essential for effectiveness. Planning for cyber security outcomes and developing achievable metrics are the foundations to any secure solution. Executing on the plan and continuously monitoring it for effectiveness while planning for the next level is a maturity model, whereby solutions may be able to stay on top of risks. This is a constant cycle. Cyber security agility and enhancement against those who would do us harm is an ongoing effort.
Ransom payments stretching to tens of millions of dollars, reputational damage that erodes brand equity and increases customer churn, and failure in compliance and regulatory obligations are the potential impacts from cyber crime that businesses face every day.
For technology to continue as a positive enabler post-pandemic and beyond, cyber security must now sit at the core of an organization, empowering business missions and helping to build a more resilient and sustainable digital future.