A return to normal - a 'new normal' - is thankfully underway.  An organisation’s ability to transition effectively from response to recovery will undoubtedly provide competitive advantage over those firms who are not prepared, while immediately enabling much needed cash generation. 

Many companies have been in semi-permanent crisis response mode since mid-March; how will they shift focus from the intensity of sustained crisis management to a more “stable” business as usual? How will they find the bandwidth to make the necessary plans for that shift? Will organisations reset their risk appetite and impact tolerances to meet the challenges of the new operating environment? Will decisions made as part of the response to the global pandemic be revisited and risks reassessed? 

There is no single answer to address the questions posed above.  Technology functions will be at the core of the restart to ensure their organisation is well-positioned to recover quickly, effectively and sustainably.  Key activities for consideration span from a closer look at security hygiene to in-depth recovery and response planning exercises.  

Stabilizing the response

Many decisions being made during the response to the COVID-19 crisis, such as firewall rule approval, port openings, and increased access granted to third parties to supplement capability gaps, need to be reviewed in a timely manner.

Recognizing that every firm is on a different cyber security maturity journey, it is essential that actions taken during the response to the pandemic have not been allowed to excessively amplify the cyber risk debt. In order to quickly adapt to non-standard processes, employees and third parties may have been granted elevated privileges in order to backfill sick colleagues or expedite execution of day to day tasks such as key configuration alterations, emergency changes or changes not requiring standard approvals.  A risk-based view of a sample of changes made during the pandemic would help firms identify if changes retrospectively need to be approved or tested in order to avoid the introduction of vulnerabilities.

The inevitable economic downturn and employment uncertainty for employees will see a marked increase in the risk of insider threat, potentially resulting in data breaches, theft or disruption to business operations.  A return to business as usual will need to consider a thorough review of all access rights within the environment, not just those of privileged users.

Protecting yourself from opportunistic attacks

Activity from cyber criminals who are exploiting the pandemic for financial gain, as well as nuisance actors intent on causing disruption with no specific objective, have been widely reported.  Security agency sources also indicate nation states are using the pandemic to infiltrate industrial as well as government targets, whose attention might be elsewhere. 

It is important to recognize that not all cyber-attacks are “noisy” and detectable by the target.  Where there is a known absence or lack of maturity in monitoring, firms could consider adopting an ‘assumed compromise’ approach.  Performing a proactive compromise assessment may uncover a dormant threat that has covertly infiltrated the environment.  For example, performing in-depth perimeter scanning and internal and external penetration testing could highlight vulnerabilities created by forcing through emergency changes to the production environment in response to a change in business operations.

Revisiting scenario planning

The global response to the Covid-19 pandemic has tested societal, organisational and individual resilience in ways few scenarios would have truly considered.   Organisations would do well to revisit their scenario planning and consider a real-world series of exercises to robustly test their integrated response plans and capabilities. 

Preparing for the recovery

As international press speculation continues in relation to the exit strategy of various governments in easing lock down restrictions, the one certainty is that businesses need to quickly get back to generating cash.  Preparing to recover will remove some of the uncertainty for the future, it will reassure employees, customers, suppliers and other stakeholders while mitigating the risks and remediating the vulnerabilities introduced during these unprecedented times.

There are several key considerations that senior leaders and cyber security professionals should consider as their organisations transition from response to recovery:

  1. What’s the shape of the business after the crisis?
  • Have key facilities been mothballed or scaled back?  
  • Will the workforce return to work en masse or in a phased approach? 
  • How will the phasing be prioritized?  
  • Will significant numbers of people remain at home?

2. Therefore, what’s the shape of the required IT estate:

  • How will the IT estate be supported?  
  • How will temporary solutions and processes be transitioned to permanent?

3. Consequently, how will your security programme reflect the shape of the estate and the inherent risks:

  • Have security and technology risks been updated based on current operating model?  
  • Does the organisational security posture reflect the threat environment? 
  • Is the workforce aware of their responsibilities in maintaining information security in the new environment?

4. And, what have we learnt/would we do differently, after this experience:

  • What went well in the organisational response to the pandemic?  
  • How can you:
    • Review capacity constraints, technological and human, during the response phase.  
    • Identify and address functional or process gaps in response.  
    • Revisit scenario planning and update response plans.

As you transition from response to recovery consideration of the above themes will support a resilient restart that is robust enough to withstand and absorb the impact of any subsequent aftershocks.