(We are publishing the first part of this two-part column today after inadvertently publishing part two out of sequence on Monday. BusinessWorld regrets the error.)
(First of two parts)
Risk professionals around the world have always had pandemics on their radar and rightly so. In the last 20 years, the world has witnessed how diseases such as Ebola, chikungunya, SARS, H1N1, and MERS-CoV placed nations in grave danger. However, governments and medical communities were always able to address each situation, and while there may have been some casualties, the contagion was somehow managed, preventing the disease from spreading worldwide. When news of a novel respiratory disease from China broke out in December 2019, it took several months before the World Health Organization (WHO) gave it an official name, declaring a pandemic on March 11.
Because of previous similar outbreaks, many in the Philippine business community reacted coolly to the news. Even when infections started to appear in the Philippines in late January, few businesses saw the urgent need to prepare for a pandemic. Consequently, when the government imposed the lockdown on March 16, many organizations were caught unprepared and had to improvise to survive. Companies scrambled for tools and facilities to allow remote working and continue business operations.
For the past nine months, Philippine companies have learned to deal with COVID-19 and the lockdown. The impact was significant across the board, not only disrupting current operations, but also influencing how businesses will behave in the months and years to come.
Cybersecurity has been no exception. As with other business functions, the pandemic caused widespread disruption in cybersecurity operations and is expected to have a significant impact on cybersecurity strategies, investments and future priorities.
In the first part of this two-part series, we will discuss the challenges of cybersecurity in terms of remote working, identity and access management risk, physical security and data privacy.
WORKING FROM HOME
Remote working has been a notable issue. Shifting the workplace — from central corporate offices to the homes of employees — has expanded the attack surface. The perimeter of the corporate network is no longer defined by its firewalls, and employees can now do more with their company-issued laptops without the traditional firewall controls. For example, personal cloud storage solutions and other non-work-related websites that may be prohibited by the company are now readily accessible to employees through their home networks.
Because of the pandemic, many companies were compelled to issue a significant number of laptops to their employees. In addition, new applications were deployed to allow employees to access corporate systems using mobile phones and tablets. This further expanded the number of endpoints that can be compromised by attackers.
Adopting new technologies to enable remote working during the lockdown also raised concerns for security professionals. Many companies made quick decisions and deployed tools for collaboration and communication, online selling, digital and contactless payments, and the like. At times, a new vendor was contracted to enable these digital tools, and in some cases even to manage these applications for the company. The challenge in this situation is not only procuring reliable external support, but also ensuring that the vendors undergo a strict risk assessment and that the tools are subjected to robust testing prior to their actual deployment. Shortcuts in the deployment process simply cannot be allowed.
ACCESS MANAGEMENT RISKS
Identity and access management also present challenges in the new normal. In many cases, user profiles and roles need to be created or modified to enable remote access by employees and business partners to the corporate systems. The chief information security officer (CISO) needs to ensure that these profiles were created on a strict business-need basis. The company’s formal approval and role development process cannot be ignored even if there is a seeming urgency because of the pandemic.
Inevitably, employees come and go even during a pandemic. New hires continue to be onboarded, people change roles and move departments, and some staff members resign for various reasons. User profiles and the roles assigned to them should always match the employee’s current responsibilities. Likewise, user access revocation — including the retrieval of company-issued mobile devices — should be timely.
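One way to put the joiner-mover-leaver discipline described above into practice is a periodic reconciliation of the HR roster against the identity store. The Python below is an added illustration, not from the column or SGV; the department-to-role mapping, the one-day revocation window and the sample records are constructed for the example.

```python
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

ALLOWED_ROLES: Dict[str, Set[str]] = {  # roles each department may hold (constructed)
    "finance": {"erp_user", "vpn"},
    "sales": {"crm_user", "vpn"},
    "it": {"erp_admin", "crm_admin", "vpn"},
}
REVOCATION_SLA_DAYS = 1  # a leaver's access should be disabled within one day

Roster = Dict[str, Tuple[str, Optional[date], Set[str]]]  # uid -> (dept, left_on, devices issued)
Accounts = Dict[str, Tuple[bool, Set[str], Set[str]]]     # uid -> (enabled, roles, devices returned)


def reconcile(roster: Roster, accounts: Accounts, today: date) -> List[Tuple[str, str]]:
    """Flag leavers with live access, movers with stale roles, unreturned devices and orphans."""
    findings = []
    for uid, (enabled, roles, returned) in sorted(accounts.items()):
        if uid not in roster:               # account with no HR record behind it
            if enabled:
                findings.append((uid, "orphan_account"))
            continue
        dept, left_on, issued = roster[uid]
        if left_on is not None:             # leaver
            if enabled and (today - left_on).days > REVOCATION_SLA_DAYS:
                findings.append((uid, "leaver_still_enabled"))
            if issued - returned:
                findings.append((uid, "device_not_returned:" + ",".join(sorted(issued - returned))))
        else:                               # joiner or mover: roles must fit the current department
            excess = roles - ALLOWED_ROLES.get(dept, set())
            if excess:
                findings.append((uid, "roles_outside_department:" + ",".join(sorted(excess))))
    return findings


# Constructed sample: u101 moved finance -> sales but kept erp_user; u102 resigned on 20 Nov
# with access still enabled and a laptop outstanding; u103 left yesterday (inside the SLA);
# svc-old has no HR record at all.
TODAY = date(2020, 12, 1)
ROSTER: Roster = {
    "u101": ("sales", None, {"laptop-2"}),
    "u102": ("finance", date(2020, 11, 20), {"laptop-7"}),
    "u103": ("it", date(2020, 11, 30), set()),
}
ACCOUNTS: Accounts = {
    "u101": (True, {"erp_user", "crm_user", "vpn"}, set()),
    "u102": (True, {"erp_user"}, set()),
    "u103": (True, {"vpn"}, set()),
    "svc-old": (True, {"vpn"}, set()),
}


def run_sample() -> List[Tuple[str, str]]:
    return reconcile(ROSTER, ACCOUNTS, TODAY)
```

The same check run against a real roster and IAM export turns the “timely revocation” requirement into a measurable daily report rather than a policy statement.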
A greater challenge with remote working is the physical security of the employees’ homes. This is particularly true for companies with a younger workforce who live in dormitories and boarding houses with roommates and friends who may be working for competitors.
Those living with their families in cramped spaces pose a lower risk, but such arrangements may also not be ideal for many companies. In a developing country like ours, these are realistic situations that companies need to manage.
Data privacy continues to be a major cause of concern not only within businesses but also among consumers who distrust external parties handling their personal data. In the Philippines, companies are required by the Department of Labor and Employment (DoLE) and the Department of Health (DoH) to collect employee and visitor health information and submit monthly reports.
These data are crucial for companies and the government to maintain safe working environments and to help contain the pandemic. However, valid questions have been raised on access, storage, sharing among agencies, and retention. Employees need to understand that their employers are required to record their temperature daily, but the security of their personal and household members’ health and travel data will remain a concern. This is a gap that will take a well-engineered bridge to cross.
To illustrate, the reluctance to grant access to one’s personal data is exemplified by the unpopularity of the contact tracing apps developed during the pandemic. While several of these apps have been endorsed by government agencies and companies, their use among the general public is still limited.
In the second part of this article, we will discuss the additional threats to cybersecurity that require recalibrating traditional security for the remote workspace; potential analyst disruption; the pandemic’s impact on cybersecurity budgets; and reassessing the cybersecurity function as we adjust to the new normal of business.
This article is for general information only and is not a substitute for professional advice where the facts and circumstances warrant. The views reflected in this article are the views of the author and do not necessarily reflect the views of SGV, the global EY organization or its member firms.
Warren R. Bituin is the Technology Consulting Leader of SGV & Co.