How 2020 Changed Cyber Risk Management

Almost overnight COVID-19 upended our everyday reality. A risk that we didn’t even know we faced took center stage both personally and professionally. In this post, we look at what’s driving cyber risk mitigation decisions today—including what’s very different from what we heard on January 1—and how cybersecurity priorities are coming to the forefront.

Using Data to Make Sense of Chaos

Coronavirus has plunged us all into a chaotic new reality. As we grapple with it, one of the more interesting things I have noticed is how we search for data to help make sense of these events and drive decision-making.

Be honest here! How many of us have a “favorite” site to track the data on COVID-19? I’m a fan of the Financial Times[i] and Johns Hopkins[ii] sites as the data is easily consumed and understood.

There is also a lot of data on how businesses are being affected due to the virus. PwC surveyed CFOs and its study shows substantive impacts are expected in 2020 with half of all respondents (55%) projecting a decline of at least 10% in company revenue and/or profit this year.[iii]

But that doesn’t mean it’s easy to make sense of specifically how IT and cyber spending may be impacted by the downturn in company revenue (and spending). For instance:

  • IDC predicts a 2.7% drop in global IT spending due to delayed projects and the end of refresh cycles for PCs[iv]
  • Forrester projects a “best-case” decline of 5%, and an alternate scenario projecting a 9% decline, in 2020 US tech spending[v]
  • Glassdoor research indicates that tech job openings dropped 18%, showing “how the crisis continues to affect even industries where companies are more able to shift to work-from-home arrangements”[vi]

With revenue declining, jobs being reduced accordingly, and spending curtailed, many are worried that organizations will put cyber spending under the same sharp knife.

Dramatic Priority Shifts from January to May

What’s clear is that priorities are shifting quickly within organizations. Four months ago, companies had put plans in motion to manage cyber risk. Spending was allocated, projects were created and being tracked, and work was underway. Then wham: everything changed. Today’s priorities aren’t the same as a few months ago. But did those other priorities really go away?

Take a look at an example priority list from Jan 1, 2020:

| Risk | Impact | Mitigation |
|------|--------|------------|
| System downtime due to ransomware attack | $$$$ | Increase network monitoring and breach response time |
| Unknown assets on the network | $$$ | Add network discovery/asset management (or inventory) |
| Non-PII data theft | $$$ | Encrypt all data and improve 2FA coverage |
| Legacy modernization of systems that are beyond EOL | $$$ | Increase recapitalization timeframe |

And now a list of the priorities as of May 1, 2020:

| Risk | Impact | Mitigation |
|------|--------|------------|
| Remote access workers | $$$$$ | Improve 2FA and VPN capability |
| Increased phishing attacks | $$$ | Add additional e-mail security and endpoint lockdowns (GPO) |
| Lower headcount (hiring freeze) leads to longer time to detect/remediate issues | $$$ | Identify where to automate and how to prioritize better |
| Faster onboarding of third-party vendors (to handle remote workforce) | $$ | Automate process for checking vendors and increase controls around what users can do (IdM) |

Re-prioritizing Risk?

What should we do about our priority list from January 1 when today’s list looks so different? The answer, in my opinion, lies in how you prioritize risk.

I’ve always believed that there are three things you need to know to prioritize risk:

  1. Determine what’s most important to the business
  2. Identify where those key business assets (data, revenue, systems) are located or generated
  3. Plan what can realistically be done to mitigate those risks

The first step to prioritizing (or re-prioritizing) cyber risk mitigation is to make sure you understand the business well and can categorically state what’s most important. For example, many would argue that the most important risk to mitigate today is how remote workers access IT systems. But what if 90% of remote access is to your email server? And what if the item atop the list on January 1 was preventing a ransomware attack against your manufacturing system that produces 75% of your company’s revenue? Would that change your prioritization?

Second, you must understand where your most essential and vulnerable assets exist in your network. We worked with one healthcare company that had its healthcare data stored in over 15 places because it was easier for partners and vendors to access. That’s “easy” but also risky.

Finally, plan what can be done to realistically mitigate risk (the technical security component). It’s more critical now, with budgets under intense scrutiny, to make sure that we are protecting the most important items as best we can from an inside-out perspective. And it’s one reason I’ve always been a fan of layered defense vs. defense in depth. Figure 1 below from Cloud Mask outlines it well. It shows a set of layers being built around what matters most.

Prioritizing Cybersecurity

With this pandemic causing businesses to re-evaluate across the board, one possible silver lining here is that we could see a closer relationship between security and the business. According to a 2019 KPMG survey, 16% of CEOs think that cybersecurity is their top risk (it’s ranked third highest risk overall). Perhaps the challenges businesses are encountering today as remote working accelerates and virtualization takes center stage mean this is the year that cyber risk truly moves to the forefront in an organization.

Top Risks Facing Businesses, with Cybersecurity Risk Being Third

Whether you change your security focus in 2020 or re-evaluate only to conclude that the risks you faced on January 1 are still the most important things for your business to deal with, it’s critical to look at risk holistically and often (ideally daily/weekly). If you don’t, it becomes easy to miss the forest for the trees and risk making overcorrections that leave your critical assets unprotected.

Learn more at our upcoming webinar, How 2020 Changed Cyber Risk Management, on Thursday, June 4 at 11:30 AM ET.
