Cyber risk in the times of Covid-19: the one thing that has changed

Covid-19 has accelerated many of the key technology, business, professional and work/life-related trends that we were already seeing emerge.

Probably none more than the role of technology in our lives. At the same time, it has exacerbated the risks and threats that companies face from cyber compromises.

Earlier this week, Control Risks were invited by UKIBC to speak about how cyber risks have impacted businesses operating in India and the UK under Covid-19 lockdown, and why cyber planning should be at the heart of any recovery planning and long-range learning from the pandemic.

Cyber risks are a tough topic to speak on – mostly because it is, in some ways, a decades-old topic with no failsafe solution for companies to evaluate (as threat actors constantly stay ahead of the fixes), but one with significant reputational and business risks for Boards to consider.

One interesting question from the audience that brought home this difficulty was: what is the one key change you see (in the cyber risk landscape for enterprises) because of this pandemic?

That one big change, in my opinion, is that cyber risk mapping must become a pre-emptive, always-on exercise for all functions across every organisation.

It can no longer just be an IT / technology problem. The solutions do not just lie in building higher firewalls, securing VPN tunnels further or adding more layers of authentication for access. Everyone with a team, a P&L, a cost centre or a metric to achieve (which is all of us) has a role to play every day in keeping organisations secure.

This is true for companies based in India because…

  1. Insider risk is more real than ever… every major piece of research on cyber threats published in India since 2016 suggests that over 50% of the cyber threats to an organisation come from malicious or careless employees. Simply put – people fall prey to scams, traps and lures. Indian companies and governments routinely fall prey to viruses, malware and hackers. This risk is being exploited through the fear and uncertainty caused by Covid-19. Having a plan to manage insider risks is a function of changing behaviours and culture among every employee as standard.
  2. New ways of working will need companies to redefine policies, governance mechanisms, roles & responsibilities. WFH will now have to be formally written into employment contracts and code of conduct documents. So will the use of corporate devices for personal purposes – and the temptation to click on that link to learn more about how to protect yourself from Covid-19. Training and awareness building among employees about social engineering-based attacks will not suffice on their own – simulations and test mails must become part of the drill on an ongoing basis.
  3. As the legal and regulatory picture becomes more complicated and fractured in India, companies will find it difficult to estimate exposure, and law enforcement may become more unpredictable. We already see weaponisation of cyber resources, a rise in data nationalism and the use of data as a tool for exerting not only national identity but also foreign policy. This will have implications for how multinational companies manage data at all times.
  4. Most companies still do not have a complete list of all vendors who have access to their internal systems. The more broadly spread across India or the more complicated the supply chain is for a business, the worse the situation gets. C&F agents sometimes have access all the way into the ERP system to log inventory and sales – even as firms have no way of knowing if these vendors have secure Wi-Fi or a server that is firewalled properly. Third party compromises are the second biggest source of cyber compromises – after insiders. Reviewing and monitoring partners and vendors on an ongoing basis is critical.
  5. Digital transformation is finally happening… with organisations firmly and formally adopting technology to manage their businesses, data has finally taken centre stage in India. Even as regulators track it and competitors want it, data should be used by companies to inform and drive their business strategies. This transformation will be about ingraining the use of new skills, behaviours and tools every day.

A company’s data can be its biggest asset. However, without a plan to capture, store, secure, analyse and transmit it, it could also become its biggest liability.

Conducting cyber due diligence to map key weak points and threat factors is a smart business manager’s best bet today.

The views and opinions published here belong to the author and do not necessarily reflect the views and opinions of the publisher.

Amit Narayan
Partner & Managing Director, South Asia at Control Risks
Amit manages consultants who design, develop and implement risk-mitigation strategies for companies across South Asia. He has advised clients on political and regulatory risk, pre-investment risk, reputational DD, forensic investigations, public policy and stakeholder mapping. Amit has worked at Edelman in India and Burson-Marsteller in Singapore. He has also worked in-house at Vodafone in Singapore and The Walt Disney Company in Hong Kong.