The Word of the Day isn’t Virus, its Agility

July 6, 2020

In 1929 the vibrant US economy went through the greatest shock it had ever received when the stock market crashed. A frightened and bewildered Congress, flaying for answers, summoned the economic chieftains of the day to testify as to if they had manipulated the crisis.

The venerable JP Morgan was called to task before the US Senate. “You know what the stock market is going to do, don’t you Mr. Morgan,” the story goes.  To which JP admitted, “Yes Senator I do know.”  “You have an obligation to share it with the nation Mr. Morgan, the Senator demanded, what is the stock market going to do”?

“It’s going to fluctuate,” said JP.

On March 11, 2020, the coronavirus struck, and the vibrant US economy when into its greatest shock since the Great Depression.  Overnight, the virus ushered in the largest alteration in how humans do work in history. In less than one week, we went from a workforce wherein about 21% of workers at least occasionally used online facilities to work from home to a workforce wherein approximately 80% of the workforce did roughly 100% of their work online at home.

Since then the US economy, has fluctuated.

The stock market fell precipitously, then recovered, then began to drop again and steadied – and no one really knows what the stock market or aspects of it are going to do. The more things change, the more they stay the same.

To use another tried but true adage.  We have learned again that the only constant is change. But there is a difference now.  In the digitally based economy of 2020, change comes much faster, and so do the business by products – for better or worse –of the pandemic.  There wasn’t too much to loot in the thoughts of the Potemkin like economy of the 1920s, but there are billions and billions of dollars at risk in the wake of the robust pre-pandemic economy,and cyber thieves, and they are coming after it with a vengeance.

American business was largely unprepared to fend off cyber criminals before the virus hit., we are now immeasurably worse off.  Metaphorically, we have gone from leaving the door ajar to cyber criminals before the pandemic, to throwing the door wide open and laying out a welcome mat for them now.

The criminals are going to be quick, we need to be quicker.

THESE ARE THE GOOD OLD DAYS

Prior to the virus hitting the U.S., online work was typically part of a carefully managed system. Chief Security Officers were generally distrustful of allowing important work to be done outside the normal system of operations and security. Remote work generally was carefully planned, and tested, and training to assure security procedure were adhered to were standard operating procedure.

That basically all went out the window post-virus.  Now, virtually everyone is working at home. Whereas most workers were part of the system in the office, now essentially everyone needed their own system.  The networks and tools were not designed for this immediate overload.  Moreover, the mangers of the systems, outside of the 20% who had prior training, now were essentially “ad-hocking” how to manage their online workforce and developing workarounds for many of the security issues that tended to slow them down and impede productivity.

The criminals have responded to the dinner bell and are feeding themselves like gluttons. Google has reported 18 million phishing and malware schemes related to COVID-19 every day. Millions of workers, untrained in cybersecurity for the remote space. are working from home  using insecure personal devices and increasingly falling, unwittingly, pray to cyber attacks.

A CrowdStrike study revealed that intrusions were already up in Q1 of 2020 with the expectation of even higher numbers in Q2.  Unfortunately half of business leaders surveyed say they do not think they will see an increase in cyber-risk.

They are wrong, very wrong. A recant PWC post-pandemic survey of cyber security experts said that 98% feel the need to alter their cybersecuiry strategy post pandemic to account for increased risk. Who you going to believe?

Things are only going to get worse. With any luck, we will eventually (soon?) emerge from the virus-dominated era.  We will be faced with a crippled economy. Unemployment surpassing depression levels and many businesses on life support at best – through no real fault of their own.

We all know the medical crisis generated an economic crisis, but it has also generated a technology crisis – at the very time we have become totally dependent – and many of us thought were already too dependent – on insecure systems, we are now even more reliant on theses systems.

 Once we have moved past the immediate pandemic environment there will be a necessary and intensive effort to re-engage the full US economy. However, virtually no one believes that we will return to the central office dominated structure of the pre-pandemic world.  Most estimates are that at least half the workforce (as opposed to the pre-pandemic 20%) will continue to work remotely.

We have seen this movie before.  When there is a special emphasis of maximizing productivity, security always gets short changed. Private enterprises, especially smaller businesses, many forced to operate at lower capacity due to resilient virus risk – will put their peddle to the mettle to maximize productivity and profits.  Security, despite the best efforts of pro-security advocates, will be typically seen as an impediment to speed, productivity and profit – it actually often is – and will get short shrift.

A massively weakened system, increasingly emboldened cyber criminals and an almost universal, and understandable, desire to maximize profit quickly to repair both personal and the national economy is a perfect storm for increased cyber-attacks.

In the past couple of months Congress  dumped $2 trillion plus into pandemic aid. The Federal Reserve system contributed about another trillion dollars. Concern about budget deficits seems not to be a major concern due to the medical, and to some more importantly, the economic issues resulting from the pandemic.

For some reason cyber security support seems to be nowhere in the calculus. When the government’s initial advice for returning to work was published, cybersecurity was not mentioned. This is ironic since the economic nexus with cybersecurity is fairly obvious.  Multiple studies over a period of several years have indicated the major obstacle to improving cybersecurity is neither technological nor attitudinal, its economic.

According to the McAfee 2018 Cyber Crime Report the chief motive for cyber-attacks is economic.  According to the world Economic Forum pre pandemic losses from cybercrime currently total about 2 trillion dollars a year, will grow to 6 trillion in a couple of years – and those are pre-pandemic estimates. Small businesses are the enterprises are the soft underbelly of cyber security both as a target for attack and an entryway into larger organizations they interconnect with to undermine their security.  More people are employed in small companies than any other element of the economy. Small firms are also the ones that have been most impacted by the pandemic with sales down 75% on average.

  THINK FAST AND KEEP THINKING FAST

 Corporate managers need to understand that they don’t live in the 20th century anymore – in fact they don’t live in the first quarter of the 21st century.  The game has changed overnight, and they need to change with it and fast.

New thinking needs to begin at the top of organizations, the board of directors, not always thought if as the bastion of corporate innovation, but they need to be now.  At a June conference on cybersecurity sponsored by the National Association of Corporate Directors (NACD) the directors were first urged to begin to think differently about their workforce especially with respect to cyber security.  The NACD members were advised to follow three principles

•         Think outside the enterprise

•         Think in terms of people, information and machines

•         Think in terms of balance

THINK OUTSIDE THE ENTERPRISE

Organizations need to understand that the boundaries of your enterprise have expanded.  In fact, what used to be known as the perimeter of the enterprise has now completely disappeared. Whereas organizations were beginning to understand that they needed to secure not just their own organization but their entire supply chain of vendors, partners and clients, they now must realize that functionally – from a cyber security perspective – virtually the entire workforce are the “supply chain.” In addition, COVID is a systemic issue.  Cyber threats can also be systemic.  The defining characteristic of the Internet is its interconnection.  Entities cannot think just in terms of securing their enterprise but in terms of the entire eco-system.  It’s not just an issue if “our Internet” goes down, suppose the whole Internet –systemically – goes down? Corporate emergency planning (already an underappreciated and supported function) may now have to take the prospect of a systemic cyber event – akin to the systemic medical event that has been COVID-19 –into consideration.

THINK IN TERMS OF PEOPLE, INFORMATION AND MACHINES

The very nature of communication is changed with the new environment.  An excellent article in the National Law Review pointed out that people information and machines are inseparable in the new environment “To be more secure employers should think in terms of how information flows over the Internet from employee to employee, employee to customer, machine to machine system to system throughout the communication process.:” Virtually every communication is now a real life version of the old game “telephone” where messages are whispered down a line of individuals and content always winds up massively altered by the time it reaches its destination.  From a cybersecurity perspective this again heightens the ability for malicious insiders, or simply sloppy employees (and managers) to exacerbate cyber risk in ways difficult to detect using the old (“old” meaning since March 2020) methods.

  THINK IN TERMS OF BALANCE

Organizations see technology disruption as the greatest strategic opportunity hence digital transformation is a top goal. This will naturally be intensified in the post-COVID economy. However, the careful system of checks and balances that the even the better secured organizations had in place need to be rethought. Not only aren’t we in Kansas anymore, no one is in Kansas anymore.  This will be especially important as the post-pandemic urge to recapture lost value of time economically become almost irresistible, and neat new tech may seem to be the best way to recapture lost revenue. Organizational leaders need to think in terms of balance.  Tech innovations can be tremendously attractive in terms of immediate payoffs, but virtually all digital tech enhancements such as cloud computing, Internet of Things, artificial intelligence, etc., while potentially great for productivity and growth, can also generate increased cyber risks. Use of these tools may be absolutely necessary for organizations compete in the post-COVID economy, but they  could endanger intellectual property, financial record, business plans not to mention personal data. Organizations need to be agile, but be smart.

THINKING IS FINE, WHAT ABOUT ACTING?

In one of the largest post-pandemic studies so far ESI ThoughtLab found that “digital transformation continues to expose companies to greater risk. The COVID-19 pandemic is accelerating this trend as companies embrace remote working and supply chains while consumers ramp up their use of digital shopping and banking as well as remote medicine communications and entertainment.” ESI’s prescription for the growing cyber infection –more investment on security will enhance ROI.

ESI found “On average firms see an overall Return on Investment (ROI) of 191% form their cyber security investments.  That means for every dollar of investment generates $2 in benefits. “Not surprisingly ESI found smaller companies tended to be less mature, including investing less, than larger one with respect to cybersecurity but they also found that “the least mature firms recognize the highest ROI since they have more to gain.”

ESI found that training programs and process enhancements among the most cost effective of cybersecurity programs. The ROI for cyber security investments in people averaged 283% and 164% for investmetns in cyber process and only about 178% for investments in technology.  However, the ESI study also found that one-third of cybersecurity investments resulted in negative ROI.

So, even assuming organizations will appropriately balance their post-pandemic resources they still need to invest in people process and technology that will be effective and agile.  While, there is no way to attest to which investments are best for individual businesses the NACD conference on cybersecurity suggested enterprise leaders ask the following questions in order to assess their ever-changing business/security environment.

•         How has our threat picture changed post-COVID?

•         What is our Plan to prevent a “remote” cyber incident?

•         Do we have written incident response and continuity plans for the new work force?

•         How has our supply chain security been affected post-COVID?

•         How does our security budget change post COVID, and why?

•         How have our compliance requirements changed?

•         Do we have Multi Factor Authentication  (MFA) as our default for all equipment?

•          Have we installed adequate encryption for all work machines?

•         Have we gotten strong confidentiality agreements and acceptable use policy statements from our remote employees?

•         What are our plans for dealing with a systemic cyber incident?

By thinking not just in a 2020 mindset, but a post March 2020 mindset, balancing economics in security for the new worked order and asking the right questions agile organizations will put themselves in the best position to survive and thrive.

| The Word of the Day isn’t Virus, its Agility