With the ongoing COVID-19 pandemic, the entire cybersecurity industry has undergone massive challenges and changes. In a business space that used to be dominated by minor protections like firewalls and network security systems, the game has now changed. Companies have come to identify threats to data and the need for data protection from both external and internal parties of the organization.
In this installment of the Co-create.AI series, our guest Jitender Arora, Chief Information Security Officer (CISO) for Deloitte UK, engages in an insightful discussion with Robert Webb, Advisory Board Member at Network Science and Founder of TBM partners, on the rising trends in the cybersecurity space. Prior to joining Deloitte, Jitender also worked with renowned names like Coventry Bank, GE Capital, and Deutsche Bank.
Cybersecurity during COVID-19
Regardless of the industry your organization belongs to, a threat to data is a constant. Every company in this day and age is a technology company, even if its primary focus might be elsewhere. “[Organizations] are always processing data one or the other way,” says Jitender, emphasizing the growing need to protect this information. GDPR regulations have made it imperative to secure data and increase transparency in how data security is handled on platforms.
Looking at security problems in a holistic manner has become important. Companies cannot simply spend money on cybersecurity solutions without a grasp on how to properly use them. The user interface should be simple yet effective, and personnel must be trained to bring out the maximum value of such systems.
When it comes to the changes brought on by COVID-19 and the resulting Work from Home (WFH) practices, Jitender highlights the following trends:
- The sudden shift to online working, and the changed landscape as organizations adapted to it, has been a game-changer.
- Employees might be unwittingly connected to other IoT devices that could bring in threats to organization data since the network is no longer as secure as it was in an office setting. The concept of boundaries has diminished.
- The COVID-19 situation has created a lot of anxiety and stress among employees due to isolation. Social engineering and manipulation by hackers have increased the cases of phishing, smishing, and other cyber crimes as attackers play on the emotions of their targets.
Cybersecurity Advice for Stakeholders
There should be a fine balance between preventative capabilities (defence mechanisms) and good detective capabilities in place. Organizations need to be able to determine why certain machines or systems might be malfunctioning or performing ineffectively. Equally important is for them to be able to combat the issues identified in time.
“People are the best line of defence,” says Jitender, explaining how proper training and education can make employees aware, prevent both external and internal threats, decrease the number of phishing or smishing cases, and set up a proper procedure for resolution.
When assessing which technological tools to use for fighting cyber threats, it often pays to take a step back and understand the use cases of each of these tools. Once the problem has been identified and studied, relevant technology can be applied. It is also beneficial to retire outdated methods and technologies when they no longer deliver results.
A common mistake that company executives make when it comes to information security practices is the excessive and obsessive implementation of too many technology systems without proper focus on the people aspect. It’s important to have a sense of “shared responsibility” in the organization. Under this mindset, each individual understands what’s happening and embeds the significance of information security into everyday practices to become “cyber savvy”.
Framework for Measuring InfoSec Risk & Compliance
Cybersecurity has become an important agenda for company meetings globally, especially since the onset of COVID-19. Under such circumstances, different organizations may undertake different measures to fight threats in their environment:
- Some companies have a pre-determined framework, procedure or matrix in place to deal with cybersecurity issues
- Other companies do not have such a clear-cut method, but rather prefer to handle challenges depending on the nature of the threat and what capabilities are required to neutralize it
- The most beneficial contributor to either form of combat is dialogue. Companies must have fruitful conversations with C-suite executives and board members about their concerns regarding infosec. Apart from just defensive capabilities, the organization must also ensure that it has a target in mind with respect to its current vs future maturity level
- Models and capabilities should be developed by keeping in mind the risk appetite of the company and what that means in terms of dollar value (financial resources)