The coronavirus pandemic accelerated the journey towards the fourth industrial revolution and new threats emerged in the process. Business leaders must therefore think about cybersecurity in a new way, writes Dani Michaux.
Over the past year, we have seen significant geopolitical changes driven by the impact of COVID-19, forcing organisations to strengthen their resilience. The realisation has also dawned that the world as we once knew it has changed.
Amid all of this, I see a new and very different operating model emerging for business. That new operating model is based on various restructuring activities, accelerating digitalisation initiatives, alternative partnership models, and a sharper focus on core activities. As organisations pivot, it is essential to reflect and consider the risks that may emerge as part of these organisational changes. What do the changes mean for the organisation, its supply chain partners and players, connected industry, government, and broader society?
One prominent challenge is the need to safeguard the new digital ecosystem, which underpins this transformation, from cyberattack and information infrastructure breakdown.
The world kept turning in 2020
During the early part of 2020, we saw an increased number of CEO identity frauds, payment frauds, ransomware attacks, and crude attacks on insecure cloud services. As the year grew old, we saw more complex attacks targeting supply chains, major cloud environments, remote working applications, security product providers, and even critical infrastructure services.
This time last year, we claimed that cybersecurity is key to achieving the fourth industrial revolution. COVID-19 has accelerated that revolution and the use of digital and cloud technologies in both the public and private sectors. Those technologies are now fundamental to our society.
Sadly, the pandemic has also shown that organised crime is opportunistic and ruthless in exploiting events to gain financial advantage. Thus, we witnessed a steady stream of high-profile cyberattacks on private enterprise, government, and social media platforms during the year.
It is nevertheless encouraging to observe the pace at which organisations rolled out robust digital infrastructure during difficult times and the collaboration between business, technology, and security teams to safeguard these rapidly deployed services. It illustrates how these often-siloed parties can work together effectively to introduce secure innovation at market speed.
COVID-19 has propelled Chief Information Security Officers (CISO) into a new dimension. Suddenly, they must manage thousands of home-working sites, personal devices, and a rapid shift to the cloud. The CISO has moved from securing corporate IT boundaries to a broader view of enterprise security.
The timescale for many cloud migration projects has collapsed from years to months in the race to meet fast-changing business needs. Hyperscale cloud providers are increasingly dominant and intently focused on security.
To succeed in the future, security teams must:
- Reskill employees to reflect the split of responsibilities between enterprise and cloud-service providers;
- Adapt to agile development methods and new digital channels; and
- Enact these innovations while cloud security skills attract a premium salary as the global job market competes for much-needed talent in 2021.
The rise of supply chain attacks
Political and business leaders have become alert to the global interdependence of many critical functions and the nature of risk that cross-border supply chains have. The pandemic made these murky operational and systemic risks real and gave people pause for thought.
Supply chain attacks are not new. However, in the new highly digitalised and interconnected world, they are becoming more prominent. Frequent attacks raise concerns about organisations’ ability to remain resilient.
We have seen several prominent cases over the past few years. Examples include the Target cybersecurity attack, where a network intrusion may have exposed approximately 40 million debit and credit card accounts; a global cyber-espionage campaign known as ‘Operation Cloud Hopper’, which formed part of a shift to target managed service providers; a worldwide campaign against telecommunications providers called ‘Operation Soft Cell’; and the latest cyberattack on Solarwinds, a global provider of network management solutions.
A common theme in these attacks is the presence of third-party providers of hardware, services, or software. In complex infrastructure, set-ups that include rapid pivoting to new environments and dependencies on third-party suppliers are both common and intimate.
Third-party providers are targeted with the ultimate aim of reaching a bigger mark. The methods and duration of the compromise vary, but there are some common patterns. These include exploiting speed and rapid deployment challenges and looking for exposures in security controls as firms shift rapidly to new technology. Of course, smaller organisations within the supply chain may also attract greater attention, based on the assumption of reduced sophistication and scale of security operations.
Lessons can be learned from sectors like oil and gas, where human safety is at the top of executive agendas and assumptions are challenged continuously. It starts from the proposition that you cannot assume that anything will work in the event of an explosion. For example, a company might have a procedure to pre-book hospital beds for casualties, but what happens if the hospital doesn’t have a burns unit? What happens if the ambulances can’t get to the site of the explosion? These things have to be planned for in advance, requiring creative paranoia and a certain mindset. That’s the type of culture of resilience that should be in place in all organisations. It is a question of overall operational resilience, not just the resilience of IT systems and security.
In this complex world, organisations should address the following practical questions:
1. Understand the risks and dependencies in the supply chain. Here are some questions to ask: What are the threats and exposures associated with third-party access to your environments, services, and products? Do you have contractual agreements in place with clear service level agreements concerning expectations around cybersecurity? Are you in a position to monitor those, including supplier activities? Do you monitor exposures and cyber risks associated with the supply chain and discuss these issues as part of an ongoing agenda within the organisation’s management and risk committees?
2. Understand the full extent of the supply chain within the existing environment and any changes arising from new digitalisation initiatives. Here are some questions to ask: How has the profile changed based on the rapid digitisation, restructuring and transformation initiatives in place? Do you have a view further down the supply chain (to fourth- and fifth-party providers, for example)?
3. Make arrangements to respond to supply chain cyberattacks collectively. Here are some questions to ask: Are there any mechanisms in place? Have you exercised these? Has the organisation included lessons learned from previous attacks? How has the organisation adapted based on the lessons learned from incidents? Are any other improvements required?
Stepping into the future
As we look to the future of highly digitalised and scalable environments, resilience will be paramount and non-negotiable. Organisational resilience will rely heavily on the stability of the end-to-end supply chain. However, it will also require a new approach to data security.
The hunt will be on for cybersecurity orchestration opportunities, robotic process automation around manual security processes, more integration with key IT workflows, and new managed service and delivery models. Third-party security may also need new models for more dynamic risk management and scoring, including better tracking of supply chain stresses.
Of course, assessments such as SOC 2 and ISAE 3402 will play a growing role as firms seek to provide evidence once to satisfy myriad client questions about cybersecurity. However, we can also expect to see the rise of ‘utility models’ where intermediary organisations aggregate client assurance requirements to undertake a one-size-almost-fits-all assessment of suppliers’ cybersecurity. This is already happening in the UK with the support of financial regulators.
Over the last few years, firms have also sprung up offering risk scoring services based on a scan of a firm’s internet-facing services. They also monitor for data disclosures in the shady corners of the internet and alert customers to a potential supplier problem that they may not be aware of or are yet to disclose. Large companies will often ask these risk-scoring services to monitor hundreds of suppliers.
As the outsourcing of non-core business services accelerates, it is worth asking: do you pay sufficient attention to your dependency on third-party actors who are now integral to your security and resilience as a business?
As we look to the future, organisations will need to move on from thinking exclusively about enterprise firewalls, anti-virus software, and patching policies. Instead, they will need to consider approaches to security. This begins with the premise that a company’s success is based upon its reputation, which is ultimately a manifestation of the trust others have in its offerings. This mindset leads companies to embed security into products and services, but it also focuses attention on protecting customers, clients, and those increasingly important supply chain partners. It emphasises stewardship of the trust they place in you when they share their most sensitive data or show their willingness to become dependent on you.
No organisation is an island, and all of us are part of an increasingly hyperconnected world. In that world, trust in supply chains and ecosystem partnerships matters more than ever.
Dani Michaux is Head of Cybersecurity at KPMG Ireland.