Operational Risk Revisited in the Wake of COVID-19
Mark Lanterman | June 12, 2020
In my March 2017 article, "Understand the Layers of Cyber-Security and What Data Needs Protecting," I wrote on the dangers of operational risk in considering the far-reaching impact of cyber threats in both the short- and long-term.
I also discussed the immediate problem of an organization that is unable to perform necessary tasks and procedures following a cyber attack or breach and the need for proactive security strategies to counteract this particular type of risk.
At the time of writing, I did not anticipate the extent of the looming COVID-19 pandemic and the huge effect it would have on nearly every facet of daily life, especially business operations.
Responding to COVID-19 Scams
Countless pieces have been published on the ramifications of the increased reliance on remote work capabilities and the Internet of things during the COVID-19 age, and it will continue to be important to consider COVID-19's role in unearthing the business continuity gaps that may have existed in our organizations leading up to the beginning of the pandemic. Many companies were left scrambling to enable their employees to work remotely while struggling with the logistical challenges that remote work brings. Others were made aware of just how difficult it was going to be to effectively train and educate employees on current cyber threats, specifically those related to COVID-19.
Between January 2020 and mid-May 2020, the Federal Trade Commission (FTC) has had 50,827 overall COVID-19 scam reports with $37.16 million reported losses. 1 By taking advantage of the fear and uncertainty caused by the pandemic, cyber criminals have turned to phishing schemes as a way to target victims. Remote work tools, such as Zoom, are also threatened by this wave. Given the circumstances and inherent challenges already present in remote work, organizations face an even greater risk for operational failure.
Security Training Is Key
Managing this risk can be mitigated in part with simple security best practices, such as the use of virtual private networks, multifactor authentication, avoiding public Wi-Fi, securing endpoints, strong passwords, email encryption, updating software when necessary, and using only approved technologies and devices while working remotely. Communicating these practices to employees is critical, as well as training in phishing attack awareness and social engineering.
As is always the case, the "human element" of security is the most important factor in a strong security posture; likewise, it is the most vulnerable to attack as humans tend to be much easier to hack than our technologies. Instructing remote employees in what will be communicated electronically, as well as the general guidance to slow down if an email seems urgent, appears in any way suspicious, or makes a request that goes against standard procedures, are also important components of managing security from a distance.
Conclusion
As many states begin to open back up, we also have to ask ourselves how to safely return employees to their physical workspaces while remaining capable of providing remote work options. In the coming weeks, striking a balance will be an ongoing challenge and one that greatly affects business operations.
As I discussed in my last article, clear communication to employees, the ability to report cyber events, and cyber-specific leadership are all necessary to best address operational risks. These days, highlight the need for proactive strategizing and preparation when it comes to security and technology, even in the midst of unpredictable and unprecedented circumstances.
Footnotes
Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.
