HLB CYBERSECURITY REPORT 2020 - NAVIGATING THE CYBER-RISK LANDSCAPE IN THE AGE OF REMOTE WORKING - Storyblok
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
HLB CYBERSECURITY
REPORT 2020
NAVIGATING THE CYBER-RISK LANDSCAPE
IN THE AGE OF REMOTE WORKING
www.hlb.global
TOGETHER WE MAKE IT HAPPEN
2 HLB CYBERSECURITY REPORT 2020 CONTENTS IT PROFESSIONALS REPORT CYBERSECURITY CHANGES 4 CTOs AND CEOs IDENTIFY AND PRIORITISE URGENT CONCERNS 6 CYBER-ATTACKS ON THE RISE IN 2020 8 COMPANIES ARE OVERCOMING DATA PROTECTION HURDLES 10 STRENGTHENING YOUR CYBER-RISK MANAGEMENT STRATEGY 12 LESSONS LEARNED FROM LOCKDOWN 14 KEY TAKE-AWAYS: CYBERSECURITY AND REMOTE WORKING 18 NEXT STEPS: IDENTIFY YOUR CYBERSECURITY RISKS AND COUNTERMEASURES 20
HLB CYBERSECURITY REPORT 2020 3 The COVID-19 pandemic forced many organisations across the globe to adopt remote working and dig- ital processes with record speed. In doing so, CTOs and IT management faced increased vulnerabilities allowing for cyber-attacks and data breaches to take place. Overnight, organisations went from controlled office environments to diverse home worksites. Continuing business, while securing multiple virtual environments, proved to be a challenge. But remote working is here to stay, so enterprises must adjust and overcome se- curity hurdles. In light of Cybersecurity Awareness Month 2020, we surveyed 76 IT professionals about their perceptions on information security and data protection in today’s complex digital environment. We also spoke with HLB cybersecurity experts about today's cyber-risk land- scape, the lessons learned from lockdown and the road ahead for CTOs to protect against cyber-crime in the age of remote working.
4 HLB CYBERSECURITY REPORT 2020
IT PROFESSIONALS REPORT
CYBERSECURITY CHANGES
Across the globe, companies BIGGEST CHALLENGES TO
shifted teams to remote work to MAKING HOME OFFICES SECURE
reduce disruptions to business
when governments announced From securing personal devices
lockdown measures to prevent to giving access to virtual private
the further spread of Coronavirus. networks (VPNs), CTOs scrambled
While business continuity was the to get remote workforces running.
most immediate, and pressing Initially, the most significant
concern, changes also had to reflect difficulties stemmed from individual
the unexpected cybersecurity home setups, such as:
challenges of virtual workforces.
Home WiFi access. With home
The results of our HLB survey and WiFi, everything is completely
expert analysis finds that as time open, and workers use different
went on, companies settled into types of infrastructure, making
remote work yet saw an increase in it hard to standardise. Bourke
cyber threats, which led to changes remarks that organisations went
to cybersecurity strategies and from just a couple of offices to
protocol for 88% of respondents. secure, to having as many different
HLB’s Chief Innovation Officer configurations to track as the
Abu Bakkar together with Global business has employees, when they
Advisory Leader Jim Bourke and shifted to remote working from
HLB Digital partners Carlos Morales home, creating a massive hurdle.
and Gustavo Adolfo share their
experiences alongside responses
from IT professionals.
HLB CYBERSECURITY REPORT 2020 5
58%
OF ORGANISATIONS WERE
NOT PREPARED FOR A REMOTE
WORKFORCE
VPN access. Virtual private Performance. High-bandwidth video
networks provide safe connections. conferencing and various voice
However, few companies offer technologies strain home networks.
access to all employees. Adolfo Whereas some countries suffer
recognises that companies were from this more greatly than others,
using VPN, but it was not widely differences in regional infrastructure
available for all employees. For can affect remote working
example, in some cases only IT staff performance. While office buildings
and people who needed to work can work around these issues, it's
remote regularly had VPN access. harder when all of your staff are
This was a challenge they had to remote.
overcome.
Figure 1: Cybersecurity strategies changed in response to COVID-19
Q: Since the start of the pandemic, would you say cybersecurity strategies and protocols
at your organisation have…
12%
25% Remained the same
Changed somewhat
63% Changed drastically
6 HLB CYBERSECURITY REPORT 2020
CTOs AND CEOs IDENTIFY
AND PRIORITISE URGENT
CONCERNS
With any crisis, CEOs and CTOs an internal risk assessment. This
must act fast. However, during suggests that they’re confident in
the pandemic, it also required an their company’s ability to identify
immense amount of flexibility. and address issues. Still, they also
According to Bourke, “The top recognise that remote working has
concern, from day one, was altered initial risk assessments, and
access to data to ensure business it is vital to reassess.
continuity.”
MAINTAINING BUSINESS
It comes as no surprise that the CONTINUITY
first order of business for IT teams
was to quickly implement solutions Few companies can fully prepare
to support the availability of data for global locations to face similar
to the remote workforce and challenges of being shut down or
maintain operations as smoothly not having employees in the office.
as possible. But, as time went on, Bourke says, “Most companies lost
companies found ways to improve that continuity. They were able to
data access which shifted their do most things, but they couldn’t
focus to cybersecurity and data do everything. And now, they don’t
confidentiality. ever want to be in that position
again.”
And now, even though four out
of five respondents say they’re Once organisations shifted to virtual
comfortable with their level of teams, CEOs expressed concerns
security, they also mention that over staff efficiencies. These trust
their top priority is to complete issues led many to ask, “Can our
HLB CYBERSECURITY REPORT 2020 7
employees be productive outside organisations has accelerated.
the office?” Early on during the Those previously sceptical about
pandemic, Morales received multiple collaboration platforms and video
client requests for information calls to interact with others now
solutions about employee had no choice but to adopt these
monitoring systems or monitoring technologies. Many have found
services. them far more user-friendly and
efficient than they thought and have
ADJUSTING TO REMOTE WORKING changed their perceptive on them.
The initial CEO mindset of worrying
Even for companies with some about efficiencies resolved, as
remote staff, suddenly having remote workers demonstrated
dozens, hundreds, or thousands efficiency.
of employees working from
home creates disruption. Morales ADDRESSING OFF-SITE CYBER-
says, “What we’ve seen is that RISKS
many businesses are finding
out how to make working from With a quarter of respondents
home technology available. Most saying they’ve had to make drastic
organisations had local servers changes to their cybersecurity
at the office, and VPN solutions strategies and protocols, many
weren’t as solid as they should be.” organisations looked for ways
The result was a rapid shift to SaaS to transfer their organisational
solutions like Microsoft Office 365 or cybersecurity objectives into
Google Drive to share information. employees’ homes. After all, the
isolation of remote work makes
A positive that has come out of the organisations more vulnerable to
rapid shift to remote working is that cyber-attacks.
the digital adoption process within
“Many organisations were prepared for cybersecurity. But
what they weren’t prepared for was cybersecurity concerns
in a remote work environment. Decision-makers didn’t
anticipate that their entire workforce would be working
virtually. So now their mindsets shifted again to ask how
can we protect our confidential and private data that all our
employees need access to while working from home?”
JIM BOURKE
GLOBAL ADVISORY LEADER
8 HLB CYBERSECURITY REPORT 2020
CYBER-ATTACKS ON
THE RISE IN 2020
From mobile security threats Unfortunately, without reassessing
to unauthorised access to files, cyber-risk and adjusting protocols,
recent cyber-attacks shed light its possible many organisations
on an increasing problem. These don’t yet realise existing
online assaults may affect multiple cloud computing threats and
networks and computers. It disables vulnerabilities. Bourke comments,
programs and steals data. Cyber- “Knowing that 65% of organisations
attacks may also use your remote have been or may have been
workers’ computers to launch exposed during this period is scary!
additional attacks. And out of the 35% who didn’t
notice a difference, how many of
Cyber risks include reputational them may have missed a potential
damage, financial loss, and breach of data?”
disruption to business operations.
The threats are widespread with our WORKFORCE ISOLATION AND
survey finding that: PHISHING ATTACKS
• 53% of respondents were aware Our experts’ overwhelming
of unusual cyber-related activity opinion is that phishing attacks are
and/or attacks since the start of increasing, with a trend pointing to
the pandemic; cyber-attacks involving employee
• 12% reported their organisation login details to their virtual work
had been breached; platform being targeted. These
• yet, the remaining 35% responded primarily ask users for their logins
they had not noticed a difference. on tools like Microsoft Office 365 or
Dropbox.
HLB CYBERSECURITY REPORT 2020 9
According to Bakkar, social open the document or click on a
engineering is also rising. He says payment link. The fact that so many
remote workers may be more of our processes have changed in
vulnerable to phishing emails that a short period of time and have
get people to click on a link. This become less personal due to their
is especially true with employees remote and digital nature, it is easier
who attend physical or virtual to social engineer an attack.
events and leave a digital footprint.
Bakkar shared a recent instance Social isolation also plays a role
when hackers followed their target, here, as in an office environment,
an event attendee, on social media you’d ask a co-worker for their
to see what they were doing. Then input or pop into the administrative
they sent him an email seemingly assistant’s office to double check
from the event organisation with what you received is correct if
the message “here’s your invoice.” you have a moment of doubt. But
In this case, the target knew to remote workers must make these
double-check the request before small decisions on their own and
paying the invoice. However, many often, the consequences can be
newly remote workers may simply disastrous.
Figure 2: Organisations notice increase in suspicious cyber activity
Q: Have you and/or staff members at your organisation noticed any unusual cyber-related
activity and/or attacks since the start of the pandemic?
12%
Yes, we have been breached
35%
Yes, we have seen an increase in
activity that could lead to a breach
53%
No, we have not noticed any differences
since the start of the pandemic
10 HLB CYBERSECURITY REPORT 2020
COMPANIES ARE
OVERCOMING
DATA PROTECTION
HURDLES
With business continuity addressed, 3. Develop a cybersecurity incident
organisations turned to security. But response plan:
there isn’t a one-size-fits-all solution Many cybersecurity incident
to this complex problem. Instead, response plans relate directly to
professionals must assess a range the corporate offices, not remote
of pressing issues then develop workplaces, which makes it essential
an approach that works outside for CEOs to reassess their reporting
of the office. When asked to rank procedures and responses.
five actions in order to strengthen
cybersecurity in order of priority, 4. Revisit cloud computing
respondents provided the following strategies:
ranking. HLB experts provided As organisations move through
commentary to each: various stages of digital
transformation, the three tenets of
1. Conduct an internal security risk information security prove vital. To
assessment: meet this challenge, executives must
Changing infrastructure to allow understand where data availability,
data availability makes businesses confidentiality, and integrity fit into
more exposed, which is why our home offices.
respondents listed internal security
risk assessments as a top priority. 5. Complete third-party
cybersecurity risk assessments:
2. Update cybersecurity training for Although our respondents listed
workforce: this low on their priority lists, our
Attackers exploit vulnerabilities in experts point out how security risks
software like Microsoft Office 365 include our interactions with third-
and Zoom. As a result, training party vendors. Our interconnected
programmes and objectives need supply chain means that what
to be revised. Many organisations happens to your supplier can affect
already rolled out additional any number of your remote team
cybersecurity training videos to members or the entire organisation.
meet new challenges as new ways
of working were adopted.HLB CYBERSECURITY REPORT 2020 11 ‘‘One of the positive side effects of the pandemic and rapid shift to remote working is that the adoption speed of digital processes and platforms by employees has accelerated. Where some people were slow to adjust to new, more digitised ways of working before, now they did not have a choice.’’ ABU BAKKAR GLOBAL CHIEF INNOVATION OFFICER
12 HLB CYBERSECURITY REPORT 2020
STRENGTHENING YOUR
CYBER-RISK MANAGEMENT
STRATEGY
When asked about the level of Bourke notes, “From a cybersecurity
security across the three tenets month perspective, it’s worth
of information security, one in noting that the question about
five respondents doesn’t believe data confidentiality should have
their online systems are secure. In been answered with 100% secure.
a regular work environment, it’s We have rules and regulations, like
simply unacceptable for anything GDPR, so we should be secure.” Yet,
less than 100% security. But with some organisations have trouble
remote work, we’re seeing 21% of managing data security as they
respondents question their data would under normal circumstances
integrity. and have not yet completely caught
up.
Figure 3: One in five do not consider tenets of information security 100% secure
Q: How secure do you consider the following three tenets of information security at your
organisation?
Data
availability
Data
confidentiality
Data
integrity
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
very secure secure not secure not at all secureHLB CYBERSECURITY REPORT 2020 13
To manage cyber-risk, it’s necessary accurate and that it has not been
to adapt the three tenets of inappropriately modified.
information security to remote
working environments: Data availability. The objective of
availability is to ensure that data
Data confidentiality. The idea is available to be used when it is
is to ensure information is only needed to make decisions. For
provided to those who are remote working to work, your
authorised to manage or view it. people need access to the data they
Measures are designed to protect need to do their job. It’s as simple
against unauthorised disclosure as that. But balancing availability
of information. In an office with confidentiality and integrity
environment this is easier to enforce requires strategic planning and
whereas when users are working infrastructure.
remotely it becomes increasingly
complex and risky. Every threat to security is not
necessarily malicious. Major security
Data integrity. Stakeholders and breaches have been caused by well-
employees at all levels must have intentioned users, which is why
confidence in the systems and data. security training is essential. Access
Moreover, data integrity is a key to data should be given to users
component of meeting regulatory on the principle of least privilege,
compliance standards. Ensuring which means that the level of access
the quality of the data you collect given to users should be confined to
and keeping it up to date comes what they need to accomplish their
down to internal access and data duties.
management. The principle of
integrity is designed to ensure
that data can be trusted to be14 HLB CYBERSECURITY REPORT 2020
LESSONS LEARNED FROM
LOCKDOWN
When the pandemic hit, and many countries adopted lockdown
measures to prevent COVID-19 from spreading, business leaders’
priority was business continuity. However, the cyber-risk
management lessons learned continue to build on the common
themes of agility and resilience.
LESSON 1: Improve However, increased awareness and
training can combat this issue, along
cybersecurity training and with addressing the heightened risk
support of phishing scams and other cyber-
attacks. Adolfo says, “The isolation
It takes a 360-degree approach of people is a risk factor. You have
to manage cyber threats. secluded people, and they have to
Workforce training ranked make decisions on their own.” The
second in terms of priority as fact that this makes them more
indicated by our respondents. vulnerable is something they might
Morales reports an increase in not be aware of and is something
questions from business leaders that needs to be addressed in
about making and enforcing security training fit for the current
rules for remote offices. This is circumstances.
a tricky area, because “you can
have an NDA for your employee, Moreover, Bakkar claims, “Your
but you can’t have an NDA for workforce is your most significant
a life partner, cousin, or anyone asset yet also your biggest liability.
else in the home.” Keep in mind You can increase protective
that people may unintentionally measures, but if your people are
or without maleficent intent not trained, then they give access
leak information. So, preventing to the wrong people and open your
leaks of confidential information organisation up to vulnerabilities.”
can get complicated in remote Combat this by assessing your
environments. support channels, surveying your
employees and identifying ways to
help them navigate remote work
safely and securely.HLB CYBERSECURITY REPORT 2020 15
Figure 4: Levels of readiness for lockdown varied
Q: To what extend were your IT infrastructure and cybersecurity protocols prepared for
lockdown and remote working?
13%
Not at all prepared
42% Somewhat prepared
45%
Well prepared
LESSON 2: Don’t wait to Infrastructure plays a crucial role
in data confidentiality, so now
prepare IT infrastructure that data is accessible in more
and cybersecurity places, professionals are under
protocols pressure to address their approach
to cybersecurity and regulatory
While 42% of IT professionals compliance standards while people
claim the IT infrastructure and remote work. According to Gartner1,
cybersecurity protocols of their companies must invest “to protect
organisations were well prepared for the technologies that support their
operating the business remotely, the business outcomes. Understanding
majority stated they an organisation’s most important
were somewhat prepared (45%) outcomes, its most important
or not at all prepared (13%) for processes, and its most important
lockdown. Bakkar says, “Everything technology outcomes are the first
happened in such a quick, short step in putting a business context
time. If your infrastructure is not set around cybersecurity.”
and ready, then you have issues with
data confidentiality and figuring out
who has access to what.”
1. Gartner, 2020. The Gartner Business Risk Model: A Framework
for Integrating Risk and Performance16 HLB CYBERSECURITY REPORT 2020
LESSON 3: Think long- LESSON 4: Regularly assess
term relief not short-term cloud computing threats
solutions and vulnerabilities
Organisations did not anticipate the A recent study by Oracle2 reports
length of time the workforce would that two-thirds of senior executives
be working remotely for. say cloud native is integral to
While data availability was the first their firms’ competitiveness. The
concern, now as remote working way we are operating today and
looks like it’s here to stay, data accessing data is different from the
security needs to be strengthened. way we were working a year ago.
Bourke says, “CTOs may have been Adolfo notices a considerable jump
prepared for employees to work in requests for internal security
remotely, but they weren’t ready for assessments. “Everyone’s focus is
the cybersecurity concerns around on internal security. The pandemic
employees working remotely for an has given rise to this assessment;
extended period of time. They didn’t everyone wants to know if they’re
anticipate cybersecurity concerns good. So when we go in and do
with a stretch of months or maybe a these assessments, we’re finding
year or more.” exposure in areas not anticipated
before the pandemic.”
Whether you believe remote
working a temporary solution while While data availability was essential
the world combats a pandemic, to business continuity, data
or that it is here to stay for good, confidentiality and data integrity
you need to start thinking long- have become more challenging to
term relief. Just as businesses are govern. It is likely circumstances
reviewing their office space leases will be ever changing and therefore
and plan to scale down the amount advisable to conduct regular
of office space they use, so should assessments of vulnerabilities. In
CTOs plan for cybersecurity in particular as they relate to cloud
a world where people will not computing.
return to a single controlled office
environment.
2. Oracle, 2020. Cloud 2020: Cloud Accelerates with UrgencyHLB CYBERSECURITY REPORT 2020 17
‘’We are all part of the business
ecosystem. This means that we are very
interrelated and depend on our suppliers.
So when a supplier of ours is hit by a
cyber-attack, it will affect us as well.’’
LESSON 5: Addressing
cyber risk is an GUSTAVO ADOLFO
PARTNER, HLB DIGITAL
organisation-wide
exercise
As we’ve noted, a current top first to get buy-in from decision-
priority for IT professionals is makers. Then empower them to get
doing an internal risk assessment. everyone else behind your program.
But don’t limit conversations
to only business leaders. It’s It is important to avoid reactive
essential to start a company-wide fear-based decision making. Often
conversation about the three tenets this is the result of asking staff and
of information security. Traditionally, stakeholders the wrong questions
digital transformations take a leading to poor cybersecurity
long time. But under the current investments. The ultimate focus
circumstances, adoption of digital should be on addressing employee
technology has been accelerated. behaviour and helping them realise
To get everyone on board with your how they impact security as a
cybersecurity strategy, it’s necessary whole.18 HLB CYBERSECURITY REPORT 2020
KEY TAKE-AWAYS:
CYBERSECURITY AND
REMOTE WORKING
So what can your organisation do to ASSESS YOUR ENTIRE
promote cybersecurity awareness CYBERSECURITY PROCESS
during the age of remote work?
Our experts offer their top tips for Jim Bourke recommends revisiting
managing your cyber risks while cybersecurity training for
supporting your virtual workforce. workforces. And if you haven’t done
a cybersecurity assessment in the
ACKONWLEDGE THE RISKS last six months, then you need to do
one immediately. Lastly, it’s essential
Carlos Morales suggests that to re-examine your cyber risk within
an underlying issue in most and outside of your organisation.
cybersecurity concerns is that For instance, you rely upon your
many companies don’t realise their vendors and your customers. Their
vulnerabilities. Business leaders security concerns become yours.
focus on continuity and giving
people access to the data they
need to work. But it’s essential
to acknowledge that the current
circumstances increase risk and ‘‘The first step in tackling cyber-risks is
may lead to a data breach or acknowledging they exist, and they are
privacy concerns. a real thread to the business. And that
is something that, at least in Central
America, I don’t think always is the
recognised.’’
CARLOS MORALES
PARTNER, HLB DIGITALHLB CYBERSECURITY REPORT 2020 19
ANALYSE DIGITAL INTERACTIONS
IN AND OUTSIDE OF YOUR
81% OF BUSINESS
LEADERS ARE EXPLORING
COMPANY
MORE FLEXIBLE WORKING
Gustavo Adolfo agrees with Bourke ARRANGEMENTS3
and adds that risk assessments
need to rely on data analysis
to determine if rules have been
broken or if unusual activity or BUILD CYBERSECURITY INTO
abnormal parameters in business YOUR BUSINESS STRATEGY
occurred. Because it’s possible that
respondents who reported no data According to Abu Bakker,
breaches or changes in activity cybersecurity isn’t just about
that could lead to a breach, simply protocols; it needs to be part of
haven’t noticed them. Moreover, your overall business strategy.
our business ecosystem and current CEOs must work closely with
events highlight the dependencies their CTOs and IT consultants,
we have with vendors. These third- and recognise the investment
party companies are embedded in needed in this area. Organisations
our supply chain or daily operations, require the right technology, so
making them more critical than in cloud adoption is critical. But your
previous years. It can be possible for teams must know how to use it,
cyber criminals to find a way into making training equally important.
your organisation via your vendors. By combining all facets into your
strategy, you’ll present a consistent
and comprehensive approach to
cybersecurity.
3. HLB International, 2020. HLB Survey of Business Leaders: The
Execution Challenge for New Decade20 HLB CYBERSECURITY REPORT 2020 NEXT STEPS: IDENTIFY YOUR CYBERSECURITY RISKS AND COUNTERMEASURES So are you one of the 53% of IT professionals who’ve noticed an increase in activity that could lead to a data breach? Or could it possibly have gone undetected in your organisation? As attacks continue to increase globally, executives must adjust operations to account for changes while finding innovative ways to build resilience into every aspect of a business. Take your next steps by: • Start with a Cloud risk assessment checklist. • Assess third-party vendor risks. • Analyse data sets to see if any breaches already occurred. • Identify the role your cybersecurity measures play in your business strategy. • Develop cybersecurity training for remote workforces.
CONTACT US
Our cybersecurity experts are ready to help identify
risks and secure your business in today’s remote
working environment. We operate across 158
countries wordwide. Get in touch:
Abu Bakkar
Global Chief Innovation Officer
a.bakkar@hlb.global
Jim Bourke
Global Advisory Leader
j.bourke@hlb.global
Gustavo Adolfo
Partner, HLB Digital
g.solis@hlbdigital.global
Almerindo Graziano
Partner, HLB Digital
a.graziano@hlbdigital.global
Carlos Morales
Partner, HLB Digital
c.morales@hlbdigital.globalwww.hlb.global
TOGETHER WE MAKE IT HAPPEN
Endnotes
1 gartner
2 oracle
3 HLB
© 2020 HLB International Limited. All rights reserved.
HLB International is a global network of independent advisory and accounting firms, each of which is a separate
and independent legal entity, and as such HLB International Limited has no liability for the acts and omissions
of any other member. HLB International Limited is registered in England No. 2181222 Limited by Guarantee,
which co-ordinates the international activities of the HLB International network but does not provide, supervise
or manage professional services to clients. Accordingly, HLB International Limited has no liability for the acts
and omissions of any member of the HLB International network, and vice versa and expressly disclaims all
warranties, including but not limited to fitness for particular purposes and warranties of satisfactory quality.
In no event will HLB International Limited be liable for the acts and/or omissions of any member of the HLB
International network, or for any direct, special, incidental, or consequential damages (including, without
limitation, damages for loss of business profits, business interruption, loss of business information or other
pecuniary loss) arising directly or indirectly from the use of (or failure to use) or reliance on the content of this
Website or any third party website, or from your use of any member’s services and/or products. Any reference
to a member’s services or products should not be taken as an endorsement.
HLB refers to the HLB International network and/or one or more of its member firms, each of which is a
separate legal entity.You can also read
