Why boards of private businesses must prioritize cybersecurity

Carlo Kristle G. Dimarucut

Imagine getting a frantic call from your head of IT. Your accounting personnel have reported that they have not been able to access your accounting system, and that they have been working on the issue for several days now. You have been the target of a cyberattack, resulting in the loss of many records.

This situation is not uncommon. Over the past year, we have seen a significant rise in similar attacks targeting private and generally smaller organizations. These attacks, while less sophisticated than the well-publicized bank heists and the government-backed intrusions into key infrastructure, make up a large portion of the cybersecurity issues that threaten organizations. They need to be managed.

INCREASINGLY MOBILE WORKFORCE
The current pandemic has changed the way people work almost literally overnight. Businesses temporarily closed their doors, and in-office employees instantly became a virtual workforce. This change has boosted online interaction, opening up companies to increased risk. In some cases, employees have taken matters into their own hands because of the perceived inflexibility of in-house IT organizations. Many have turned to cloud-based, usually consumer-grade digital solutions that they have grown accustomed to in their personal lives. In-place cybersecurity controls and protocols are being tested like never before, while threat actors are exploiting this new work environment and intensifying their activities.

Dealing with cybersecurity in smaller organizations is oftentimes not easy. There usually isn’t a single technical solution that would fix all issues and keep attackers out. More often than not, the solution is a painful process of educating users on what to do and what not to do, or upgrading an old system so that it can be appropriately supported by current vendors. However, these protocols and reminders are usually things that most board members and employees alike have grown tired of hearing about.

A recent EY survey (conducted prior to the pandemic) of over 1,100 private company leaders revealed that only 17% of those polled had made or planned on making significant investments in technology to reduce risk, including cyber risks. Additionally, 50% feared the reputational or operational disruptions caused by cyberattacks even as they began to invest in digital solutions. This is further exacerbated by the mindset of many smaller private organizations that do not pay particular attention to cybersecurity concerns until it’s too late.

Since embedding a culture of cybersecurity in an organization needs to flow from the top, boards need to be more vigilant with their oversight of cybersecurity risks in today’s new work reality. They should consider the following questions:

• With increased remote access, how is the company’s overall cybersecurity posture being optimized, and is the company evaluating whether additional technology and operations are secure?

• Has management reviewed and tested all security features (e.g., point-to-point encryption, data protection) associated with the company’s videoconferencing tools, including patching, and are vulnerabilities mitigated if patches are not available?

• What changes have been made to security monitoring procedures given the increase in remote workers? Are changes to user accounts with administrative or privileged access being more vigorously monitored?

• Are security personnel effective while working remotely? What physical (in-person) security requirements are not being performed?

• What are the contingency plans if key IT or security personnel require time off?

• How is management maintaining an effective incident response and recovery function considering the need for additional remote access technology and operations?

• Are there additional needs for software, technology, personnel or other resources to augment existing controls?

• Are system updates and patching current?

• Are employees reminded of security awareness protocols because of the increased risk of COVID-19 phishing e-mails or similar tactics?

• Is management communicating with critical suppliers to determine if they are evaluating additional steps to assess and protect their networks?

• Are incremental insider threats being evaluated, including revising print-from-home capabilities?

• What security risks might there be that are related to employee layoffs and furloughs? Are the human resources and IT security teams aligned so that user-access privileges are immediately removed?

• How is the IT security function affected if furloughs or budget cuts are executed or contemplated?

• Should the company’s security personnel review or update board members and C-suite home networks for appropriate security?

Cybersecurity in this unprecedented new work environment is an enterprise-wide concern that critically requires board mandate, support and oversight. The board needs to set the tone and the urgency of cybersecurity enhancements and preparation. As widespread remote working and increased online interactions become the new business “normal,” companies will need to reimagine and reinvent their business models.

A company’s ability to adjust and strengthen its cyber resiliency in response to the dynamics of this health crisis will position the entire organization for a more secure future as new and varied challenges arise.

This article is for general information only and is not a substitute for professional advice where the facts and circumstances warrant. The views reflected in this article are the views of the author and do not necessarily reflect the views of SGV, the global EY organization or its member firms.

Carlo Kristle G. Dimarucut is a Consulting Partner of SGV & Co.
