The COVID-19 pandemic has changed the way many businesses do business – for some, irrevocably. It’s also made them more aware of the need for resiliency and the role cybersecurity must play in ensuring that an organization can continue operations in the face of disruptive events.
While many regulatory bodies around the world are relaxing enforcement during the crisis, newly critical organizations need to plan for longer-term regulatory compliance, because stronger enforcement will return once we go back to life the way it was. Data security and data management will both be challenges after the crisis – in some cases, newly critical organizations will need to dispose of data that they no longer need.
The first step for all critical infrastructure companies – both new and traditional – is to reassess their cyber risk. Processes will change (the work at home model being an excellent example), and habits developed during the pandemic (such as ordering groceries online) are likely to become permanent for many people. These changes will have a corresponding impact on each organization’s risk footprint, requiring an evolution of both security and compliance technologies and processes.
Newly critical organizations are under tremendous stress right now because they are not accustomed to operating in a world where failure is not an option. By taking steps to implement proven security frameworks and adopting best practices, they can not only reduce the risk of business interruptions during the pandemic; they can also support potentially greater business agility and cyber resilience in the next normal.
Here are 4 key lessons from cyber resilience experts.
- Broaden your approach to resilience
A recurring issue among organizations has been distinguishing between cybersecurity and cyber resiliency. TMX Group CISO (Chief Information Security Officer) Bobby Singh explained that cyber resiliency is being able to deliver critical business services when a negative security event is taking place. It’s the ability to be nimble and agile, while building modularity into your architecture.
Some organizations believe that their disaster recovery plans cover their resiliency needs. That’s not the case. It goes beyond business continuity plans (BCP), too. Singh explained that when businesses do a BCP, they assume that anywhere from 10% to 50% of their staff will still be onsite to perform operations. That wasn’t the case when COVID-19 began to spread. “During the March pandemic,” he continued, “it was just literally 99% of the people that were offsite.”
- Cyber resilience does not happen overnight
To achieve cyber resiliency, a business needs to understand its full value chain. It must know how its business services get to its clients or customers and what that entails, as well as how diversified its suppliers are.
- Prepare for the ‘next normal’
During the first stage of the pandemic, many businesses were scrambling to enhance their network capacity to accommodate remote workers, explained Christina Richmond, program vice president for security services at IDC. After dealing with initial capacity issues, they moved on to capacity optimization. They continued enhancing their network capacity and remote working capabilities, as well as looking at how to secure people working from home. They also started to consider recovery.
Finally, they started to look at resiliency and how they could prepare for the future. That accelerated migration to the cloud and digital transformation. “Companies are changing rapidly to embrace cloud in a way that they never thought they would, even if they were on that path to embrace cloud,” Richmond said. “They’re embracing digital business in ways that they never thought they would. Suddenly, it was an urgent necessity.”
Now bitten by the digital bug, as organizations move toward the “next normal,” they’re going to spend more aggressively, she predicted. And they are going to start to innovate again, she said. “They’ll focus on technologies that advance their digital capabilities in ways that they really didn’t think about before. Or if they had thought about it before, they’re accelerating those plans.”
- It takes the right team
As digital transformation takes hold in more and more companies, resiliency will play a vital role in securing business operations. But resiliency will require workforce, which seems to be in short supply these days. “You’re not going to fill them by hiring propeller heads or coders or developers or people in network security. We’ve got to broaden the horizon,” Singh said.
A cloud-first, zero trust security architecture offers solutions to companies looking for efficient ways to enable workers to be productive remotely while maintaining security, increasing flexibility and cost efficiency. A successful cloud-first, zero trust architecture requires key components that include effective identity and access management, remote access to internal applications through identity-aware proxies, and cloud-first security tools like host-based firewalls. As remote work looks to continue for the near future, companies must ensure that their cyber security strategy remains effective in meeting their security needs.