Amid the past month’s coronavirus disarray, one of the most impressive achievements has been the IT sector’s remarkable success in moving a huge slice of our workforce into teleworking.
One CEO I spoke to this week had been planning for a big move to telework that would occur over many months; instead, his IT department moved half the organisation to teleworking in less than a week. "And it’s fine," he said, in a tone of mild shock.
He’s right, mostly. I hear from many senior corporate figures that they are seeing some people in their business working more productively from home than they did in the office. That reinforces a conclusion I’ve mentioned in this column already: our sudden new teleworking boom will outlast this temporary crisis.
But the work is not all done. Among many other tasks, organisations need to quickly move to shore up their suddenly weakened cybersecurity.
A jump in risk
The move to teleworking has dramatically raised organisations' cyber-risk profiles.
Not only that, but it has happened in many cases without any explicit change in organisational policy.
If you’re surprised by this – well, what did you expect? IT staff hate risks. But organisations had to move wholesale into teleworking within one week in March 2020 or die. So, their IT staff made it happen.
And of course, they cut corners to do so. That’s the difference between "five months from now" and "by the end of the week".
Deloitte Cyber Strategy and Governance partner Tommy Viljoen is one of the most organised and articulate people I’ve heard speak about these new cyber-risks. "The speed at which this change has occurred," he says, "has meant that in order for organisations to continue businesses, their business has had to relax some of their controls."
In just a fortnight, we’ve seen an unacknowledged "stealth" easing of cybersecurity all around the world.
And as Viljoen points out, cybercriminals have begun trying to take advantage of this new environment. McKinsey says it has already seen cyberattacks on government organisations and a major European hospital.
This poses two huge challenges for organisations of every size.
The first challenge is to fit what you're doing into the available bandwidth. "A lot of organisations just don't have the networking infrastructure to be able to cope with their workforce working from home," says Viljoen. It's vital for managers to understand that organisational IT staff have had to find new solutions in an enormous hurry – and many of those solutions weaken security dramatically. That inevitably raises the risks in your network.
The second challenge is to enforce good security behaviours, in an environment where people are newly disconnected and thirsty for knowledge. Says Viljoen: "Some of those good behaviours that we've entrenched in people … are suddenly going out the window".
The new threats emerging in recent weeks are led by malware embedded in emails that address coronavirus threats – often phishing emails that purport to come from an organisational leader. People want to click on them to find out what's going on. And the McKinsey cybersecurity team point out that normal security warnings may not cut through because staff are deluged in new information.
The best answer, say both Viljoen and the McKinsey cybersecurity experts, is a sort of digital triage:
- Increase the exposure of systems that people really must use to keep the business going.
- Favour platforms where you can quickly implement multi-factor authentication (MFA).
- Consider virtual private network access for some users.
- In all cases, prioritise security measures for people with the highest access levels and the most sensitive data.
- Roll out measures at modest scale before implementing more broadly.
Cyber-security fixes will need to be simple to implement, because "IT staff are slammed" with requests for things like simply installing new apps, Viljoen says. And you'll need people to talk your new home workforce through what they need to do to implement anything you roll out. As the McKinsey team says: "Scaling up multi-factor authentication can be challenging … The protection it will add calls for a surge in short-term capacity."
The big change
Over the months and years ahead, Viljoen expects that this episode "will fundamentally change the way we operate". Decentralisation of IT will accelerate, he says. More and more organisations will invest more money in cloud solutions, which will help decentralise organisational IT, but will also bring their own security challenges and a need for new types of controls – notably, monitoring of a more diverse collection of IT tools.
"I don't think anyone envisaged that we would be where we are today, even a week ago", Viljoen said to me at the end of March. "We have to change at speed. And so, we're not going to get everything right immediately. What we do need is to go back and check what we've done is appropriate."
This is the new world. More than ever, we need to be at our best and brightest.