In the final installment of this three-part series on risk management, let’s look beyond the business crisis scenario of Covid-19. Consider this: are we simply experiencing a seasonal shift that returns to the norms of a pre-quarantine world or is this a climatic shift in the way we do business and view cybersecurity priorities going forward?
eSentire manages over $6 trillion in assets under management, a term we borrow from our hedge fund customers. In 2012, this industry segment was the core of our customer base. Together, we learned from Hurricane Sandy, the deadliest storm of the hurricane season. The storm killed 233 people in eight countries, affected 24 U.S. states, caused major flooding in Manhattan streets and subway tunnels and was responsible for $64 billion in damage.
That storm taught us two lessons. The first was that criminals take advantage of the havoc caused by natural disasters and other crises. Our security operations team studied traffic analytics for a three-month period around Hurricane Sandy. Data showed a 30 to 40 percent drop in network traffic across our client base located in New York City for the two weeks during and after the hurricane. However, the level of threats remained constant throughout. In fact, the week following the hurricane, attacks spiked by 30 percent!
Cybercriminals quickly moved to take advantage of chaos caused by the storm. Employees couldn’t get to work, blocked by flooded subway lines. And massive power outages ensured office buildings in Lower Manhattan were vacant. All that data just sitting there without the usual contingent of IT security supervisors … the world’s bank vault was open and the guards were stuck at home.
The second lesson was that disastrous events often reset the bar by which we define acceptable business operational policies. Disruption caused by Hurricane Sandy instantly became the new standard that business continuity (BCP) and disaster recovery (DR) plans were measured against. As the American Bar Association’s Cybersecurity Handbook puts it: “If a client’s disaster recovery plans cannot pass the ‘Hurricane Sandy test,’ such plans might also fail if cyber incidents caused prolonged disruptions.”
And most plans failed during Sandy. The majority of the client data for major financial institutions resided in data centers located in New Jersey, a quick ferry ride across the Hudson River. Turns out, category 2 hurricanes don’t follow state lines, operations were crippled and data was exposed during the cleanup. In hindsight, it’s an obvious flaw in any BCP/DR plan.
When the waters of Sandy, as well as Katrina receded, they left stains behind that marked the depth of the flooding. And Covid-19 will not only leave its mark as a worldwide human tragedy, but also will likely drive new models for business risk management. At this time, many of use are still working remotely, so we still don’t know if this is a seasonal migration or a climatic shift. When world economies open for business again, have we changed the way we do business more permanently?
For instance, are we moving into a world where banks are virtual? What constitutes a bank? Is it the physical structure, its assets, or its customers’ data? Similarly, at a conference last year, the head of the Harvard Law School posited that the concept of the court was no longer an imposing building in the town square. Now, it’s the economic and quick disposition of legal decisions. It’s not about a building, it’s about its value to society. Likewise, the office tower may no eventually no longer serve as a vanity metric for successful companies.
I’ve often joked that we’ve shifted from the bring your own device (BYOD) model in which we use personal smartphones for business purposes to a broader spectrum of personal property for shared business operations. Now it’s BYOH: bring your office home.
How many firms will embrace the financial benefits of work from home? Assuming their business model survives to support remote workers (such as knowledge workers, customer service, call centers, etc.) and easily adapted to the quarantine. How soon will it be before the bean counters question the necessity of brick-and-mortar overhead?
From a risk management perspective, how would this shift affect security programs? For BYOD, mobile device management (MDM) tools were developed to better secure personal phones. You can bet venture capital firms already are looking to fund security startups that can better secure personal routers, provide the home office equivalent of easy-to-use commercial firewalls, etc. Endpoint suppliers also will ride this wave with brands such as CrowdStrike and VMware Carbon Black in the catbird’s seat.
If this shift is climatic, then the pandemic will have truly served as a forcing factor. Cybersecurity is no longer about perimeters. The analogy of a bank building with guards and a vault doesn’t work when the employees are not resident in the building, nor is the money (data) that has migrated to the cloud. It means cybersecurity professionals must shift their focus and thinking.
Embracing cybersecurity as a factor in corporate risk management means firms can adapt quickly. Risk management isn’t wedded to specific security paradigms or technologies … it is a fabric that expands to cover the full spectrum of a business. Companies that view security through the risk management lens can expand the aperture to focus on a wider field of view. Companies that view security through a static paradigm of rigid perimeters or physical structures will fail to adapt. And there are plenty of predators and criminals ready to pounce on those that fall behind the pack.
For more “how tos” on risk management and successful incident response planning, use this Pragmatic Security Event Management Playbook to identify possible gaps and ensure crucial steps are followed to contain and control damage and quickly return to normal operating conditions.