Q: How is the COVID-19 outbreak affecting companies from a cybersecurity perspective?
A: Many organisations haven’t really adopted agile or remote working before, but are now effectively being forced to tell employees to work from home. One of the big risk factors, especially when companies share data with external parties, is the security of end-devices. If a device is within your corporate policy, it hopefully has the basics such as patching, anti-virus, monitoring and a secure VPN already configured. But if staff or suppliers are connecting from a third-party device, including personal computers, they are much less likely to have the same protections. This can open companies up to the same range of threats as home users, such as unsecured wifi and routers that haven’t had their default passwords changed. By doing so, companies are increasing their potential attack surface and are increasingly vulnerable to the kinds of opportunistic cybercriminals who look for easy targets.
Q: How important is it that organisations consider cybersecurity a core business risk, rather than just something IT is worrying about?
A: We’ve been saying for some time now that businesses should always think of cyber as a core business risk, not just something for IT to worry about. Our own research found that three out of four mid-market firms have suffered some kind of cyberattack in 2019, and that was prior to COVID-19. The board must view cybersecurity as an ongoing risk and be aware that 80 per cent of all known threats can be fixed with basic cyber hygiene. This isn’t about telling companies they need to spend millions on expensive software. People tend to be the soft underbelly of organisations, so it’s simply about making sure those who are working remotely have sensible, pragmatic and proportional controls in place and are aware of the threat.
Q: What is your advice to companies in terms of what controls should be in place?
A: The natural response will often just be to make sure everything is available remotely, but blanket access could have damaging consequences. On the flip side, trying to lock down access to everything is not the right approach because employees still need to be productive and many will find ways around it anyway. Instead, companies must think carefully about what access they really need to provide and how they’re monitoring that. They also need to ensure they have an incident response plan in place. The cyberthreat level is likely to increase further before it returns to normal, but if you have a strong incident response plan that can work remotely then you’re in a much stronger position.
Q: Beyond these physical controls and systems, how can organisations ensure staff are aware of the right things to do while working from home?
A: Awareness is vital. The entry point to many attacks or breaches is staff simply not paying attention to a password policy, not patching their systems or falling for various phishing emails. We’re seeing a big increase in cybercriminals enticing people to open links posing as important information relating to COVID-19, so it’s important they know how to spot them. A lot of this must come from top-down leadership and impactful messaging. You have to find ways to efficiently communicate with and engage your staff, and make sure people are leading by example. It may be that a short phone call from seniors or team leaders is much more effective than emails that are going to be ignored.
Q: How is Grant Thornton helping companies deal with cybersecurity through this challenging period?
A: We’re absolutely advising prudence, not panic, and we’re able to support companies both proactively and reactively. Proactively, we help them understand their risk and identify pragmatic and proportionate steps to reduce this. On the reactive side, we have a large incident response team to help people who think they may have been hacked. The key is quickly understanding if there has been a real compromise and, if so, what data has been affected. Our experienced investigators use forensic techniques to tell you exactly what has been touched. However, it’s most important to reiterate that COVID-19 is not the first major risk businesses have faced and it won’t be the last. This just reinforces the importance that cyber is aligned to core business resilience at all times.
For more information please visit grantthornton.co.uk/services/risk/cyber-advisory