When COVID-19 swept across the globe in 2020, it also exposed businesses to an epidemic of cybersecurity and data privacy threats, with criminals taking advantage of the chaos to attack vulnerable targets. These once-in-a-generation developments have major implications for audit executives charged with protecting corporate assets.
What began as a public health disaster swiftly turned into a financial and societal cataclysm, impacting businesses on four important fronts:
- Business models. Organizations have had to navigate a seismic shift in how they operate to enable a primarily remote workforce while managing the intersection of this virtual workplace and a world of cyber threats targeting their employees. At the same time security leaders must continue to strengthen their lines of defense against the risks and vulnerabilities that accompany digital transformation.
- Security safeguards. Businesses need to button up their security safeguards to reflect the vulnerabilities. This includes hardening software applications and networks while educating employees on how best to defend against sophisticated attacks, using better training, innovative technologies, and overall good decision-making practices.
- Privacy compliance. Privacy regulations and legal mandates across the US and around the world keep moving forward, with many calling for more stringent requirements in the wake of COVID-19.
- Global cyberthreats. Organizations have also been forced to step up monitoring and enabling business resiliency in the face of global threats, including a nation-state cyberattack of unprecedented scale, which has penetrated scores of US federal agencies and tens of thousands of private entities.
Adapting Your Business Model to Support a Remote Workforce
A remote work environment is here to stay. And as COVID-19 restrictions are lifted, many businesses are expected to adopt a hybrid remote work for their return-to-office strategy.
Even before the pandemic, many businesses had begun evaluating and adopting tools and technologies to enable a virtual workplace, driven by business operations moving to the cloud and the almost universal desire among employees for more flexible work arrangements. In 2019, nearly half of US employees worked remotely at least one day a week,1 and 98% of US employees sought some type of telework arrangement for the remainder of their career.2
With the hyper-spread of COVID-19, the demands placed on company networks, bandwidth and digital infrastructures exploded practically overnight. Most IT departments did not have enough time to set up remote workers—at least to the degree necessary—before everyone was sent home. IT infrastructures that historically focused on customer-interfacing and supply chain management capabilities, now have the added challenge of enabling a virtual workforce.
Stepping Up Security Safeguards
The sudden disruption to work environments not only expedited digital transformation plans by three to four years, but also created a virtual playground for cybercriminals by exponentially increasing the number of potential targets.
Malicious actors are exploiting employees to gain access to personal data and corporate intellectual property by compromising individuals’ access controls and credentials—with hackers now attacking computers and networks every 39 seconds.3 This new environment has also triggered a 600% spike4 in email phishing attacks, which subsequently led to a 139% uptick in ransomware attacks5.
Based on our 2020 Cybersecurity Audit observations, many organizations were simply not prepared for the cybersecurity impact of the COVID-19 pandemic. For example, remote work policies and processes were outdated or hastily drafted. And many business continuity plans (BCPs) were not properly set up or adequately tested. (If you haven’t done so already, now’s a good time to revisit your own BCP.)
Other weaknesses include:
- Lack of data inventories and/or lack of details within inventories to enable regulatory compliance
- Lack of policies and standards for identity and access management
- Lack of controlled use of admin privileges or segregation of duties
- Lack of standards and procedures for periodic review of third-party/vendor access credentials
Keeping Pace with Privacy Regulations
As organizations pivoted rapidly to a remote workforce, many hoped there would be a reprieve from the deadline for California Consumer Privacy Act (CCPA) compliance. The timeline not only remained tightly in place, but additional requirements followed with the passage of the California Privacy Rights Act on November 3, 2020. As a result, many businesses struggled to defend their networks and applications from the growing threat of cybercriminals while concurrently attempting to move their privacy compliance strategies forward.
Global Cyberattack Compromises an Already Treacherous Landscape
As if a global pandemic causing the largest remote workforce in history and a rise in cyberattacks weren’t enough, the discovery of a foreign nation-state’s attack on the US federal government dealt another devastating blow.
By the end of 2020, a supply chain cyberattack exploiting software from three US companies was also discovered. Hackers—believed to be backed by the Russian intelligence agency—used multiple attack vectors to gain access. Among them, they accessed SolarWinds network software, Microsoft cloud services, and VMWare products by inserting malicious code into SolarWinds’ Orion software update, which unknowingly packaged the Sunburst malware inside a trusted product.
Later called the worst cyber-espionage assault on the US in history, given the targets and the sensitivity of information compromised, the SolarWinds attack had gone undetected for 8-9 months. It caused a ripple effect across US federal departments and agencies, as well as thousands of private-sector systems using the Orion software. At the time the attack was discovered, SolarWinds had about 300,000 customers—nearly all of the Fortune 500 companies. The gravity of the cyberattack and the impact on all facets of US government and corporate operations will take months to fully realize.
Auditing Your Cybersecurity Posture
After a year of COVID-19, remote working trends, cyberthreats and other emerging issues of 2020 are influencing how chief audit executives finalize their 2021 audit plans from three viewpoints.
- Businesses will continue to heed some level of remote work requirements in the near-term, even as COVID-19 restrictions begin to lift. That said, understanding the impact of a hybrid approach of telework and return-to-work strategies may require reviewing an evolving set of cybersecurity and human resources policies, processes and standards for employees and IT departments.
- Now that employees (and businesses) have demonstrated their ability to remotely deliver products and services to the marketplace, organizations need to consider how employees have reshaped the work environment and its impact to the threat landscape, including vulnerabilities and risks that accompany it.
- With cybercriminals attempting to hack networks every 39 seconds—not to mention more brazen foreign nation-state cyberattacks—it’s critical that organizations routinely stress-test their cybersecurity controls associated with people, policies, processes and technologies to protect their corporate “crown jewels” and critical assets.
Top 10 Audit Considerations for 2021
We now have a much clearer picture of what the 2021 threat landscape might look like—and how audit executives should prepare 2021 audit plans to test the efficacy of cybersecurity safeguards and controls. Based on the cyberaudits we performed in 2020, here are our top considerations for 2021 audits.
- Physical and logical access controls
- Hardware and software asset inventories
- Data inventory management
- Identity and access management controls
- Virtual private network (VPN)/remote access
- California Consumer Privacy Act and California Privacy Rights Act
- Third-party risk management and vendor contract management
- Patch management
- Business continuity planning
- Role-based and remote work training
To fully benefit from lessons learned during the pandemic, your 2021 audit plan should not only reflect the new landscape of vulnerabilities, threats and risks, but also identify opportunities to enhance controls and provide greater confidence in their efficacy.
1 in 2 employees won’t return to their job post-COVID unless they can keep working remotely. – Owl Labs4
After a year of shelter-in-place orders and employers managing virtual workforces, we’re seeing signs of a permanent shift in the way we work. Nearly 77% of US employees are now working from home full time. And half say they don’t expect to return to their job post-COVID if it doesn’t offer attractive remote work options.6 Let that sink in for a moment. Make no mistake, it’s a historical shift that’s here to stay, impacting the corporate landscape. Strengthening IT strategies and cybersecurity programs will play a critical role in ensuring future success. And the sooner steps are taken, the better.
Need help with your 2021 cybersecurity audit planning? Let’s talk.
1 Owl Labs, State of Remote Work 2019
2 Buffer, State of Remote Work, 2019
3 University of Maryland study
4 IT Security Guru, 600% increase in COVID-19 related phishing attacks
5 Tripwire, The State of Security, Review of Ransomware in 2020
6 Owl Labs, State of Remote Work 2020