Coronavirus Covid-19 and the Future of Cybersecurity

Briefing

The global covid-19 pandemic will have lasting effects. It will transform information security practices and cybersecurity.  These adjustments and the pace of change will depend on individual business sector norms, end user demands and workforce demographics. Seismic changes are now inevitable in the medium to longer term because of the shift in working practices, the rise in cyber threats and the economic challenges that will face many companies and organisations. Although there will be various overarching themes, the following five trends stand out:

  1. The rise and rise of Working from Home and Teleworking

For the largest companies and organisations that now allow hundreds and thousands of staff to work from home, by default, the cybersecurity challenges are enormous and ever evolving. The rise in ransomware and phishing attacks have been the most obvious challenges requiring new forms of training, policies and procedures and closer network monitoring. The rise in network access points and endpoints and the use of personal devices (Use Your Own Device) to access corporate networks have expanded the threat surface, increased the likelihood of human error and created stocks of unpatched and less-secure endpoints. While cybersecurity teams can find ad hoc solutions in the short term, the medium to longer term will require the increase in zero trust practices and the intensive use of new data loss prevention policies, services and tools. Specialised training in remote-working data protection compliance and staff training to avoid social engineering will need to be imbedded.

  1. The unlocking of Video Collaboration

One clear effect of Covid-19 has been to greatly increase the use of video conferencing and multimedia collaboration tools. Applications and services that are white-listed on corporate networks and adapted by companies and organisations do not pose unmanageable risks. However, the main risk arises from collaboration and video conferencing software and applications that sit outside of corporate networks, but are readily available, easy to use and popular. A number of these applications were not built for the enterprise but were consumer-focussed products and services which have poor data protection, General Data Protection Regulation (GDPR), California Consumer Protection Act (CCPA), information management and weak cybersecurity standards and practices. Information security teams will need to have an answer to staff and teams that use these services and rely on the utility and convenience. Organisations should actively test these products and services against relevant industry standards and the organisation’s own cybersecurity risk appetite. New governance standards and rules should be applied to mitigate risks. Vigilance is key, even for services that sit outside the corporate network, but are increasingly used for business activities.

  1. Cyber Resilience

Covid-19 has brought cyber resilience to the forefront, both as a tangible corporate aim and as an ongoing state of dynamic vigilance. Resilience is no longer a distant intention, but results from blending cybersecurity strategy, business continuity and disaster recovery objectives into a holistic set of principles and measurable outcomes. This analysis must also include considerations of the insurance in place for physical assets, cyber assets, intellectual property assets, data assets, know-how and personal data. The pandemic is also a signal that companies and organisations must see cybersecurity resilience through the prism of multiple emerging threats such as climate change, unusual weather events, terrorism, future epidemics, wars, civil unrests and high value persistent state-sponsored hacktivism.

  1. Scrutiny of Future Supply Chain Security

Covid-19 has exposed the frailties of just-in-time supply chains and the reliance of excessively long supply routes. Future supply chains will be judged for their cybersecurity resilience, cyber insurance protections and effectiveness. Cloud services and hosting will be asked to provide greater cybersecurity assurances and evidence of their business continuity and disaster recovery plans. Information security teams will increasingly develop second and third preference suppliers and explore the ability of new providers to step in, augment, or take over information technology services. It is also inevitable that information security suppliers will be held to higher standards of compliance to international information security certifications, cybersecurity best practice, sector norms, information management and data protection standards. Supply chain information security risks will receive greater scrutiny from boards and senior leaders.    

  1. The Future of Digital Transformation

The focus of digital transformation will move way from broadly defined aims of efficiency, innovation and cost savings. The new and emerging metrics driving digitisation will be elasticity, scalability, cybersecurity resilience, ease of adoption and maintenance (leading to long term savings). The adoption of Cloud services, especially Infrastructure as a Service (Iaas) are set to increase, driven by cybersecurity concerns and the need to increase cyber resilience. 

Cybersecurity: Focus on Ireland’s National Cyber Strategy

Briefing

Ireland is an important player in the global digital economy. According to the Commission for Communications Regulation (“ComReg”) and other estimates, 30% of the European Union’s data are hosted in Ireland. The Republic of Ireland ranks 7th out of 28 EU member states in the European Commission Digital Economy and Society Index (DESI) 2019. It is a leading country in the EU for the adoption and use of digital technologies. Several of the world’s largest technology companies are headquartered in Ireland, where many of their data centres are located. At the end of 2019, the Irish government published its second National Cyber Security Strategy for 2019 – 2024, to increase its cybersecurity readiness and resilience. Security of Ireland’s network and information systems is important for economic growth, investment, trust, national security and innovation.  

A cybersecurity Journey  

A key proposal is to develop Ireland’s National Cyber Security Centre (NCSC), increase incident monitoring, respond to incidents and threats and work with the Defence Forces and the Gardai (Police) on critical national infrastructure issues. There is also a growing realisation that cybersecurity resilience, national security and critical national infrastructure should embrace new partnerships between the public sector and private sector. ComReg recommends allowing intelligence on threats to national security to be shared between Irish state agencies and the private sector. Access by private companies to intelligence on national security risks is seen as the best way to guarantee and secure telecoms networks in Ireland.

Key elements of Ireland’s National Cyber Security Strategy 2019-2022

The strategy’s main objectives are to:

  • Continue to improve Ireland’s ability to respond to and manage cybersecurity incidents, including those involving national security
  • Identify and protect critical national infrastructure by increasing its resilience to cyber attacks and ensure that operators of essential services have appropriate incident response plans to reduce and manage disruptions to services
  • Improve the resilience and security of public sector IT systems to better protect data and the services that people rely on
  • Invest in educational initiatives to prepare the workforce for advanced IT and cybersecurity careers
  • Increase business awareness of the need to secure their networks, devices and information and to drive research and development in cyber security in Ireland, including new technology investment
  • Continue to engage with international partners and international organisations to ensure that cyberspace remains open, secure, unitary, free and able to facilitate economic and social development
  • Increase the general level of skills and awareness among private individuals about basic cyber hygiene and support them with information and training.

The strategy’s other key deliverables include the appointment of Cyber Attachés to Ireland’s key foreign diplomatic missions, ratification of the Budapest Convention on Cybercrime, expanding the current Threat Sharing Group (TSG), refining existing arrangements with the UK on information sharing and incident response and providing support to Cyber Ireland to develop a Cyber Security Cluster of industry, academia and government.

Action Plan: Monitor progress, review outputs and evaluate results

Companies, organisations, the public sector and investors must monitor the implementation of the strategy. The Irish government’s overall budget for this strategy has not been published. Priorities within the strategy for each major objective has not been fully outlined. The role of Small and Medium Sized Enterprises (SMEs) and their position in supply-chain cybersecurity resilience, should be monitored as this is underdeveloped in the strategy. The key question is whether Ireland’s NCSC will become a larger, more confident and technically well-resourced cybersecurity champion in the coming years. 

Ireland’s data protection approach should also be monitored in conjunction with the National Cyber Security Strategy. Ireland’s Data Protection Commission (DPC Ireland), the data protection and General Data Protection Regulation (GDPR) regulator received a total budget allocation of €16.9 million for 2020, which included a less than requested budget increase. The quadruple challenges of Brexit, coronavirus covid-19, the post-election uncertain government and a cooling Irish economy in the second half of 2020 will directly affect the immediate implementation of the strategy.

1 7 8 9