Whitepaper

Top Security and Critical Event Management Challenges of the Post-COVID Era

Noggin

Security Management

Published May 21, 2024

Security and critical event management in the post-COVID era

COVID has had a disorienting effect on the business world. Organizations, unprepared for a long-lasting public health event, quickly went into crisis mode.

Remote work became king. Many organizations, formerly accustomed to sporadic work from home arrangements, had to accommodate their entire staff to working remotely.

IT was front and center, facilitating the transition admirably.

Unfortunately, though, there were bumps along the way.

Rates of cyberattacks skyrocketed[i] in the first months of the COVID crisis. Attackers sensed the opportunity unleashed by a broad new attack vector replete with unsuspecting, untrained victims.

Nor did the extended new normal of COVID offer much succor to firms. Ransomware, for one, became a keen threat, with the potential to cripple organizations.

In too many instances, this potential became reality. High-profile attacks shut down the Colonial Pipeline, JBS USA, Kronos workforce management services, and many, many more.

Coming into the post-COVID era, there’s hope that ransomware attacks themselves have abated. In 2022, for instance, analysts reported a steep decline of 24 per cent in ransomware detections from early 2021.[ii]

Problem solved? Not quite.  

Experts might concede a reduction in the number of ransomware attacks, but the post-COVID security and critical event management picture, they caution, is likely to be marked by an increase in attack sophistication.

Indeed, cybercrime is becoming a business – a big business at that. The World Economic Forum in its Global Risks Report puts the cost of cybercrime north of USD 6 trillion.

That price tag will only grow as hackers develop techniques to extract maximal pain from targets. For instance, analysts have noted a change in business model towards “extortion without encryption,” i.e., simply exfiltrating sensitive data and demanding ransoms to keep that data private; this is what we saw with the Optus incident at the end of 2022.

Ransomware as a service (RaaS) is also becoming increasingly popular. For those who aren’t aware of this security and critical event challenge, RaaS is the offering of pay-for-use malware.

The author of the ransomware makes that software available to customers dubbed affiliates, who themselves often lack technical skill, but can use the software to hold people’s data hostage.[iii]

The advantage, here, is that the malware author can scale earnings from the purchased software while off-loading personal risk to those who perpetrate the final crime.

In fact, it’s the scaling of potential criminals that’s of greatest concern to organizations. Not just from private criminals, either. Cyberattacks are also being conducted by state actors, perpetrating operations to achieve geopolitical objectives.[iv]

Per expert opinion, the volume of cybercrime will continue to rise alongside geopolitical tensions, as well as increasing access to cryptocurrencies and dark money, and the generalized instability unleashed by the pandemic.[v]

If only this business model were the only security and critical event management challenge organizations face in the post-COVID world. It’s not, though. The guide will detail the remaining challenges.

Cyber compliance grows more complex

The rise in cybercrime, particularly attacks on critical assets, has provoked a backlash from policymakers and regulators, who have stepped up efforts to keep sensitive data safe.

Many of these efforts predate the pandemic, such as the data privacy regime. These regulatory regimes, however, are expanding precipitously and including more and more organizations, such that if forecasts bear out, we shall soon see two thirds of the world’s population covered by data privacy regulations.[vi]

In 2023, for instance, five states will roll out their comprehensive consumer privacy laws.[vii] The previous year, at least 40 states and Puerto Rico introduced or considered more than 250 bills or resolutions that deal significantly with cybersecurity, according to the National Conference of State Legislatures.[viii] Of those, 24 states enacted at least 41 bills in 2022.

National regulators like the Securities and Exchange Commission (SEC) are increasingly proposing new disclosure requirements on regulated entities, as well.[ix]

Overstretched cybersecurity personnel

Some of these requirements are simple to adhere to, e.g., disclosing policies and procedures to identify and manage cybersecurity risks. Others are more onerous. The timely reporting of material cybersecurity incidents and follow-up reporting come to mind.

Many organizations, after all, don’t know when they’ve been breached. Which brings us to another security and critical event management challenge – a lack of manpower and capability among overstretched cybersecurity personnel.

Even before the pandemic, “Security Officer Turnover/Retention” had become a top five issue for security leadership, with security leaders decrying a lack of deep relationships with personnel.

In the post-COVID world, there’s an added wrinkle. The sharp rise in cyber-attacks has produced an even sharper rise in data alerts that security personnel must triage.

Indeed, more than half (56 per cent) of large companies handle at least 1,000 alerts per day.[x] Not all data alerts are created equal, though.

The data in the alerts is often considered too granular to be actionable. Coming from noisy sources, the data is often wrong or misleading, leaving responders tilting at windmills or jumping at shadows.

And one of the more acute challenges is the frequency of data alerts. The increasing pace of automatic notifications has created alert fatigue among overworked personnel.

How bad has the issue become?

In 2021, the International Data Corporation (IDC) issued a report on the effects of escalating cyber alerts on cyber response.

The numbers weren’t pretty. Well over eight in every ten cyber security professionals say they are struggling to cope with the sheer volume of security alerts.[xi]

That’s no surprise. Surveyed staff reported spending more time (32 minutes) on alerts that turned out to be false leads than on actionable alerts.[xii]

As a result, more than a quarter (27 per cent) of all alerts were ignored or not investigated in mid-sized corporations.[xiii] Slightly larger organizations (1,500 to 4,999 employees) saw personnel ignore nearly a third of all alerts.

Beyond that, alert fatigue is further complicating recruitment and retention of security personnel. Employees, particularly Security Operations Center (SOC) staffers, acknowledge not wanting the thankless task of wading through innumerable data alerts, many of which turn out to be red herrings.

Physical security

The varying permutations of the cybersecurity challenge are likely to have already been on everyone’s radar. Less likely, though, is the reality that cyber threats exacerbate human threats.

Corporate security budgets were slashed at the beginning of the pandemic. And despite subsequent increases, budgets have yet to reach 2019 levels.[xiv] The threat of recession is likely to exert downward pressure on budgets, as well.

Commercial building security funding has also atrophied with less demand for tenancy.

Corporate security, as such, is expected to perform its function with fewer resources, even though fewer workers in offices only increase the relative level of risk to the lone workers left behind.

Just like lone workers, (more) isolated physical assets are more challenging to secure, as well.

Indeed, things have always been this way. Goods are often stored in sprawling warehouses and lots, in older spaces not designed with modern threats in mind.

These vulnerabilities have long represented an alluring target for property crime and burglaries.[ii] In the U.S. construction industry alone, anywhere between USD 300 million and 1 billion a year is lost due to the theft of equipment and other high-value materials, according to the National Insurance Crime Bureau.

Already last decade, a drug-trafficking group was able to exploit lax physical security at port facilities in Antwerp, Belgium. Physical access to the port facility then allowed the group to install tracking software from the inside.[xvi]

Supply chain

Such stories throw into relief the overlap between security and critical event management challenges and broader issues of supply chain integrity, as supply chain disruptions and attacks soar.[xvii]

Suppliers have become disintermediated and logistics networks more complex. As a result, it’s much harder to gain insight into the security processes at the higher rungs of a given supply chain.

Indeed, 90 per cent of firms do not formally quantify risk (security or otherwise) when sourcing production; only a quarter of companies’ end-to-end supply chains are being assessed in any way for risk.[xviii]

The vulnerabilities were there even before the pandemic-induced supply chain crisis.[xix]

The supply-chain challenge isn’t just about physical assets, though. Organizations also use third-party platforms which might carry vulnerabilities that attackers can exploit to gain access to victim environments.

The challenge is clear; Gartner predicts that 45 per cent of organizations will experience attacks on their software supply chains – three times as many as in 2021.[xx]

The challenge of complex crises

The greatest security and critical event management challenge of them all, however, is the likelihood of a complex crisis, which we saw realized with the aforementioned Optus incident.

That incident raised the more global question of whether at-risk organizations are making the necessary improvements to their resilience capabilities to mitigate the effects of complex security and critical event incidents.

The data tell a mixed story.

Resilience surveys, such as that published by BCI in 2022[xxi], bespeak increased adoption of resilience practices. When polled, over three quarters of organizations reported either having or developing an operational resilience program.

But far from keeping pace with the deteriorating security and critical event risk climate, the preparations many of these companies have in place remain inadequate.

In turn, resilience practitioners are sounding the alarm, worried that staffers don’t have the requisite knowledge or resources to lead the necessary transition to a more strategic, customer-centric resilience approach.[xxii]

One reason why is that significant risk is being ignored.

In the case of the Optus breach, for instance, media sources contend that crisis simulations at Optus focused on the network outage scenario to the detriment of the data breach scenario.[xxiii] That’s even though Optus’ own filings called out cyber security as a significant risk, too, with a major data breach likely to trigger customer backlash, litigation, and fines.

Strategies to mitigate the challenges to security and critical event management

This failure to prepare for complex disruptions is becoming a signal challenge to security and critical event management. Again and again, organizations pay lip service to the risks posed by complex disruption but fail to plan adequately.

How to avoid getting caught flat-footed in the post-COVID world?

One step is to make a security and critical event management plan to act proactively. And to this end, firms should look to companies who’ve done things right as models of resilience best practice.

One such company is Toyota. In the aftermath of the 2011 Fukushima disaster that crippled its production and supply chains, the automaker updated its contingency plan, requiring suppliers to stock anywhere between two and six months’ worth of chips.[xxiv] This left the automaker better prepared for the post-pandemic supply crisis than its competitors.

Pursuing such a proactive resilience strategy in security and critical event management is possible for all organizations.

How to go about it?

It’ll take a mindset shift away from preparing exclusively for short-term security incidents and critical events toward getting serious about foreseeable, complex disruptions, especially those likely to last for long durations.

Following from this shift, companies can implement common-sense measures to safeguard security and provide effective critical event management. The measures include:

  • Tackling complex scenarios (whether large data breaches, pandemics, thorny reputational crises, or others) as standalone threats, i.e., by developing dedicated scenario plans for each.
  • Treating the resulting plans as living documents, i.e., testing plans regularly (at least every two years or after a major organizational change) to ensure they will be effective in a disruption and that staff knows how to use them. 
  • Ensuring all business continuity and/or resilience plans adhere to international best practice, to be focused, concise, specific, and easy to use.
  • Ensuring plans highlight organization-wide priorities and strategies and adjusting as those priorities and strategies shift.
  • Ensuring plans include clear activation criteria, so practitioners don’t lose critical time when disruption happens.
  • Ensuring plans always reflect the current operating environment.
  • Ensuring plans cover prioritized services and address the need for additional or surge resources where relevant.

Finally, companies can ill afford complacency in the post-COVID world. Security and critical event management challenges are only becoming more complex, with the disruptions they precipitate becoming longer and more costly to handle.

Mitigating these challenges, as noted, will take a policy shift away from preparing exclusively for short-term security incidents and towards complex, compounding, and often concurrent disruptions.

Here, though, companies can’t afford to wait. As too many companies have learned, the security and critical event threat waits for no one.

Managing complex risk, therefore, calls for integrated resilience management software to expedite implementing best practice. These integrated platforms serve the purpose of managing any business or community disruption within one system, cutting down cost and increasing familiarity.


Sources

i Fintech News: The 2020 Cybersecurity stats you need to know. Available at https://www.fintechnews.org/the-2020-cybersecurity-stats-you-need-to-know/.

ii ESET Guest Blogger, Informa: The Ransomware Threat: Is It Decreasing — Or Retargeting?. Available at https://www.channelfutures.com/from-the-industry/the-ransomware-threat-is-it-decreasing-or-retargeting#.

iii Sean Michael Kerner, Tech Target: Definition: ransomware as a service. Available at https://www.techtarget.com/whatis/definition/ransomware-as-a-service-RaaS.

iv Madeline Lauver, Security Magazine: Security budgets may double or triple in 2022. Available at https://www.securitymagazine.com/articles/96802-security-budgets-may-double-or-triple-in-2022.

v Ibid.

vi Gartner: Gartner Says By 2023, 65% of the World’s Population Will Have Its Personal Data Covered Under Modern Privacy Regulations. Available at https://www.gartner.com/en/newsroom/press-releases/2020-09-14-gartner-says-by-2023--65--of-the-world-s-population-w.

vii Gary Kibel, Reuters: New privacy laws in 2023 — considering draft regulations. Available at https://www.reuters.com/legal/legalindustry/new-privacy-laws-2023-considering-draft-regulations-2022-11-16/#:~:text=November%2016%2C%202022%20%2D%20There%20are,%2C%20Colorado%2C%20Utah%20and%20Connecticut.

viii National Conference of State Legislatures: Cybersecurity Legislation 2022. Available at https://www.ncsl.org/technology-and-communication/cybersecurity-legislation-2022.

ix U.S. Securities and Exchange Commission, SEC Proposes Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies. Available at https://www.sec.gov/news/press-release/2022-39.

x Staff, Dark Reading: 56% of Large Companies Handle 1,000+ Security Alerts Each Day. Available at https://www.darkreading.com/risk/56-of-large-companies-handle-1-000-security-alerts-each-day.

xi Paul Kelly, Open Access Government: Cybersecurity strategies: fighting alert fatigue and building resilience. Available at https://www.openaccessgovernment.org/fighting-alert-fatigue-and-building-resilient-cybersecurity-strategies/139904/.

xii Edward Segal, Deloitte: Impact of COVID-19 on Cybersecurity. Available at https://www.forbes.com/sites/edwardsegal/2021/11/08/alert-fatigue-can-lead-to-missed-cyber-threats-and-staff-retentionrecruitment-issues-study/?sh=1f2f3c9135c9.

xiii Ibid.

xiv Madeline Lauver, Security Magazine: Security budgets may double or triple in 2022. Available at https://www.securitymagazine.com/articles/96802-security-budgets-may-double-or-triple-in-2022.

xv European Institute for Crime Prevention and Control, Affiliated with the United Nations 2010. Available at https://www.unodc.org/documents/data-and-analysis/Crime-statistics/International_Statistics_on_Crime_and_Justice.pdf.

xvi BBC News 2013, Police warning after drug traffickers' cyber-attack. Available at https://www.bbc.com/news/world-europe-24539417.

xvii ICAEW Insights, ICAEW: How to manage the cyber security risks lurking within supply chains. Available at https://www.icaew.com/insights/viewpoints-on-the-news/2022/oct-2022/how-to-manage-the-cyber-security-risks-lurking-within-supply-chains.

xviii Lisa Harrington, University of Maryland 2017, Supply Chain Security & Risk Management: New Thinking. Available at https://www.acq.osd.mil/log/MR/.PSM_workshop.html/2017%20Files/Day2/05_Supply_Chain_Security_Harrington.pdf.

xix Ibid.

xx Susan Moore, Gartner: 7 Top Trends in Cybersecurity for 2022. Available at https://www.gartner.com/en/articles/7-top-trends-in-cybersecurity-for-2022.

xxi BCI: BCI Operational Resilience Report 2022. Available at https://www.thebci.org/resource/bci-operational-resilience-report-2022.html.

xxii Ibid.

xxiii Tim Burrowes, Unmade: Optus writes a new chapter in the crisis handbook. Available at https://www.unmade.media/p/optus-writes-a-new-chapter-in-the.

xxiv Norihiko Shirouzo, Reuters: How Toyota thrives when the chips are down. Available at https://www.reuters.com/article/us-japan-fukushima-anniversary-toyota-in-idUSKBN2B1005.
