CyberCube - Cyber Insurance Analytics

Coronavirus & IT risk - Is the pandemic creating new IT norms? (Part 2 – Business change)

Written by Darren Thomson | Apr 28, 2020 7:30:00 AM

In my previous blog, I focused on how the Coronavirus pandemic might influence IT behaviours at the level of the individual. This blog will zoom out a level and explore how these behaviours could change at the level of industry, across all vertical markets.

Firstly, I think that it is important to recognise that positive changes can come out of adversity and history provides plenty of evidence for this. Brands such as Netflix, Lego, Amazon (we’ll come back to them later) “innovated through” the 2008-2009 recession and came out the other side ready to dominate. Going further back in time and to the last major flu pandemic of 1918, this nightmare scenario actually spawned many of the national health services in Europe.

The general consensus amongst experts today seems to suggest that the tech industry may be in for some short-term hardship (particularly in the consumer markets) but that this should be followed by longer-term positivity from the perspective of both innovation and growth.

So, let’s dive in. What good, bad and just “different” behaviours might we see in terms of technology trends in business and how might they affect the risk landscape?

As we saw from the previous blog, individual behaviours as they pertain to technology are likely to change fairly significantly in the coming months, particularly as they relate to remote working, working practices (such as “hours of work”) and the use of cloud applications. These dynamics, possibly more than any other, are going to affect the way that businesses need to manage technology and, in particular, how they manage cyber risk.

“My users are more productive, but I can’t control them”

The business of cyber security strategy, governance, risk and compliance is going to need a re-think post-pandemic. Actually, it needed a re-think in any case as, prior to the crisis, working norms were changing in many industries already and reliance on technology (particularly, cloud technology – see this previous blog) was already becoming deeper and more complex in almost every vertical market.

Changes here will not simply need to be “tweaks” to existing practices so as to simply “allow” for cloud-usage, flexible working hours and remote working. Fundamental changes to security strategy will need to be implemented. As is very often the case, this will likely start with the mature organisations such as those in the financial services sector. I predict that “zero-trust” security models (essentially, a system of denying all access to networked resources until users have proven their credentials) will gain traction and will start to get proven-out through specific use cases. In addition, new security platforms and associated best practices will emerge that are built from the ground up with a remote workforce and the cloud in mind. Processes such as cyber forensics, incident response and remediation will be as capable and mature in handling security incidents remotely as they were in handling data centre-based incidents. Cyber threat intelligence, too, will expand on its traditional scope and will be enriched with data and analytics that specifically show remote workforce trends in the context of cyber risk.

All of this will need funding of course and this funding will not be easy to find on the back of the pandemic and the associated financial limitations that are bound to exist. However, over time, I predict that businesses (particularly larger ones) will find that an increase in remote working will reduce operating costs and some of these savings will be directed toward the improvement of cyber security practices (probably after the first couple of major breaches involving remote workers). As is often the case, smaller businesses will follow suit in years to come and will benefit from “economies of scale” here.

The situation here will get worse before it improves with many businesses avoiding the issue in favour of spending money to dig their way out of a financial hole, caused by the pandemic. Slowly, though, boards of directors will realise that, whilst cyber security rarely increases revenues, it does protect and sustain them.

Trouble in the small business sector

It seems likely that small business, in particular, is going to be hit hard from an economic standpoint by the Coronavirus pandemic. Early indicators show many small businesses struggling to survive and, of course, these businesses are more susceptible to failure in comparison to larger enterprises. Post-pandemic, I think that we are likely to see a number of things happening in the “Small & Medium Business” (SMB) segment, related to cyber risk.

Firstly, any business trying to find ways to make ends meet and reduce operational expenditure is likely to look for savings in security expenditure. It is just an unfortunate reality that cyber security is still viewed by many organisations as a secondary contributor to business value and this tends to be especially true in small business. In many such companies, the “security team” is one or two individuals and a staff reduction here basically means “no security team”. Cyber crime and criminal organisations who target the small business sector will, of course, greatly benefit from these changes.

These criminals are also likely to benefit from the fact that many small businesses are generally unprepared for secure home working. Unpatched operating systems, lack of security awareness training, use of unsecure home devices and poor security hygiene (poor passwords, for example) are all likely to manifest in the small business sector as more people are forced or choose to work from home in the future.

Lastly, even small businesses which had good intentions of improving security prior to the pandemic will likely change their plans and re-route any allocated budgets away from security improvement programs. According to some sources, 40% of small businesses in the US feel that economic uncertainty will prevent them from making necessary cyber security investments.

Advanced information sharing becomes second nature

If some good has come out of the Coronavirus crisis so far, it’s been our society's ability to communicate more effectively whilst we are remote from one another. Of course, technology has been the enabling factor here and we always have to bear in mind that new platforms for communication provide new opportunities and threats in fairly equal measure.

It seems to me that many business sectors may take a lead from what is going on in healthcare right now in terms of global information sharing. Defeating Covid-19 is going to rely on global cooperation at a level that is unprecedented (and that would be impossible if it were not for modern technology). Micro-organisms such as viruses have huge evolutionary advantages over humans with new generations coming into existence every 24 hours, as opposed to the roughly 25 years it takes us. Viruses cannot communicate globally, however. When we look back at the Coronavirus pandemic and the things that helped us to overcome it, it will be technology-based communication and cooperation that was the primary deciding factor in determining our fate. Lessons will be learned and replicated here in other vertical markets. If I reflect on the cyber security landscape, for example, one of the areas where this industry could have performed better in the past would have been to cooperate more fully and more effectively share information across its various constituents so as to deliver better outcomes to its business clients in the context of cyber risk reduction. I wonder what practices from healthcare, for example, the security industry could glean in the future?

A “re-think” on disaster recovery

Traditional IT disaster recovery (D.R.) strategy (sometimes referred to as “IT continuity”) involved thinking about all of the critical technology resources that the business relied upon and replicating them to ensure that, should a major physical disaster occur at a critical location, redundant IT infrastructure was on hand to take up the load. I spent a fair proportion of my career as an engineer designing such systems, which were very well funded subsequent to the attack on the World Trade Centre in 2001.

Of course, this traditional method of considering D.R. was already showing signs of age. As more and more businesses move their technology resources away from their own data centres, Cloud Service Providers (CSPs) and Managed Service Providers (MSPs) have been taking up the slack here and building disaster recovery capability into their offerings.

I think that new pressures will emerge here, post-pandemic. Many of the CSP and MSP disaster recovery and resilience offerings focus on looking after a customer’s infrastructure (servers, storage, networks and so on) and less on the integrity of their data. Of course, infrastructure really means nothing to a company; it’s data that is the “lifeblood” of any organisation. New service level agreements and capabilities are going to need to come into play to ensure that, should the worst occur, data is available and retains its integrity, regardless of where it is accessed from and where it resides.

From crisis comes innovation

As discussed at the beginning of this blog, previous crises in history have shown us that good can come from bad. As I write this blog in April, 2020 (and pretty much at the centre of the storm in terms of the Coronavirus pandemic) it is already incredible how much technology innovation is occurring in response to the current crisis. Not only are existing applications being stress-tested by huge volumes of users in the cloud but it is likely that new communication-based innovations such as 5G networks will see an acceleration, in terms of adoption (and, “no”, I do not hold any truck with conspiracy theories connecting 5G to the pandemic).

Already, advanced technologies such as artificial intelligence and machine learning are being leveraged in the search to find remedies and cures for the COVID-19 disease. The technology sector and innovation will likely get a boost from this focus on Coronavirus. Many technical innovations came out of the NASA space programme of the 1960s and 1970s. Products that we all take for granted today (from memory foam to DustBusters and CMOS image sensors) came from the innovations associated with space exploration. Similarly, it seems likely that the tech sector’s focus on assistance in healthcare right now will lead to improvements in the way we do things in IT (not least of which, in security).

As discussed in this blog and in my last one, we are going to see behavioural change happen in quite fundamental ways at both the level of the individual and at the level of business and commerce. The cyber security community should be poised and ready to both take advantage of the innovation that manifests and to defend its stakeholders in ways that were unnecessary or difficult to foresee prior to this global pandemic.