CyberCube - Cyber Insurance Analytics

Coronavirus & IT Risk - Is the Pandemic Creating New IT Norms?

Written by Darren Thomson | Apr 21, 2020 7:45:00 AM

As mentioned in previous blogs, my colleagues at CyberCube and I are currently conducting research to model the likely effects of the coronavirus pandemic in both the short and the long term through the lens of IT-related (cyber) risk.

In this blog, I want to explore the idea that some things may not return to the way they were prior to the coronavirus outbreak. In particular, I want to examine the use of digital resources and the application of IT to our work and personal lives and how the pandemic could change the way that we use technology in the long term. In researching this blog, the sheer quantity of affected domains turned out to be larger than I had first imagined and, for that reason, this blog will be spread over two parts. This first part will explore potential changes to individual behaviour (how we, as individuals, might change our technology-related habits). Part two will focus on how businesses might use technology differently.

So, to the subject at hand. What good, bad and just “different” things might come of the current pandemic from a behavioural standpoint and at the individual level?

“I quite like it at home, I think I’ll stay”

As discussed in one of my previous blogs, the current pandemic has forced many individuals to self-isolate and, as a result, to do their work from home. This brings with it certain security and risk challenges and requires a new way of thinking in terms of keeping these users and their data secure. Although home working has been “a thing” for large numbers of workers in the past (a 2018 survey suggested that around 70% of professionals globally worked from home at least once per week prior to recent events), it seems that home working is here to stay even after the coronavirus crisis subsides.

In a 2019 survey, 99% of people said that they would prefer to work from home. It seems likely that those who worked from home from time to time prior to the pandemic might realise that this can be an effective way of working on a more regular basis. More significantly, those who never worked from home have now been forced to find ways of doing so (and some may even like it)! There is a proven psychological principle behind all of this - “behavioural immune systems” have evolved with our species and are triggered in times of pandemic. These systems of behaviour evolved to help us to modify our social interactions to minimise the spread of disease instinctively and the “better safe than sorry” response associated with this type of behavioural change can be quite crude (like staying at home).

It is likely that any increase in the volume of remote workers that is seen in the coming months will not be matched by new IT and security governance from their employers. Most companies will likely support home working by simply “allowing it”. This is not the same as the creation of extended governance to ensure alignment of risk to preferred risk tolerances. We should expect cyber criminals to move rapidly to take advantage of these swings in behaviour.

Interestingly, “flexible working hours” are the attribute of home working that most people are attracted to. That brings us neatly to our next point…

“The 9 to 5 is so 2019”

With increased remote working comes increased flexibility in working hours. As organisations realise that they can often derive more productivity from employees who are working from home, they also realise the quality and timeliness of deliverables are more important than the specific times used to deliver them. At the individual level, remote workers will take advantage of this dynamic to improve their work/life balances and to ensure that they work when they are most able. However, there can be disadvantages here for the individual. Many existing home workers complain of not being able to switch off from work and of working hours bleeding into personal time.

From the perspective of cyber risk, there are potential consequences here, too. For one, more limited differentiation between “work” and “play” can decrease the level of attention given to keeping systems and data secure. Furthermore, too many hours worked with too few breaks can result in fatigue which, in turn, can lead to mistakes being made. Hackers have been known to attack at times when targets are at their most vulnerable and this expertise is likely to be applied in innovative ways when attacking a remote workforce.

“I love my cloud… my way”

As individuals have moved to self-isolation and, therefore, to increased usage of cloud resources, they have also been exploring the possibilities that cloud computing brings. Importantly, they have been doing this largely without oversight or governance from their employers. My previous blog focusing on home working highlighted some of the issues here. Within weeks of the coronavirus “lockdown” and just within the confines of my own house, a whole host of cloud applications that I had never heard of were under discussion and in use. Of course, as far as the teenagers in the house were concerned, many of these innovations were old news (sometimes, over three weeks old)! Some applications were fairly pointless and others were actually pretty useful. Applications, in particular, that allowed the exploration of new and interesting ways to share information became very attractive and it’s easy to see how, over time, these could become part of an individual’s working practices.

So, what’s the problem here? Innovation in the cloud has allowed us to become more communicative and productive, right? Maybe. Very likely, the applications adopted will have fallen outside of what an employer would deem secure and reliable (one only has to look at the recent security issues experienced with the “Zoom” application to see this dynamic first-hand). Post pandemic, individuals are going to have taken cloud usage to a new level of breadth and complexity and corporate governance will be found trailing behind. This will likely lead to many applications being used by employees falling outside of normal corporate standards and testing and, as a result, they will fall short from a security and risk perspective.

“I’ll just pop upstairs to the shops”

Prior to coronavirus, the high street was already under immense pressure to compete with online retailers. In 2019 alone, high-street giants such as Mothercare and Debenhams either closed up shop for good or fell into administration whilst others (including Tesco, HMV and Boots) made significant cuts to their stores and staff numbers. The current pandemic is predicted to further exacerbate this dynamic and online retail is expected to grow as a result. There will likely be a distinction here between food supply and “non-essential retail”. The food retailers are currently experiencing “a second Christmas” with demand outstripping supply significantly. Predictions are that this will largely return to normal once the pandemic is over with perhaps a slight uptick in online food retail numbers.

Non-essential retail will be a different story. It’s likely that this part of the retail sector will be hit hard as people “hunker down” and reduce their expenditure to a minimum. As we emerge from the pandemic, however, people are likely to shop for non-essential items with new vigour and they will now be experts online, carrying high expectations related to online shopping for favourite brands. My prediction is that retailers in this sector will need to innovate early in order to prepare for this change in consumer behaviour.

What does this mean for cyber risk? Well, very well-established cyber-criminal behaviour such as “formjacking” (the “scraping” of credit card information from web-forms), “spoofing” (taking consumers to a malicious site that looks identical to the retailer) and “phishing” for financial credentials should be expected to grow in severity, frequency and complexity as we move through and out of the coronavirus pandemic.

“It will be great to see you, gran. What’s your Skype ID?”

The elderly, perhaps more than any other demographic, are terrible victims of the coronavirus outbreak, not just from the perspective of physical health but also from the perspective of mental welfare. A lack of connection with family and friends is an awful consequence of self-isolation for this group in particular and, in many cases, technology will have come to the rescue. Digital adoption within the 65+ demographic has always been relatively small, with technology being seen as too complicated to use and interest in devices such as tablets and smartphones generally being lower than in other age groups. Of course, the coronavirus pandemic and associated lock-down is changing all of that. In many cases, family members are purchasing devices for their older relatives and putting the effort in to get them up and running in order that they can communicate with pictures as well as words. As a consequence of all of this, it seems likely that this demographic will gain more and more competence through the use of digital devices and will, themselves, leverage technology to a far greater degree.

Once again, this is an “in” for the cyber-criminal. They will know that the older among us will often struggle enough in just learning to use technology for advanced communication and online shopping. Layering on security and privacy training will often not happen quickly, if at all. It seems likely, therefore, that we could see a new wave of financially-motivated cybercrime targeting this part of the population through and on the other side of the pandemic.

From a great crisis typically comes great change, sometimes for the better and sometimes for the worse. Hopefully, there are some topics here to think about as you plan for your future and protect yourselves and your loved ones in an increasingly disrupted and digital world.