For Sean Zadig, chief information security officer at Verizon Media, COVID-19 has mandated all kinds of urgent cybersecurity chores, from defending the company’s networks against increased hacker attacks to educating the company’s largely remote workforce about phishing scams.
The company, which oversees such brands as Yahoo, Engadget and TechCrunch, found that getting widely dispersed employees to pay closer attention to security required something more compelling than the usual webinars and FAQs about safe practices. So the security staff, known internally as “The Paranoids,” ginned up a company-wide rivalry over best security habits.
The group created a dashboard that managers could use to track employee use of password management software and to compare their performance with that of other managers’ groups. Interest in the competition was so high that some executives recruited security staffers to help team members boost their usage. The extra attention was “unexpected,” Zadig says.
For many companies, coping with the pandemic has paid some unexpected cybersecurity dividends. Securing digital systems has always been considered important, but in many organizations it is one priority among many — and not always a high one. Cybersecurity teams still scramble for resources and executive attention, and information technology and business departments have often seen security as a hindrance to smooth and efficient operations.
All-hands urgency for cybersecurity
Today, with staff working remotely and hackers stepping up attacks, companies are tackling security issues with more seriousness, organizationally and culturally. Top executives are devoting more attention to making sure that security initiatives get fast-tracked, and security teams are finding new opportunities to collaborate with other departments.
COVID has even had the unexpected benefit of helping to bridge some of the institutional differences between IT and security teams. In a July 2020 survey by the Information Systems Security Association, one-third of companies said they had experienced significant improvement in the coordination between security executives, IT and other business leaders because of the pandemic.
Companies are starting to understand that security is an enterprise-wide risk management issue.
“The way that people have historically viewed cybersecurity is that it is a technical problem — there’s something wrong with a widget in the system,” says Larry Clinton, president of the Internet Security Alliance, a Washington, D.C., trade organization. “Companies are starting to understand that it’s something much larger. It’s an enterprise-wide risk management issue.”
The pandemic has also persuaded some companies to give CISOs greater access to top business leaders. At a large insurance company, according to Keri Pearlson, executive director of a cybersecurity consortium at MIT Sloan School of Management, the CISO switched from reporting to the chief information officer to the chief operating officer. This allowed the security chief to work more closely with HR managers to promote cybersecurity awareness more broadly to employees. It also enabled the CISO to collaborate with the operations staff and tighten security practices with the company’s many vendors.
At the rapidly growing Brazilian digital bank C6, the CISO recently gained direct access to the CEO and no longer reports through the company’s chief technology officer, Nelson Novaes. According to Novaes, the change helped the CISO ensure that the top boss was modeling good practices, such as using facial biometrics to access company systems.
Playing catch-up in a crisis
Mountains of evidence over the years has shown the escalating cost of cybersecurity risks: Global corporate losses from cybercrime surpassed $1 trillion in 2020, according to a McAfee report. Here’s the cruel irony: Most of those costs could be reduced dramatically with simple block-and-tackle tactics, such as staying on top of security patches. Four in 10 companies that suffered a breach in 2019, for example, were already aware of the vulnerability before it occurred, according to a Ponemon Institute survey; 60% already had the available patches, but couldn’t install them in time.
With the pandemic, these dangers have only multiplied, and long-neglected issues, such as making sure remote workers can securely access corporate networks, became harder to put off.
During the first six months of 2020, hackers launched more intrusion attempts on corporate networks than in all of 2019, according to a threat report by CrowdStrike. Threats are also much more distributed than before. Hackers have targeted both employees and supply chain partners with sophisticated COVID-related phishing emails and malware attacks. Those include fake lists of infections in a person’s neighborhood purportedly sent from the Centers for Disease Control and Prevention, websites with embedded malware selling fake face mask exemption cards, and appeals from the boss to help someone in need, to name a few.
“Security now involves so many more areas,” Clinton says. “Your legal department has to put the right security procedures into contracts to make sure your partners aren’t vulnerable. Your auditors have to check with their auditors and so on.”
Planning for the future
The pandemic has also helped to speed the rollout of new security tools, such as zero trust systems that typically require employees to use two types of authentication (such as a password and unique mobile code) when accessing company systems. A Forrester report from October 2020 found that 75% of IT decision-makers planned to accelerate or begin a shift to a zero trust security because of the pandemic, and nearly 40% said they had initiated a zero trust pilot in 2020.
“If you asked me a year ago, ‘Could you roll out a zero trust network if a pandemic hit and the company had to switch within a few weeks?’ I would have said: ‘No, that’s impossible,’” says Kevin Curran, a professor of cybersecurity at Ulster University in Northern Ireland.
Closer collaboration between IT, business and security teams has also brought some nontraditional talents into the security field. A large financial services company took the unusual step of hiring a marketing expert with no tech background for the new role of “cybersecurity evangelist,” says MIT Sloan’s Pearlson. Her assignment: find more effective ways to communicate why everyone should care about cybersecurity, especially while working at home during a pandemic.
In one simple change, the marketing chief has rebranded “cybersecurity” in her presentations, videos and emails as “data protection” to recast it as something that conveys clear value to the company, not just as an abstract concept.
“The pandemic has shined a light on the need for everybody to have a role in cybersecurity and feel empowered that they can do something,” says Pearlson. “It’s about changing hearts and minds.”