COVID-19 has accelerated the digital transformation of business as people work remotely and conduct more of their lives online. But the change is also posing profound questions about how companies boost cyber resilience and improve data security and commitments to build trust with clients.
There are at least two reasons for urgency. First, with COVID-19 far from beaten, there are clear indications that remote working is here to stay: a survey in June by Gartner, the research and advisory firm, showed that almost half the companies surveyed intended to allow employees to work remotely full time [1]. Remote work gives cyber criminals added opportunity to penetrate corporate defenses because every time employees log into company networks using their home connections and personal devices, they create a potential entry point for criminals. Home networks and personal devices are typically far less secure than office connections, and the more they are used for work, the more a cyber criminal's so-called attack surface expands.
The second factor is that cybercrime is on the rise. Attacks on individuals have skyrocketed, rising from less than 15 per cent of cybercrime in January to more than 35 per cent in May, according to CYE [2], a cybersecurity company. In April, as the COVID-19 pandemic was ripping through Europe and beyond, there was a spike in ransomware attacks, according to an Interpol report [3].
In response to these challenges, the World Economic Forum (WEF) has defined three dimensions for mitigating cyber risk, including a need for greater global co-operation through public and private partnerships and addressing the gap in skills and leadership on cyber security within organizations [4].
"Investment in cyber security personnel is crucial for today’s environment," says Lori Bailey, Global Head of Cyber Risk, Commercial Insurance, Zurich Insurance Group.
"Cyber expertise is fundamental to managing this risk at all levels of the organization."
The WEF's third dimension for mitigating cyber risk is understanding future networks and technology, both the opportunities they bring and the risks they create.
The next wave of technology in the fourth industrial revolution stands to transform the world as we know it, allowing companies and individuals to tap into new opportunities. According to PwC, the accounting and consultancy firm, the advent of Artificial Intelligence (AI) alone stands to boost global growth 14 per cent by 2030 [5].
The Internet of Things is expanding rapidly. Cisco, the US technology company, last year pointed out that the number of connected devices is set to reach 75bn over the next five years compared with less than half that number today [6]. Each one of those devices collects and shares data that is highly sensitive for individuals, companies and states.
To complement and build on WEF's guidance, Zurich Insurance Group (Zurich) highlights two additional dimensions that companies, organizations and individuals should follow to mitigate cyber risk.
Bailey of Zurich says that companies must take clear steps to prevent potential liability from multiple data-privacy laws that have come into effect, such as Europe's 2018 General Data Protection Regulation and the California Consumer Privacy Law, which took effect in 2020.
These regulations are applied based on customers' locations, which means that even relatively small companies that do business abroad could find themselves having to comply with numerous jurisdictions.
“Privacy legislation is evolving at a rapid pace,” Bailey says. “Regulations are consistently being implemented with varied notification and enforcement requirements which can make it challenging for companies operating in multiple jurisdictions.”
In response, companies should set out a plan, including investing in personnel dedicated to the challenge. They should also improve security through ongoing training programs that teach employees about opening email links and attachments and about phishing, and by improving knowledge of corporate processes and procedures.
Zurich's second dimension focuses on data commitment as a way of earning trust with clients. It is a theme the insurer has adopted itself. And it is one that fits squarely into the group's wider aim of taking actions to help people and organizations feel more confident in a digital society. As Rui Ferreira, Zurich's Chief Data Governance Officer, explains,
"we decided to go beyond regulatory compliance to ensure that when we collect, use and share client data, we do so in a transparent and ethical way."
The approach, which it recommends other companies follow, is based on four promises to clients:
- To never sell personal data
- Not to share data without being transparent
- To keep data secure
- To put data to work for the benefit of the customer
All of that requires investing in new technology to ensure that data is secure - investments that benefit its customers and form part of a long-term sustainability strategy. It also requires training staff at all levels of the organization so that data is handled safely and responsibly.
Yet for all the effort, Ferreira says that there are two clear benefits. One is that the approach goes above existing regulations, which avoids having to address each privacy law individually.
"As a global organization, it is quite challenging to manage the different levels and standards of data protection and data privacy laws," he says. "By going beyond, we are setting a common denominator for all the business units in all the different regions."
The second benefit is that setting high standards raises internal awareness of the need to mitigate cyber risk and establishes best practice throughout the organization.
"It is important to have all of the principles of cyber risk mitigation and cyber risk resilience working together," Bailey says. "You need a holistic approach to manage cyber risk."
- Cyber risk is on the rise, with cyber-attacks multiplying in the wake of the COVID-19 pandemic
- Companies are well advised to understand and anticipate future networks and technology for the opportunities they will bring as well as the risks they will create
- Data-privacy legislation is growing, and companies must take immediate steps to ensure they elevate their commitments on data privacy
[1] Gartner, 'Survey reveals 82% of company leaders plan to allow employees to work remotely some of the time', July 2020
[2] CYE and partners; UK and Australian government reports
[3] Interpol, 'report shows alarming rate of cyber-attacks during COVID-19', August 2020
[4] WEF, 'Shaping the Future of Cyber Security and Digital Trust'
[5] PwC, 'Sizing the Prize Report', 2017
[6] Cisco, 'The future of IoT miniguide: the burgeoning IoT market continues', July 2019