Owned by the C-suite: a new approach to security is needed as cyber risks multiply

Post-Covid-19, security is no longer an ‘IT issue’ – it’s a C-suite item and a fundamental strategic priority

One of the clear effects of the Covid-19 pandemic has been a dramatic shift in the cyber threat. With the rapid move to remote working, the relatively safe haven of the corporate network has mutated to include kitchen tables, studies and living rooms. The attack surface has grown geometrically.

In this year's Harvey Nash/KPMG CIO Survey, 83 per cent of tech leaders report an increase in spear phishing and 62 per cent have seen an increase in malware in the wake of Covid-19. A wide variety of threat actors and organised criminals have capitalised on the rush to enable remote working and to scale cloud solutions, and have proved themselves, as ever, quick, adaptable and effective. In particular, attacks on collaboration platforms and remote access infrastructure have increased, along with more sophisticated and persistent ransomware.

Remote working and BYOD

For some organisations that routinely have significant numbers of people working flexibly or away from the office, remote working has not been too dramatic a shift. Organisations that were largely digitally native or employed cloud-first architectures proved more resilient. For the majority of companies, however, it has represented a massive overhaul of how they operate: where they might normally have had perhaps one in ten people working remotely at any one time, that grew to anywhere from 80-100 per cent in a matter of weeks.

A shortage of corporate equipment - or challenges in getting it to staff - has meant that bring your own device (BYOD) approaches have hugely increased, bringing new risks. What was seen as a temporary solution has rapidly become the de facto new reality. According to the research, 86 per cent of companies have moved the majority of their workforce to remote working, and many are likely to work largely from home for at least the next 6-9 months. Nearly half believe that the majority of the workforce will remain permanently remote.


From an IT security and privacy perspective, the implications are considerable. In normal times, rolling out these services would be a project lasting many months complete with milestones, checks and balances, and a communication and training programme to ensure users are aware of all necessary protocols. Through Covid-19, it all had to happen overnight.

Businesses have had to think not only about securing their own systems, data and people, but also about the extended ecosystem of service providers they rely upon across the supply chain, which have come under equally massive pressure. As architectures and service delivery models shift on both sides, reassessing and aligning risks, policies, controls and security protocols across a multitude of suppliers and contracts becomes critical.

A zoom in collaborative technologies

One of the most common areas that businesses need to focus on is cloud-enabled, SaaS-based collaborative technologies, especially vulnerable configurations of Office 365, email servers, and poorly routed VPN traffic. Stressing the importance of dual-factor authentication, device checks, and data encryption is amongst the first steps. Further questions to consider: Are the appropriate access rights and permissions in place, for the right people? Are these services configured to allow the IT security team visibility, and do they comply with regulatory requirements? Have the appropriate controls been put in place to manage risks such as data protection, privacy and records management in a hybrid multi-cloud environment?

Plugging the gaps

The 2020 CIO Survey shows that cyber skills are the top shortage, the first time in over a decade that a security-related skill has topped the global list. To complicate the demand on an already small pool of available talent, cyber roles now also require cloud security, integration, and mobile device experience.

It's a challenging outlook. With cyber risks increasing, companies will increasingly turn to outsourced or managed services to help keep their systems robust against attacks.

Collaboration and a new security team at the top

The risks have multiplied - so what is the solution?

Digital transformation and Covid-19 have ripped up the old cyber rulebook, in which security was an often-adversarial process bolted onto multi-year projects and slowly evolving IT operating models. Over the last several months, IT and the business have collaborated as never before, embracing truly agile methods and breaking down perceived barriers between teams to achieve common, urgent goals. This collaboration and sense of being all in it together must continue. What has occurred has given the business more ownership of the risk than it ever used to have. This shared mindset has been talked about for years - now it has actually arrived, and it must be maintained and built upon.

Crucially, it has to stretch all the way up to the very top of the business. According to the CIO Survey, security and data protection remain amongst the most strategic technology investments. Digital leaders are twice as likely to deliver on the promise of customer trust - they do this by embedding risk, security and assurance competencies across the IT value chain. For these leading companies, partnerships exist not only between the CISO and CIO, but the CEO, Chief Risk Officer and the board.

In the new reality post-Covid-19, security is no longer an ‘IT issue’ - it's a C-suite item and a fundamental strategic priority.

Steve Bates is principal, KPMG in the US and global lead at the KPMG International CIO Centre of Excellence, and David Ferbrache is global head of cyber futures at KPMG International.