Cyber threats in the Covid-19 environment present an unprecedented level of reputational risk to organizations. The combination of a widespread work-from-home/remote workforce and threat actor ingenuity means no company or sector is immune. Online attacks linked to Covid-19 increased by 475 percent in March 2020 alone compared to the previous month.
We’re also witnessing already-present threats like ransomware become even more severe in the Covid-19 environment, especially for organizations in critical infrastructure functions; almost one-third of the Covid-19-related attacks targeted public authorities and healthcare institutions. Plus, hacking groups like Maze have publicly outed companies that have not paid the ransom by posting data copied from these organizations on the group's public website, essentially turning a ransomware situation into a data breach. This means ransomware is creating a possible one-two punch for organizations that could impact both their customer data / IT systems and their ability to deliver essential services.
Beyond security risks, companies have also been scrutinized for issues related to data privacy, as we move toward increasing usage of services such as telehealth/telemedicine, thermal scanning, contact tracing and e-learning, to name a few examples.
Against the backdrop of the still-present Covid-19 landscape, it is imperative for all organizations to double down on re-building their cybersecurity resilience. Here are a few critical steps companies can take in the short term to help pre-empt, prepare and mitigate reputational damage over the long term:
1. Refresh Internal Communications and Employee Engagement Initiatives
As many companies still have majority remote workforces, employees are viewed by many as the biggest vulnerability for cybersecurity. To mitigate this risk, it is imperative for companies to increase efforts to educate and train employees who are working remotely to be vigilant in identifying and reporting potential cyber threats, as well as to understand new expectations related to data privacy.
Key aspects of effective Covid-19/cyber employee communication/education programs:
- Communicate regularly with employees to deliver frequent guidance on IT security as the Covid-19 environment continues to evolve, even as companies shift to re-open strategies
- Re-train employees on the process for identifying and immediately reporting IT security issues or concerns while they’re working remotely
- Instill a reputation risk mindset amongst internal stakeholders with regard to emerging issues of data privacy (e.g., telehealth, telemedicine, e-learning)
2. Reassess Vulnerabilities and Enhance Communications Preparedness
It’s unlikely most organizations adequately considered a global pandemic as part of their incident response and crisis communications plans. As a result, it’s paramount that brands conduct a refreshed threat mapping exercise to identify and re-prioritize risks related to the dual cyber/Covid-19 environment, as well as to audit their current communications preparedness.
When performing a Covid-19 gap analysis on their incident response crisis communications plans and processes, organizations should ask themselves whether they have…
- … the right individuals on their crisis communications teams and back-ups assigned for critical decision makers in the event of illness
- … secure internal communications channels (e.g., video conferencing technology) to share confidential information and maintain legal privilege
- … alternate written communications vehicles available in the event their email system is compromised
- … outlined communications approaches and messaging for scenarios related to emerging cyber threats (e.g., Maze ransomware) and evolving data privacy issues (e.g., related to telemedicine/telehealth/e-learning)
- … a process in place to equip both internal stakeholders who are dispersed geographically and external call center partners with communications and messaging guidance in advance of a significant public announcement
This exercise should inform efforts to refresh existing incident response crisis communications plans to ensure they take into account the operating realities presented by the pandemic and, ultimately, enable organizations to respond nimbly and effectively to a significant cyber event in the current environment.
3. Test and Train in New Ways to Build Muscle Memory
Enhancing resilience requires building and sustaining muscle memory. In addition to refreshing crisis communications plans related to cyber risk in the Covid-19 environment, it is critical that organizations test and train against those plans through tabletop and crisis simulation exercises to expose any gaps in plans or processes in advance of a significant issue. This is even more important in an environment in which incident response and crisis communications teams are operating remotely.
Elements of effective cyber crisis communications training programs in the Covid-19 environment:
- Testing how incident response communications teams operate, communicate and coordinate with each other in a remote capacity
- Incorporating operational impacts of the cyber crisis that put additional pressure on organizations’ ability to meet service and product needs in the Covid-19 environment
- Involving participation from executive leadership to assess decision-making and ensure buy-in
The risks that cyber threats in the Covid-19 age present do not discriminate in terms of industries, and their financial, operational, and reputational impacts are only anticipated to increase over the course of 2020 and beyond. (The global costs of ransomware are expected to reach $20 billion by 2021, an increase from their estimated damages of $11.5 billion in 2019 and $8 billion in 2018.)
But unlike a global pandemic, this is a crisis every brand can, and should, see coming. And there is no time like the present to prepare for the inevitable.
Jamie Singer is Senior Vice President, Crisis & Risk Management, U.S. Data Security & Privacy.