All industries face the threat of cyberattack. According to a prior McKinsey survey, 75 percent of experts, across many industries, consider cyberrisk to be a top concern.
Until recently, financial firms were the primary targets. Risks for banks arise from diverse factors including vulnerabilities to fraud and financial crime inherent in automation and digitization; massive growth in transaction volumes; and greater integration of financial systems within countries and internationally.
Today, due to digitization and automation, the threat is universal. Added to this, the recent COVID-19 pandemic has intensified the danger of cyberattack, across all industries. Changes in working conditions have made it harder for companies to maintain security. Large-scale adoption of work-from-home technologies, heightened activity on customer-facing networks, and greater use of online services all present fresh openings, which cyberattackers have been quick to exploit.
The overarching challenge for chief information security officers (CISOs) and cybersecurity teams will be protecting their institutions against cyberthreats while maintaining business continuity.
Digitization increases the risk of cyberattack, and this is exacerbated by the COVID-19 pandemic
All industries face greater exposure to cyberthreats due to increasing digitization. For example, in the airline industry, digital innovation across the value chain—combined with the sheer volume of customer data airlines possess—has made them a hot target for cybercriminals. Various cyberincidents have demonstrated the need for airlines to upgrade IT and operational technology systems to reduce risk and build resiliency into their heavily digitized operating models. In 2019, the United Kingdom imposed a $230 million fine on a European airline for a breach caused by security vulnerabilities in its website. And in 2018, hackers penetrated unpatched servers and access controls of an Asian airline to steal the personal data of 9.4 million customers.
Additionally, more airlines are moving to the public cloud, for example, to harness data analytics and optimize customer experience and operations. As airlines integrate a wider array of ecosystems—such as those facilitated by the International Air Transport Association New Distribution Capability Standard—to personalize their offerings further and exchange more granular information with partners, they may have less control over the security environment and become more prone to digital attacks.
Exhibit 1 shows a snapshot of recent, publicly reported IT and cyberincidents in the airline industry.
According to Identity Theft Resource Center statistics for the United States, despite a recent decline in the total number of data breaches to about 1.2 billion, the number of records exposed has grown by about 15 percent a year since 2005 to more than 447 million in 2018 (Exhibit 2).
Given the industry’s low margins, airlines also continuously look for cost-cutting opportunities, including in IT. Many try to optimize vendor contracts for unit costs rather than acquire the agility or innovation required to evaluate new business concepts and respond quickly to new threats or opportunities.
The response to COVID-19 has increased cyberrisk
Physical distancing means many workers are staying home and making greater use of videoconferencing services, collaboration platforms, and other digital tools to do business. In their free time, they are also going online more frequently to shop, read, chat, play, and stream. All these behaviors put immense stress on cybersecurity controls and operations. Several major vulnerabilities stand out:
First, a broad shift toward work-from-home arrangements has amplified long-standing cybersecurity challenges and opened multiple vectors for cyberattacks (Exhibit 3). Second, social-engineering ploys—to gain information, money, or access to protected systems—are on the rise, such as attackers posing as help-desk teams, health workers, or investors in virus-related response activities. Finally, cyberattackers are using websites with weak security to deliver malware, in some instances using domains and websites created to spread information and resources to combat COVID-19.
As the COVID-19 outbreak progresses and alters the functioning of our socioeconomic systems, cyberattackers will continue their efforts to exploit our fears and our digital vulnerabilities. To remain vigilant and effective, CISOs will need new tactics, particularly in two areas: securing work-from-home arrangements at scale; and supporting high levels of consumer-facing network traffic.
How leaders can manage cyberrisk
Given the gravity, complexity, and growing number of risks that businesses face, executives need ways to set priorities and sequence their cybersecurity and digitization investments. Based on our experience in serving leaders in industries from consumer lending to national defense, we recommend that senior teams step back and consider their overall situations from a business perspective. Digitization requires a powerful, reliable backbone that has security and resilience built in. Managing cyberrisk requires focus in four main areas: assessing vulnerabilities with a quantitative risk analysis; reviewing cloud architecture and security capabilities; muscling up incident response and recovery capabilities; and prioritizing a cybersecurity budget, including building a skilled talent pool and optimizing resources through automation.
Assess your vulnerabilities by performing a detailed quantitative risk analysis
Cybersecurity should be central to every strategic decision and an essential component of every IT product in the organization. Cybersecurity initiatives should be prioritized based on business-risk scenarios. By looking across the business through a cybersecurity lens, companies can transform their decision making and make wiser investments based on risk. Reviewing potential attack vectors from a risk perspective and evaluating the effectiveness of current cybersecurity activities could help identify areas that put the company at risk but are not yet covered by existing cyberactivities.
We recommend that cybersecurity leaders assess their organization’s current vulnerability through a quantitative risk analysis including patch management practices; and build metrics and a dashboard to report regularly on the identified vulnerabilities and patch releases to the CISO.
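One way to turn the patch-management part of that analysis into dashboard metrics, as an added illustration that is not part of the original article: the script below takes open and closed vulnerability findings (constructed sample records, with placeholder identifiers rather than real CVEs), bands them by CVSS severity, and reports per band the open count, the count past an assumed remediation SLA, a risk-weighted exposure figure, and how many closed findings were patched within SLA. The SLA windows and the exposure weighting are assumptions, not a standard.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

@dataclass
class Finding:
    asset: str
    vuln_id: str            # placeholder identifier, not a real CVE
    cvss: float
    internet_facing: bool
    found: date
    patched: Optional[date]  # None while the finding is still open

# Assumed remediation SLAs in days per severity band (an assumption for this example).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

def severity(cvss: float) -> str:
    """Map a CVSS base score to a severity band (CVSS v3 qualitative ranges)."""
    if cvss >= 9.0: return "critical"
    if cvss >= 7.0: return "high"
    if cvss >= 4.0: return "medium"
    return "low"

def risk_score(f: Finding) -> float:
    """Exposure weighting: internet-facing assets count double (assumed weighting)."""
    return f.cvss * (2.0 if f.internet_facing else 1.0)

def dashboard(findings: List[Finding], today: date) -> Dict[str, Dict[str, float]]:
    """Aggregate findings into the per-severity figures a CISO dashboard would show."""
    rows: Dict[str, Dict[str, float]] = {}
    for f in findings:
        sev = severity(f.cvss)
        r = rows.setdefault(sev, {"open": 0, "overdue": 0, "risk": 0.0,
                                  "patched": 0, "patched_in_sla": 0})
        if f.patched is None:
            r["open"] += 1
            r["risk"] += risk_score(f)
            if (today - f.found).days > SLA_DAYS[sev]:
                r["overdue"] += 1           # open and past its SLA window
        else:
            r["patched"] += 1
            if (f.patched - f.found).days <= SLA_DAYS[sev]:
                r["patched_in_sla"] += 1    # closed within the SLA window
    return rows

# Constructed sample findings (not real data).
SAMPLE = [
    Finding("web-01", "VULN-0001", 9.8, True,  date(2020, 5, 1),  None),
    Finding("app-07", "VULN-0002", 7.5, False, date(2020, 5, 20), None),
    Finding("db-02",  "VULN-0003", 9.1, False, date(2020, 4, 1),  date(2020, 4, 5)),
    Finding("web-03", "VULN-0004", 5.3, True,  date(2020, 1, 15), date(2020, 5, 30)),
    Finding("hr-01",  "VULN-0005", 3.1, False, date(2020, 5, 25), None),
]
```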
Review cloud architecture and security capabilities
A company should build an IT architecture and operating model that best supports its growth, digitization, and business model. In reviewing cloud architecture, it is important to first understand what data you are putting in the cloud now and to minimize the presence of sensitive information there. CISOs should also implement a holistic cloud security strategy—emphasizing access management, threat monitoring, and incident response. Additionally, it is advisable to conduct regular penetration and vulnerability testing and audit reviews to ensure your cloud environment is secure.
Muscle up incident response and recovery capabilities
The tragic COVID-19 pandemic has shown that it is critical for companies to have robust incident response and recovery capabilities. All companies should have systems in place for monitoring and developing a response plan for supply chain cyberdisruptions. It is also advisable to continuously assess and refresh the incident response and recovery program based on your particular business risks and emerging threats, for example by hosting regular table-top exercises on emerging threats, and conducting comprehensive resilience exercises to test response and recovery capacities.
In the context of the pandemic, new tactics can help cybersecurity leaders to safeguard their organizations. The COVID-19 response has presented CISOs and their teams with two immediate priorities: One is securing work-from-home arrangements on an unprecedented scale; the other is maintaining the confidentiality, integrity, and availability of consumer-facing network traffic as volumes spike—partly as a result of the additional time people are spending at home. Recent discussions with cybersecurity leaders suggest that certain actions are particularly helpful in fulfilling these two priorities, in three areas: technology, people, and processes.
Technology
Work-from-home arrangements. Make sure required controls are in place—for example, accelerate patching for critical systems, scale up multifactor authentication, and install controls for facility-based applications that have been migrated to remote access.
Consumer-facing network traffic. Ensure sufficient capacity by putting in place technical building blocks such as a web-application firewall, secure-sockets-layer (SSL) certificates, network monitoring, anti-distributed-denial-of-service (DDoS) protection, and fraud analytics.
People
Even with stronger technology controls, employees working from home must still exercise good judgment to maintain security. To help employees understand the risks, businesses need to communicate effectively and creatively. Focus on what to do—rather than what not to do—and increase awareness of social engineering ploys. Also identify and monitor high-risk users such as those working with confidential data.
Processes
Work-from-home arrangements. Few business processes are designed to support extensive work from home, so most lack the right embedded controls. Promote resilience by supporting secure remote-working tools, testing and adjusting incident-response (IR) and business-continuity/disaster-recovery (BC/DR) capabilities, and securing physical documents. Also, take steps to expand monitoring and clarify incident-response protocols.
Consumer-facing network traffic. Customers, employees, and vendors all play some part in maintaining the confidentiality, integrity, and availability of web-facing networks. Integrate and standardize security activities (for example, by integrating fraud-prevention capabilities with the SOC), and offer guidelines to help consumers solve some problems themselves, particularly during periods of peak use.
Prioritize cybersecurity budget, build a skilled talent pool, and optimize resources through automation
Post-pandemic, it will be even more critical for organizations to find ways to cover the rising costs of IT to meet innovation and cybersecurity requirements. To generate true cost savings, the operating model needs to be adjusted. In the case of public cloud, standardizing and automating IT-infrastructure operations can significantly reduce costs.
To keep their organization on track and make the right investments, cybersecurity executives should ask and answer the following questions regarding budget, talent, and automation:
Budget
- How do we focus on the right topics and spend the right amount of money? By evaluating cyber spending against key risks and its impact on them, making sure this is proportional.
- How do we measure effectiveness and evaluate how much our cyberefforts reduce our actual cyberrisks? By assessing ROI for cyber investments based on risk reduction.
Talent
- How do we know we have the right team to meet the cybersecurity challenge? By reviewing your cyber and risk teams’ RACI and the complexity of your solutions, and identifying skill-set gaps. Also, by providing continuous learning opportunities to help employees adapt to new tools and technologies.
Automation
- What is our future IT-infrastructure strategy, and what are its implications for the business areas?
- What benefits can the business expect from modernization, and are we set up to meet these expectations?
To answer these questions, identify operational processes that can be transformed through automation to reduce human overhead.
All businesses, across all industries, face the risk of cyberattack. The COVID-19 pandemic may have exacerbated this risk as changes in working conditions have made it harder for companies to maintain security. But there are steps businesses can take to manage security breaches, increase cyberresilience, and improve operational stability. Tactics to help businesses safeguard their organizations while ensuring business continuity center on two priorities: securing work-from-home arrangements at scale; and supporting high levels of consumer-facing network traffic.