So, what changes has the office exodus brought to our cyber threat environment?
In addition to the cyber-crime challenges before the crisis, more than four in ten organisations (41 percent) have experienced an increase in cyber-security incidents according to the 2020 Harvey Nash/KPMG CIO Survey.
Last year’s edition of this research, the largest global survey of technology leaders, suggested a positive trend when it came to cyber-crime.
It showed that as the board’s attention to cyber-security grew and investment increased, cyber-attacks had topped out and even started to decrease. In responses collated before the pandemic, major attacks had fallen yet again.
Unfortunately, no amount of board attention could have predicted or compensated for the unexpected mass relocation of office workers from corporate networks to home networks. Eighty-six percent of survey respondents moved a significant percentage of their workforce to remote working.
The attack surface of organisations expanded exponentially, with IT departments struggling to support and secure the myriad of new, personal devices accessing networks.
Overall, three-quarters of respondents indicated the importance and role of cyber-security increased as a result of COVID-19. But how has the attack landscape changed? Globally, the biggest rise was in spear phishing (83 percent) and malware (62 percent), followed by denial-of-service attacks (21 percent).
The jump in phishing and malware indicates the growth in risk has come mainly through cyber criminals targeting newly remote-working employees.
Perhaps unsurprisingly, security is now the top technology investment priority, listed by 47 percent of respondents. And, for the first time in this survey’s history, cyber-security expertise has become the most in-demand skill set.
As well as remote access from personal devices, the rapid scaling of cloud-based software and the management of vast amounts of data and documents across a complex technology environment all represent new pressures on security and privacy.
Customer experience and engagement, the second highest priority tech investment, will rely heavily on a cloud-based digital infrastructure, so cloud security becomes paramount.
There are some core activities that organisations can undertake to protect themselves from increased threats:
• Dynamically evaluate risk, including the context of the changing operating environment. For example, threats and risks deemed low in a pre-COVID world may now be high.
• Strengthen education and awareness of staff, who may be prone to increased phishing and malware attacks.
• Reassess the effectiveness of cyber controls protecting critical systems and data and new delivery platforms.
• Re-evaluate controls with your third parties. There have been recent cases of infiltration occurring via third parties, who have had weaker security controls in place.
• Update and test Business Continuity processes and programs and have confidence in the ability to recover from an incident.
With cyber risks increasing, companies will turn to outsourced or managed services to help keep their systems robust against attacks.
With every home router now a potential weak point, a security rethink is needed for the new ‘hybrid work’ environment, where significant numbers of workers will remain outside traditional workplaces, part or all of the time.
First published by Gordon Archibald, Partner, National Lead, Cyber Security Services, KPMG Australia, and Mark Tims, Partner, Technology Risk, KPMG Australia, on KPMG Newsroom on 1 October 2020.