Right now, cyberthreats present an unprecedented level of reputational risk to organisations. The combination of a widespread remote workforce and ingenuity among cyber attackers means no company or sector is immune. Online attacks linked to Covid-19 increased by 475 percent in March 2020 compared to the previous month.
We’re also seeing ransomware threats become more severe as a result of the Covid-19 pandemic, especially for organisations in critical infrastructure functions; almost one-third of the Covid-19-related attacks targeted public authorities and healthcare institutions. Hacking groups like Maze have publicly outed companies that fail to pay their demanded ransom, posting their data online and essentially turning a ransomware situation into a data breach. This means ransomware is creating a possible one-two punch for organisations that could impact both customer data / IT systems and their ability to deliver essential services.
Beyond security risks, companies are also under major scrutiny when it comes to issues related to data privacy, driven by the coronavirus-induced acceleration towards digital tools such as telehealth/telemedicine, thermal scanning, contact tracing and e-learning services.
Against this backdrop, it is imperative for all organisations to focus on rebuilding their cybersecurity resilience. Here are three key steps you can take in the short term to help pre-empt, prepare for and mitigate any reputational damage to your organisation in the long term:
1. Refresh internal communications and employee engagement initiatives
With the majority of employees still working remotely, many experts view them as the biggest vulnerability for your organisation’s cybersecurity. To mitigate this risk, you should increase efforts to educate and train your workforce to be vigilant in identifying and reporting potential cyberthreats and to ensure they have a clear understanding of data privacy expectations. This includes communicating updated guidance on IT security frequently as the Covid-19 environment evolves.
2. Reassess vulnerabilities and enhance communications preparedness
It’s unlikely most organisations adequately considered a global pandemic as part of their incident response and crisis communications plans. As a result, it’s paramount you conduct a refreshed threat mapping exercise to identify and re-prioritise risks related to the dual cyber/Covid-19 threat, as well as to audit your current communications preparedness in light of the operating realities presented by this pandemic. When performing a Covid-19 gap analysis on your incident response and crisis communications plans and processes, ask yourself whether you have:
- the right individuals on your crisis communications team(s) as well as back-ups assigned for critical decision-makers in the event of illness
- secure internal communications channels – e.g. video conferencing technology – to share confidential information and maintain legal privilege
- alternate written communications vehicles available in the event your email system is compromised
- outlined communications approaches and messaging for scenarios related to emerging cyberthreats and evolving data privacy issues
- a process in place to equip both internal stakeholders who are dispersed geographically and external call centre partners with communications and messaging guidance in advance of a significant public announcement
3. Test your processes in advance
In addition to refreshing crisis communications plans related to cyber risks in the Covid-19 environment, it is critical you use crisis simulation exercises to expose any gaps in your plans or processes in advance of a significant issue. This is even more important in an environment in which incident response and crisis communications teams are operating remotely. The key elements of an effective cyber crisis communications training programme are:
- testing how incident response communications teams operate, communicate and coordinate with each other in a remote capacity
- incorporating operational impacts of the cyber crisis that put additional pressure on your organisation’s ability to meet customer service and product needs
- involving participation from executive leadership to assess decision-making and ensure buy-in
Cyberthreats in the Covid-19 environment do not discriminate in terms of industries, while their financial, operational, and reputational impacts are only anticipated to increase over the course of 2020 and beyond. (The global costs of ransomware are expected to reach $20 billion by 2021, an increase from their estimated damages of $11.5 billion in 2019 and $8 billion in 2018.) But unlike a global pandemic, this is a crisis every brand and business can, and should, see coming. There is no time like the present to prepare.