20-20 HINDSIGHT — FROM THE 1920s TO 2020 — WHAT CAN WE LEARN?
In 1929, the vibrant U.S. economy went through the greatest shock it had ever received when the stock market crashed. A frightened and bewildered Congress, flailing for answers, summoned the economic chieftains of the day to testify as to whether they had manipulated the crisis.
The venerable JP Morgan was called to task before the US Senate. “You know what the stock market is going to do, don’t you, Mr. Morgan?” the story goes. To which JP admitted, “Yes, Senator, I do know.” “You have an obligation to share it with the nation, Mr. Morgan,” the Senator demanded. “What is the stock market going to do?” “It is going to fluctuate,” said JP.
On March 11, 2020, the coronavirus struck, and the vibrant U.S. economy went into its greatest shock since the Great Depression. Overnight, the virus ushered in the largest alteration in how humans do work in history. In less than one week, we went from a workforce wherein about 21% of workers at least occasionally used online facilities to work from home to a workforce wherein approximately 80% of the workforce did roughly 100% of their work online at home. Since then, the US economy has fluctuated.
The stock market fell precipitously, then recovered, then began to drop again and steadied — and no one really knows what the stock market or aspects of it are going to do. The more things change, the more they stay the same.
To use another tried-but-true adage, we have learned again that the only constant is change. But there is a difference now. In the digitally based economy of 2020, change comes much faster, and so do the business by-products — for better or worse — of the pandemic. There was not too much to loot in the throes of the Potemkin-like economy of the 1920s, but there are billions and billions of dollars at risk in the wake of the robust pre-pandemic economy, and cyber thieves are coming after it with a vengeance.
American business was largely unprepared to fend off cyber criminals before the virus hit; we are now immeasurably worse off. Metaphorically, we have gone from leaving the door ajar to cyber criminals before the pandemic to throwing the door wide open and laying out a welcome mat for them now. The criminals are going to be quick; we need to be quicker.
THESE ARE THE GOOD OLD DAYS
Prior to the virus hitting the U.S., online work was typically part of a carefully managed system. Chief Security Officers were generally distrustful of allowing important work to be done outside the normal system of operations and security. Remote work generally was carefully planned and tested, and training to ensure security procedures were followed was standard operating procedure. That basically all went out the window post-virus. Now, virtually everyone is working at home. Whereas most workers were part of the system in the office, now essentially everyone needs their own system. The networks and tools were not designed for this immediate overload. Moreover, the managers of the systems, outside of the 20% who had prior training, were now essentially “ad-hocking” how to manage their online workforce and developing workarounds for many of the security issues that tended to slow them down and impede productivity.
The criminals have responded to the dinner bell and are feeding themselves like gluttons. Google has reported 18 million phishing and malware schemes related to COVID-19 every day. Millions of workers untrained in cybersecurity for the remote space are working from home, using insecure personal devices, and increasingly falling prey, unwittingly, to cyber attacks.
A CrowdStrike study revealed that intrusions were already up in Q1 of 2020, with the expectation of even higher numbers in Q2. Unfortunately, half of business leaders surveyed say they do not think they will see an increase in cyber-risk. They are wrong, very wrong. A recent PWC post-pandemic survey of cybersecurity experts found that 98% feel the need to alter their cybersecurity strategy post-pandemic to account for increased risk. Who are you going to believe?
Things are only going to get worse. With any luck, we will eventually (soon?) emerge from the virus-dominated era. We will then be faced with a crippled economy, unemployment surpassing depression levels, and many businesses on life support at best — through no real fault of their own. We all know the medical crisis generated an economic crisis, but it has also generated a technology crisis: at the very time many of us thought we were already too dependent on insecure systems, we have become even more reliant on them.
Once we have moved past the immediate pandemic environment, there will be a necessary and intensive effort to re-engage the full U.S. economy. However, virtually no one believes that we will return to the central office dominated structure of the pre-pandemic world. Most estimates are that at least half the workforce (as opposed to the pre-pandemic 20%) will continue to work remotely.
We have seen this movie before. When there is a special emphasis on maximizing productivity, security always gets shortchanged. Private enterprises, especially smaller businesses, many forced to operate at lower capacity due to persistent virus risk, will put the pedal to the metal to maximize productivity and profits. Security, despite the best efforts of pro-security advocates, will typically be seen as an impediment to speed, productivity, and profit — it actually often is — and will get short shrift.
A massively weakened system, increasingly emboldened cyber criminals, and an almost universal, and understandable, desire to maximize profit quickly to repair both personal and national economies make a perfect storm for increased cyber-attacks. In the past couple of months, Congress dumped $2 trillion plus into pandemic aid. The Federal Reserve System contributed about another trillion dollars. Budget deficits seem not to be a major concern, given the medical and, to some more importantly, the economic issues resulting from the pandemic.
For some reason, cybersecurity support seems to be nowhere in the calculus. When the government’s initial advice for returning to work was published, cybersecurity was not mentioned. This is ironic, since the economic nexus with cybersecurity is fairly obvious. Multiple studies over a period of several years have indicated that the major obstacle to improving cybersecurity is neither technological nor attitudinal but economic.
According to the McAfee 2018 Cyber Crime Report, the chief motive for cyber-attacks is economic. According to the World Economic Forum, losses from cybercrime currently total about two trillion dollars a year and will grow to six trillion in a couple of years — and those are pre-pandemic estimates.
Small businesses are the soft underbelly of cybersecurity, both as a target for attack and as an entryway into the larger organizations they interconnect with, whose security they can undermine. More people are employed in small companies than in any other element of the economy. Small firms are also the ones that have been most impacted by the pandemic, with sales down 75% on average.
THINK FAST AND KEEP THINKING FAST
Corporate managers need to understand that they do not live in the 20th century anymore — in fact, they do not even live in the first quintile of the 21st century. The game has changed overnight, and they need to change with it, and fast. New thinking needs to begin at the top of organizations, with the board of directors, not always thought of as the bastion of corporate innovation, but it needs to be now.
At a June conference on cybersecurity, sponsored by the National Association of Corporate Directors (NACD), the directors were urged to begin to think differently about their workforce especially with respect to cybersecurity. The NACD members were advised to follow three principles:
- Think outside the enterprise
- Think in terms of people, information, and machines
- Think in terms of balance
THINK OUTSIDE THE ENTERPRISE
Organizations need to understand that the boundaries of their enterprise have expanded. In fact, what used to be known as the perimeter of the enterprise has now completely disappeared. Whereas organizations were beginning to understand that they needed to secure not just their own organization but their entire supply chain of vendors, partners, and clients, they now must realize that functionally, from a cybersecurity perspective, virtually the entire workforce is the “supply chain.” In addition, COVID-19 is a systemic issue. Cyber threats can also be systemic. The defining characteristic of the internet is its interconnection. Entities can’t think just in terms of securing their enterprise but must think in terms of the entire ecosystem. It is not just an issue of “our internet” going down; suppose the whole internet — systemically — goes down? Corporate emergency planning (already an underappreciated and under-supported function) may now have to take the prospect of a systemic cyber event — akin to the systemic medical event that has been COVID-19 — into consideration.
THINK IN TERMS OF PEOPLE, INFORMATION, AND MACHINES
The very nature of communication has changed in the new environment. An excellent article in the National Law Review pointed out that people, information, and machines are inseparable in the new environment: “To be more secure, employers should think in terms of how information flows over the internet from employee to employee, employee to customer, machine to machine, system to system throughout the communication process.” Virtually every communication is now a real-life version of the old game “telephone,” where messages are whispered down a line of individuals and the content always winds up massively altered by the time it reaches its destination. From a cybersecurity perspective, this again heightens the ability of malicious insiders, or simply sloppy employees (and managers), to exacerbate cyber risk in ways difficult to detect using the old (“old” meaning since March 2020) methods.
THINK IN TERMS OF BALANCE
Organizations see technology disruption as the greatest strategic opportunity; hence, digital transformation is a top goal. This will naturally be intensified in the post-COVID-19 economy. However, the careful system of checks and balances that even the better-secured organizations had in place needs to be rethought. Not only are we not in Kansas anymore, no one is in Kansas anymore. This will be especially important as the post-pandemic urge to recapture the economic value of lost time becomes almost irresistible, and neat new tech may seem to be the best way to recapture lost revenue. Organizational leaders need to think in terms of balance. Tech innovations can be tremendously attractive in terms of immediate payoffs, but virtually all digital tech enhancements such as cloud computing, the Internet of Things, artificial intelligence, etc., while potentially great for productivity and growth, can also generate increased cyber risk. Use of these tools may be absolutely necessary for organizations to compete in the post-COVID economy, but they could endanger intellectual property, financial records, and business plans, not to mention personal data. Organizations need to be agile, but also smart.
THINKING IS FINE, WHAT ABOUT ACTING?
In one of the largest post-pandemic studies so far, ESI ThoughtLab found that “digital transformation continues to expose companies to greater risk. The COVID-19 pandemic is accelerating this trend as companies embrace remote working and supply chains while consumers ramp up their use of digital shopping and banking as well as remote medicine communications and entertainment.” ESI’s prescription for the growing cyber infection: more investment in security will enhance ROI.
ESI found that “on average, firms see an overall Return on Investment (ROI) of 191% from their cybersecurity investments. That means every dollar of investment generates $2 in benefits.” Not surprisingly, ESI found smaller companies were less mature, including investing less, than larger ones with respect to cybersecurity, but it also found that “the least mature firms recognize the highest ROI since they have more to gain.”
ESI found that training programs and process enhancements are among the most cost-effective cybersecurity programs. The ROI for cybersecurity investments in people averaged 283%, compared with 164% for investments in cyber process and only about 178% for investments in technology. However, the ESI study also found that one third of cybersecurity investments resulted in negative ROI.
So, even assuming organizations will appropriately balance their post-pandemic resources, they still need to invest in people, process, and technology that will be effective and agile. While there is no way to say which investments are best for individual businesses, the NACD conference on cybersecurity suggested enterprise leaders ask the following questions in order to assess their ever-changing business and security environment.
- How has our threat picture changed post-COVID-19?
- What is our plan to prevent a “remote” cyber incident?
- Do we have written incident response and continuity plans for the new workforce?
- How has our supply chain security been affected post-COVID-19?
- How does our security budget change post-COVID-19, and why?
- How have our compliance requirements changed?
- Do we have Multi-Factor Authentication (MFA) as our default for all equipment?
- Have we installed encryption for all work machines?
- Have we gotten strong confidentiality agreements and acceptable use policy statements from our remote employees?
- What are our plans for dealing with a systemic cyber incident?
By thinking not just in a 2020 mindset but in a post-March 2020 mindset, balancing economics and security for the new work order, and asking the right questions, agile organizations will put themselves in the best position to survive and thrive.