In this series, CUBE, in collaboration with the Canadian Regulatory Technology Association (CRTA), speaks to industry experts about cyber strategies in the ‘new normal’. As the coronavirus pandemic has swept the globe, businesses have been forced to re-examine their approach to cyber. In the final blog of the series, Vignesh Krishnamoorthy, explores the third-party risks presented by the ‘new normal’.
Are you ready for the #cybernewnormal?
Work from anywhere. Cyber everywhere.
The COVID-19 pandemic forced business leaders worldwide to respond with unprecedented speed and efficiency to the new ways of working, innovating, responding, collaborating, transacting… and surviving. Now, as organizations begin to plan for a post-pandemic world, they must ask themselves, “how can we make new ways of work productive, sustainable, secure, and safe?”
As COVID-19 spread from person-to-person, country to country, and beyond, Cyber delivered the integrity and availability of the networks needed to “work from anywhere” and the confidentiality to transact and transform with confidence across geographies. For the world to continue to thrive in this new remote and virtual environment, even as COVID-19 wanes and surges in various regions, organizations will need to:
- Establish a foundation of trust,
- Adopt a “Cyber Everywhere” mindset,
- Embrace a culture of perpetual resilience,
- And lead from the front.
Many organizations already have determined they will never return to “business as usual” or “business before COVID” because they have seen increased productivity from allowing employees to work from home and they want to lock in those benefits. However, to thrive in this next normal, organizations need a sound strategy for managing Cyber risk. A “Cyber Everywhere” mindset is required. It means understanding the pervasiveness of Cyber and meaningfully embedding it in innovation, strategy, and process to ensure that Cyber enables the success of every initiative, allowing organizations to move more quickly, effectively, and securely.
The Impacts to Third-Party Supplier Risk
Within every industry, organizations face challenges to both support their remote workforce and rapidly adopt online services and customer support channels. To address these challenges, organizations may now rely more on suppliers that provide remote access technologies or support essential services. However, the supply chain also introduces increased risk to these organizations as they serve as an extension of their operations.
Organizations need to understand the full landscape of risk third parties pose including, but not limited to, reputation, business continuity, financial viability, and privacy. From a Cyber risk specific lens, suppliers that lack the appropriate security controls for remote work expose their clients to Cyber-attacks that could compromise data or create system downtime, resulting in operational disruption and financial loss.
To reduce risk exposure from the supply chain, organizations must enhance existing risk frameworks to assess suppliers from a remote risk perspective. Clients should focus on the following three principles to ensure risks in their supply chain are effectively mitigated.
- Identify and re-prioritize critical suppliers.
The massive shift towards remote working requires organizations to prioritize suppliers that have a direct connection into their environment or provide a critical process for their operations. Suppliers that connect directly to any infrastructure should be assessed to verify that their security controls protect their remote workforce and do not create any additional risks for the organization. The suppliers an organization may have de-prioritized due to the lack of strong organizational controls may now be at higher risk as those controls are no longer enforceable and controlled by the parent organization.
- Accelerate the review of critical suppliers.
With the changing risk landscape post-COVID-19 – organizations have accepted a degree of risk with the shift to employers and suppliers remotely working from home. It is recommended that organizations accelerate the review of these critical suppliers. Focus and priority should be put on suppliers at the top of the revised prioritized risk ranking as this will help the organization get a more accurate view of its supplier risk. This would also be a good time to catch up on the backlog of suppliers that may not have been assessed in a timely manner – particularly if they have been prioritized as a higher risk.
- Enhance the supplier risk frameworks.
Organizations should anticipate key entities within their supply chain establishing a permanent remote working environment as organizations observe continued productivity and lowered costs. Through its key clientele in all key industries, Deloitte anticipates a shift towards permanent remote working for a majority of the organization’s employees. Organizations can use the shift towards remote working as an opportunity to enhance their supplier risk frameworks and establish a methodology that considers risk associated with remote working at the forefront. In doing so, they can take a proactive approach to their risk management by anticipating a future state of work where the majority operate remotely.
Accelerating security imperatives of the future
As we are experiencing changes in our societal values, how businesses operate, and what customers demand, many leaders are thinking about the longer-term impacts of the pandemic and how their organization can achieve results in the future. In this new reality, organizations will serve customers differently, engage their workforce through evolving delivery/employment models, and face an increasingly complex threat landscape – and businesses have the opportunity to use cyber as a strategic differentiator to create a resilient enterprise of the future.