Fri, May 8, 2020

Maturing Your Cyber Security Program During COVID - 19

During these challenging times, it is crucial to protect ourselves against the coronavirus (COVID-19), and so we are working from home where possible, practicing social distancing measures, and wearing masks and avoiding contact with others as much as we can. It is also crucial for organizations to remain focused on protecting themselves from cyber threats and to that extent, continue their risk assessment and remediation plans, despite the challenging physical limitations.

However, you don’t want third-party vendors entering your offices and holding security workshops with large groups of staff, violating social distancing norms, to conduct an assessment and test your cyber controls. The risk of COVID-19 spread is still real and the apprehension amongst staff to get together face-to-face is justified.  

So, how do you ensure those plans to conduct cyber security risk assessments are still progressing? How do you ensure the remediation actions are being implemented effectively? Ultimately, how do you prove to regulators, board and management that your cyber security risk profile is maturing and highlight the areas that require attention and investment? It would be all too easy to use the current situation as a get-out-of-jail-free card—we cannot conduct the required remediation or assessment due to the physical restrictions placed upon us by the pandemic. Nonetheless, the threats associated with the pandemic will not wait for more convenient times and neither will those seeking to exploit cyber vulnerabilities.

We’ve included some best practices below to ensure your cyber plans continue to receive the necessary focus during this challenging time:

Use Reliable Cyber Threat Intelligence to Reevaluate Existing Plans

The COVID-19 situation is resulting in a real escalation of threats designed to take advantage of the situation. Is your organization at increased risk now from COVID-19-related attacks? We see increasing use of phishing attacks designed to look as though they come from legitimate sources such as the WHO, charities and local authorities. In addition, phone scams where banking customers are targeted by scammers pretending to be from health authorities. Evaluate your cyber plans to ensure such scenarios are covered and appropriate controls have been implemented. 


If you don’t have one already, set up an emergency response team/incident management team and have them hold an online workshop to review cyber plans based on increased threat vectors linked to COVID-19. Organizing such tabletop exercises is a great way to test capability across these governance structures in handling the new risk scenarios of the pandemic and cyber risk. Online crisis exercises are appropriate currently and help you identify any gaps in your capability.

Establish Short-, Medium- and Long-Term Risk Mitigation Plans

Pandemic plans have commonly been overlooked and rarely tested properly. It is important now to take stock and review the strategic response and organization, workforce, business operations and supply chain, customers and communications. The planning process for these domains should envisage requirements in the short-, medium- and long-term of this global crisis. Establishing these important risk mitigation plans now will not only help you in the current situation but potentially be a vital resilience response when we are faced with a new wave of the outbreak.


Conduct detailed online workshops on scenario planning and mitigation with senior management, response teams and trusted third-party experts. Identify the worst-case scenarios and risk and mitigation plans across each domain within a short-, medium-, and long-term outlook.

Align Security Goals to Enable Business 

As economies worldwide head towards a recession and businesses take a downturn, what role can security play to not only protect assets and reputation but also actively develop to be a business enabler? Isolation and quarantine at home have shifted work and entertainment online significantly, with the use of videoconferencing, online learning, gaming, video streaming and online food delivery benefiting from this. Sure, this increases security risk but also opens up new potential revenue streams for business. Traditional security processes need to become more agile in enabling this, and security practitioners should take the opportunity to research new technologies (such as 5G, artificial intelligence, biometrics, 3D sensing cameras, etc.) and the security implications surrounding them.


CISOs and security teams to hold research discussions on ways in which they can become business enablers, including the revamp of certain security procedures to fit a more agile way of working. Additionally, take this time to attend online webinars and seek out other training/briefing sessions to learn about new technologies and their security considerations.

Demonstrate the Value of Key Security Investments, Be Flexible on Others

Undoubtedly, many CISOs will be facing tough calls to deprioritize certain investments or to demonstrate with new urgency the need for security solutions. This is, of course, not a new challenge information security is faced with, but during a downturn in business, it becomes more amplified.  Demonstrating the value of security solutions through clear risk assessment profiles, business enablement or regulatory mandates will be critical.  


Ensure you have the right security metrics that can demonstrate the value of your investment strategy. Consider metrics such as “security spending as a percent of overall IT expenditure,” “security spending as a % of revenue,” or “security spending per employee.” These metrics will allow you to demonstrate trends and benchmarking to your board or management teams to help justify security investments.

Embrace Online, Collaborative Risk Assessments Frameworks

Workshops via videoconference and online sharing of materials will be common for most organizations now. However, sharing files and notes of online discussions is certainly challenging.

A more effective approach would be to conduct the security risk assessment fully online via a questionnaire approach. This would allow multiple parties/departments to participate in the risk assessment at their convenience, provide their views and evidence, as well as directly contribute to the associated remediation plans.  All tracked within the questionnaire assessment itself rather than gathering notes from videoconference meetings. 


Consider online security risk assessment platforms such as Kroll’s CyberClarity360© which is aligned to trusted standards such as the NIST Cyber Security Framework.  In addition to performing the risk assessment, it enables the attachment of evidence against each control, risk score and anonymous industry benchmarking of results, comprehensive dashboards and reporting, as well as options to share results with designated third parties.

In this new paradigm of remote working because of COVID-19, we must adapt to the challenges of telecommuting. That includes responding to increasing cyberattacks while ensuring your risk profile is continually assessed and actioned. Kroll is uniquely positioned to deliver proactive risk assessment services to help bolster cyber resilience and elite incident response services in the event of a compromise.

Cyber Risk

Incident response, digital forensics, breach notification, managed detection services, penetration testing, cyber assessments and advisory.

Cyber Risk Assessments

Kroll's cyber risk assessments deliver actionable recommendations to improve security, using industry best practices & the best technology available.

Data Protection Officer (DPO) Consultancy Services

Kroll's data privacy team provide DPO consultancy services to help you become and stay compliant with regulatory mandates.

Virtual CISO (vCISO) Advisory Services

Kroll’s Virtual CISO (vCISO) services help executives, security and technology teams safeguard information assets while supporting business operations with augmented cyber expertise to reduce business risk, signal commitment to data security and enhance overall security posture.