The finance executive wasn’t used to reviewing a corporate merger proposal from a coffee shop. But since worries about an outbreak of the coronavirus closed corporate headquarters—and contractors were doing repairs at his house—he took a laptop to a place with friendly baristas and good pastries. He didn’t think it was a problem when he got in line for another cup of coffee—leaving his computer on and unsecure, letting anyone see his firm’s very confidential M&A strategy or, worse, steal the computer itself.
Of course, it is a problem—and one of a myriad of scenarios to that corporate security leaders worldwide must know cope with, as they cope with keeping data safe in the new out of office surroundings the outbreak is creating. In all, companies and governments spend an estimated $124 billion on information security alone and more than $1 trillion on overall cybersecurity a year. Now, with a mounting number of staffers asked to work from home as a health safety concern, a new batch of hacking and data protection concerns grow.
“It reinforces that chief security officers have to think about far more than bits and bytes,” says Jamey Cummings, co leader of Korn Ferry’s Cybersecurity practice. “Everyone really needs plans ahead of time.”
To be sure, corporate security has been dealing with data concerns with people working outside the office for years, of course. But many workers who are used to an office network are now logging in from unfamiliar places on devices that may not be fully up to date with security features. Experts say leaders need to remind people to use technology security policies that are already likely on the books—but not many workers’ radar—such as use multi-factor identification, lock a computer screen after 2 minutes, and other features.
Corporate leaders may also need to increase vigilance at an organization’s security operations center, monitoring abnormal behavior since more employees are mobile, says Bill Mayville, a Korn Ferry consultant and retired US Army lieutenant general who served as deputy commander at US Cyber Command. “Be extra cautious with emails and spear-phishing attempts using coronavirus themes,” he says.
A less visible issue, however, involves how companies handle changes to their supply chains. As companies look for back-ups to shuttered factories or furloughed employees, there’s the temptation to overlook how secure an alternative supplier or vendor is. After all, companies want to actually want to continue operating.
But some of the most well-publicized security breaches haven’t originated at the companies themselves, but from one of its third-party suppliers. In these cases, security and supply chain executives can’t just say no, Cummings says, but they have to make their concerns known. “It’s come down to really good security leaders who can speak about the business risk and tradeoffs,” he says.
It’s an area that many companies might not necessarily be ready for, says Seth Steinberg, a Korn Ferry principal and member of the firm’s Supply Chain Center of Expertise. Korn Ferry recently conducted a survey asking supply chain executives how ready they were if their supply chain network underwent a major shift. Only 3% said they were fully prepared. “The balance had done absolutely nothing. There’s a lot of overconfident people from a security and supply chain perspective,” Steinberg says.
In any case, experts say the urgency over work/security is heating up, as headlines about the health impact (more than 90,000 cases across more than 70 countries) mount. “For many corporations, “This is the first week where it’s really hitting home,” says Cummings.