An adequate cyber risk management enables organizations to recognize and control a risky and an uncertain situation. An organization’s risk self-awareness empowers the organization to control its risk through activating a risk response and assuring the organization’s capability level. This includes assuring an organization’s resilience capability against events with a high uncertainty.
One major category within risk management scope is a natural crisis. This category might have a low probability, but the risks associated with such a category could have a severity of critical risk.
A natural crisis has various impacts on businesses in various industries. In addition, we could witness this impact through COVID-19 pandemic period. These effects mandate major obligations and amendments to attain the business objectives.
Cybersecurity practitioners observed an increase in the percentage of conducting urgent risk assessments by business owners during the pandemic period. Business owners aimed to accommodate required technologies for the urgent alteration of the new business-operating model to keep up with regulations and safety requirements.
A major example is the upsurge in percentage of video communication technologies’ utility in order to maintain social distance with the necessity of conducting meetings, conferences, and dynamic discussions. Also, cybersecurity practitioners observed an expansion in the usage of Mobile Device Management (MDM) to facilitate the business operating requirements.
From a cybersecurity practitioner view, COVID-19 was an event with unknown probability and unknown impact. This event usually does not have an assigned mitigation plan. We do not know the unknown, but cybersecurity practitioner shall anticipate risks through common elements. An unknown event shall be controlled to a certain extend through a contingency plan.
During the COVID-19 pandemic, positive and negative risks and risk responses were observed. Risk can be positive in a way that can be referred to as an opportunity. For example, an increase in remote services has been noticed.
Technology companies responded to the pandemic by exploiting the positive risk of enhancing remote services, enhancing services’ promotions, and altering resource allocation in favor of remote services. Negative risk exploitations have been observed through the raise of attempts in compromising remote services for various malicious business reasons.
The year 2020 had new vulnerabilities and threats such as Zerologon and Emotet. A threat actor could use Zerologon to inject ransomware into a network for blackmailing purposes. Also, a threat actor can exploit the lack of email services security controls for acquiring Command and Control (C2) through Emotet Trojan.
An adequate program of cyber risk management shall cover a mechanism to indicate the magnitude of risk due to uncertainty. COVID-19 have introduced many lessons in cyber risk management and raised the focus on the uncertainty domain.
Nawwaf Alabdulhadi is an IT security expert, where Nawwaf’s experience in IT field involved more than 7 years in executing IT security projects, providing consultation, and assessment in various countries, roles, and companies. Nawwaf has Computer Science Bachelor degree from Northumbria University, UK, Master Degree in Information Security Policy and Management from Carnegie Mellon University, US, and leading industry certificates such as CISSP from ISC2 and CPT from IACRB. Nawwaf currently works as a senior IT Security specialist in a leading enterprise (Saudi Aramco).