The COVID-19 crisis will become either a cybersecurity and privacy nightmare or an opportunity for organizations to adapt to a new level of the digital economy.
Those were the poles that emerged from an online town hall Tuesday hosted by Ryerson University’s Rogers Cybersecure Catalyst, a suburban campus that delivers cyber training and public education programs, acts as an accelerator for startups and supports cybersecurity R&D.
On the deeply negative side was Jordan Kendall, who has worked in several areas of cybersecurity and now has a consulting firm called Starman Cybersecurity in New York City. He says he worries enterprises will throw away cybersecurity and privacy policies to stay alive in a struggling economy.
Before the crisis, firms tried to balance risks like cybersecurity with business rewards. But with many employees working from home “all of a sudden everyone is doing who knows what over what endpoints over what networks, accessing what resources … and a lot of controls like identity and access management we put in to mitigate the risks have gone out the window.
“The risk-reward equation now is totally out of balance because the reward is ‘I get to stay in business.’ So I’m going to take on a lot of risks to allow that to happen … We’re going to do things now that a few months ago we might have said, ‘That’s a stupid decision. It’s not worth the risk.’ Today it’s different.”
He worries the supply chains of organizations will do the same, throwing carefully crafted risk management projections out the window. “Trying to solve for that if you’re a CISO is like trying to find a black cat in a dark room where there is no cat. It’s not just difficult, it’s impossible.”
But his biggest fear is the collapse of critical industries, in particular, the food manufacturing and distribution network. It’s “cracking” because workers are getting ill, he said, adding there are nation-states willing to launch cyber attacks on the sector to take advantage of that.
If that happens, Kendall said it’s “going to get ugly very quickly.”
At the other end of the spectrum was Carole Piosevan, co-founder of the Toronto legal consultancy INQ Data Law and one of a team of leaders of the federal consultation on digital and data transformation.
“We are seeing unprecedented experiment with going virtual” with more people working online, consulting with doctors online and getting products delivered by shopping online. Overnight the so-called fourth industrial revolution is here, she said. And, she added, organizations that either were prepared or are adapting on the fly will be the winners.
“This is an unprecedented opportunity in a lot of ways,” Piosevan said. “Those companies that are seizing the opportunity to do this right, to move to digital without having a major security breach or using personal information in a way that will harm the trust with their customers or clients, they will benefit tremendously down the line.” “… will solidify many processes they should have done before the crisis and will show they managed this crisis and are responsible for the way they handled the information.”
Almost all the organizations Piosevan speaks with are struggling with this, she admitted. Some have good cybersecurity and governance plans, but most don’t.
‘Time to accelerate transformation’
She got some support from Ira Goldstein, a cyber expert and a member of the Cybersecure Catalyst board. On the one hand, he worries that carefully crafted identity and access management policies may suffer during the crisis. But, he added, organizations that before the crisis had IT architectures that can quickly adapt to zero trust will find it easier and will survive.
For others, “this is a time to accelerate that digital transformation,” he said.
Need to balance privacy with use of tech
But Brenda McPhail, who leads the privacy, technology and surveillance project at the Canadian Civil Liberties Association, worried that the biggest problem facing the country is people, companies and governments willing to trade privacy rights for alleged health benefits.
The greatest risk to the country now is people’s wish to find an app for what ails us, she said. Citizens want “a silver bullet technology tool to somehow help us achieve more perfect social control for people who are or might be infected.”
We shouldn’t fear using technology to help solve this problem, she added, but we should hesitate to give up privacy rights “just in case it might be helpful for somebody to do something sometime during this crisis.”
There needs to be a discussion of how we can create tools to solve a clearly identified problem that will have a demonstrable public benefit, in a way that’s transparent about how technology is used and that includes safeguards, including assurances that only the minimal amount of personal data is collected and that it is held securely for a limited amount of time.
In other words, there is a balance.
All of the panellists agreed the crisis will permanently change the percentage of Canadians working remotely. Smart companies should ask how quickly they can adapt to the new reality, said Kendall, predicting that, like 9/11, more crises will come.
Finally, to meet immediate cyber risks, Piosevan urged organizations to get their security plans in order to meet the new remote workforce — including how to access and handle corporate data responsibly — then communicate it to staff.
This was the first in a series of online town halls dealing with cybersecurity and privacy issues to be hosted by Ryerson. The next will be April 14th.