[EY Market Perspective]
Rising risk of cyber-attacks puts Asia-Pacific enterprises on maximum security alert
as COVID-19 sparks surge in working from home and online consumption
As the COVID-19 pandemic sweeps the world, cyber-attacks and the risk of critical data loss are on the rise as the world sees unprecedented levels of online activity. Citizens and businesses have rushed onto the internet with surging teleworking and the use of virtual collaborations tools, plus spiking demand for all things online, such as media and gaming. This has led to the rapid increase in the risk of cyber-attacks, exposing vulnerabilities to the confidentiality, integrity and availability of key information systems.
Additionally, with more people spending time online for consuming and accessing information and services, this is forcing C-suite leaders to pay more attention to cybersecurity to safeguard company data, employee and consumer data privacy. Chief marketing officers (CMOs) in particular are in the spotlight as they must be more alert to heightened consumer sensitivity around suspicious online marketing activities arising from the current extreme situation.
Kris Lovejoy, EY Global Advisory Cybersecurity Leader and Richard Watson, EY Asia-Pacific Cybersecurity Risk Advisory Leader reinforce that enterprises have to be cyber resilient to adapt to changing workspace needs and consumer behavior in the face of COVID-19, and in the post COVID-19 era. To learn more about their views, please see below and the attached one-pager.
If you have any questions for Kris or Richard, do feel free to contact Vikki Tang (T: 3756 8641 / E: Vikki.Tang@edelman.com) or Coco Ma (T: 2837 4794/ E: Coco.Ma@edelman.com).
Many businesses in Asia-Pacific have now moved to a fully work-from-home model, which has created challenges:
• Lack of hardware and devices for employees, students and teachers
o Companies that don’t usually work from home, or households that do not have electronic devices for all family members, will find it difficult to secure safe devices and training for secured electronic activities.
• Insufficient virtual private network (VPN) bandwidth for the number of people working from home
o There is a risk for employees to start using home devices and storage due to the insufficiency, which are not secured and put corporate data at risk.
• Unsecured work environment
o Asia-Pacific has a greater proportion of people living in apartments, often with parents or roommates. This work environment can also be a risk, allowing sensitive and confidential information to be overheard or overseen by non-employees both in public or private spaces.
• Increased cyber-attacks under fear and uncertainty
o Many cyber attackers are capitalizing / exploiting on the public’s fear of COVID-19, luring them to phishing emails, fraudulent news update and malicious sites.
Top five risks on remote working:
1. Failure of service delivery due to breakdowns in end-to-end processes and access to information and systems, including the extended service delivery ecosystem.
2. The shift from “bricks and mortar” to “virtual” ways of working may lead to an unsupervised and demotivated workforce, impacting productivity, as well as a breakdown in effective decision-making and delivery of staff support functions.
3. Network performance impacted due to the significant shift of the workforce working remotely, affecting the ability to execute processes and deliver customer outcomes.
4. Data privacy and security controls not appropriately in place, increasing risk of security breaches.
5. Insufficient and underutilized remote working devices and tools, limiting the ability of the workforce to perform critical day to day operations and deliver services.
To support businesses in alleviating cyber risks, EY has identified five steps to mitigate risks and defend against opportunistic cyber attackers, these include:
1. Centrally manage and promulgate robust teleworking solutions to empower and enable employees, customers, and third parties
2. Leverage role-based rather than location-based identity and access management solutions, analytics, and controls
3. Establish second-factor authentication for formerly in-person processes, such as manual phone calls, a system of shared secrets, or other authentication controls relevant to the formerly in-person process
4. Provide links to official resources for pandemic-related information to avoid the spread of disinformation within your organization
5. Establish formal and transparent channels for corporate messaging to highlight what the enterprise is doing to address this pandemic
EY has also adapted to the new ‘business as usual’ model:
To test out remote working and ensure cybersecurity is guaranteed at all levels, EY has:
• Conducted a 24-hour dry run test for EY’s VPN and network system with more than 8,000 remote workers
• Utilized Microsoft Office 365 products to reduce the burden in EY’s remote connect software, allowing staff to continue to perform their best without having to log on to the VPN, at the same time maintaining high cybersecurity and privacy standards within the Microsoft system
• Changed the idle period timeout on the VPN from eight hours to two hours
• Increased the license for EY’s remote connect software
Transformation in the role of chief marketing officers (CMOs)
With more people spending time online for consuming and accessing information and services, the chief marketing officer (CMO) of all enterprises will have to reassess their role as they shift from a campaign-focused to a more customer-focused style of working. A low-risk environment must be guaranteed as the market evolves and rely more on digitalization and data-driven strategies. In addition to maintaining close communication with their chief technology officers (CTOs) and chief information security officers (CISOs) to ensure market development does not disrupt critical services and information security, the new age CMO must understand:
• Importance of data privacy: From a cyber point of view, the CMO’s chief responsibility is to ensure their teams understand the value and privacy of the data they are handling. Often marketing teams have access to the “crown jewel” of the business – the customer relationship management (CRM) database – and have the ability to access personal information of customers. It is critical that that personal information remains in the corporate cloud and is accessed remotely via VPN, and that is it not downloaded to home computers to design, create and run campaigns.
• Unstable cloud operations: Separate, non-IT approved clouds should not be set-up – this only fragments customer data more, and potentially exposes it to an insecure environment, and can even breach regulation if the cloud is not in your home country.
• Third-party risks: CMOs should always think: with whom are you sharing your company’s most trusted data? No matter if it is contracted firms or temporary employees, make sure their cyber controls are as good as yours.
Kris Lovejoy, EY Global Advisory Cybersecurity Leader:
“COVID-19 is proof again that cybersecurity has to be maintained across all sectors at all times, and businesses must constantly review and ensure maximum levels of preparedness. If, the next global emergency comes again, we hope that all businesses can adapt and be ready for the next major challenge to come.”
Richard Watson, EY Asia-Pacific Cybersecurity Risk Advisory Leader:
“Remote working has led to an increasing risk of scams, ransomware, malware sites or multiple cyber threats. If some organizations are not set up well for remote working, there is a risk that people start to forward confidential data to their home computers or printers, which are used by all the family, and may not be up to date from a virus protection point of view.”
“COVID-19 is currently challenging organizations across the globe to adapt and reprioritize critical business functions. An organization’s ability to protect its remote workforce, valuable information assets and respond quickly to a cyber incident will be vital for navigating this period of uncertainty.”
“The rise of remote working and online consumption have triggered a new wave of cybersecurity risks, endorsing C-suite and senior leaders to form much closer relationships to improve overall business understanding of cybersecurity. As chief marketing officers (CMOs) connect marketing with customer experience by possessing sensitive personal data, they are creating more value than ever in meeting the mark of security by design to earn trust from customers.”
EY | Assurance | Tax | Transactions | Advisory
EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities. EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. Information about how EY collects and uses personal data and a description of the rights individuals have under data protection legislation are available via ey.com/privacy. For more information about our organization, please visit ey.com.
© 2020 EYGM Limited. All Rights Reserved.
EYG no. 001915-20Gbl
This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax or other professional advice. Please refer to your advisors for specific advice.