How to Combat the Cyber Pandemic
The Covid-19 pandemic has driven countless organisations to pivot towards digitalisation to ensure business continuity. Rapid digitalisation creates cybersecurity risks and widens the attack surface, especially if organisations do not have the right measures in place to mitigate those risks.
Many experts claim the world is in the midst of a “cyber pandemic.” With many people working remotely, ransomware attacks have risen dramatically and will continue to accelerate in 2021. Below are some of the statistics that clearly show the impact of the pandemic on the business landscape:
- In the United States alone, cyber attacks have increased by as much as 300%
- Over 60% of ransomware attacks affect industries with critical infrastructure including utilities, manufacturing, and healthcare
- In Singapore, online scams, ransomware incidents, and Covid-19-related phishing incidents have dominated the 2020 cyber landscape
- In 2020, there was a staggering 154% growth in ransomware incidents in Singapore
- US utilities have been attacked at least 300 times weekly (with an increase of 50% every two months)
Cyber attacks on essential infrastructure services are observed to be on the rise (e.g., the public health service attack in Ireland and the Colonial Pipeline hack in the United States). Attackers are exploiting Internet of Things (IoT) vulnerabilities to launch cyber attacks on critical infrastructure.
It is recommended that the private and public sectors establish greater consensus on IoT security standards and build trust in security across critical infrastructure.
Ways to Combat the Cyber Pandemic
To combat data breaches and other sophisticated cybersecurity threats, below are some measures to keep in mind:
Governance, Risk Management, and Compliance (GRC)
In essence, GRC is a business strategy designed to enable organisations to achieve regulatory compliance. The objective is achieved through effective governance and risk management.
Currently, GRC certification courses are offered to help participants develop a strategic GRC plan and implement efficient, effective, and agile GRC processes. Among other things, such courses also cover the role of technology in GRC today.
A GRC certification is considered an ideal credential for compliance professionals, GRC professionals, legal professionals, board members and executives, internal auditors, risk management professionals and IT professionals.
Collection, Usage, Disclosure and Storage (CUDS)
Re-evaluating risk areas periodically is also essential for organisations, to ensure that organisation-wide risks are properly documented and reported to management at regular intervals. In today’s digital environment, where companies handle such large amounts of personal data, it is important that companies re-examine how they collect, use, disclose, and store personal data.
From the perspective of information security, controls need to be in place to ensure there is no unauthorised data access within the organisation. Some examples of controls include:
- Frequently updated passwords
- Two-factor authentication
- Robust internal network and IT infrastructure
- Using remote monitoring tools to ensure all company devices are patched and updated
- Constant educational updates, training and briefings
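The controls listed above are only useful if someone regularly checks that they are actually in force. The following Python script is an added example, not code from the original article or from any product it mentions: it shows the kind of check a remote monitoring or asset-inventory tool would run over a device and account inventory, flagging records that fail the password-rotation, two-factor authentication and patch-currency controls. The inventory records, the field names, and the policy thresholds (90 days for passwords, 30 days for patches) are all constructed assumptions for illustration.

```python
"""Added example (not from the original article): a minimal control-compliance
check over a constructed device/account inventory. It flags gaps against the
controls discussed above: stale passwords, missing two-factor authentication,
and devices that have not been patched recently."""
from datetime import date

# Policy thresholds: assumptions for this example, not values from the article.
MAX_PASSWORD_AGE_DAYS = 90
MAX_PATCH_AGE_DAYS = 30
TODAY = date(2021, 6, 1)  # fixed "today" so the example is reproducible

# Constructed sample inventory: one record per device/user pair.
INVENTORY = [
    {"device": "LT-001", "user": "alice", "password_changed": date(2021, 5, 20),
     "mfa_enabled": True, "last_patched": date(2021, 5, 28)},
    {"device": "LT-002", "user": "bob", "password_changed": date(2020, 11, 3),
     "mfa_enabled": True, "last_patched": date(2021, 5, 30)},
    {"device": "LT-003", "user": "carol", "password_changed": date(2021, 4, 1),
     "mfa_enabled": False, "last_patched": date(2021, 2, 14)},
]


def check_record(rec, today=TODAY):
    """Return a list of control findings for one inventory record (empty if compliant)."""
    findings = []
    pw_age = (today - rec["password_changed"]).days
    if pw_age > MAX_PASSWORD_AGE_DAYS:
        findings.append(f"password not rotated for {pw_age} days")
    if not rec["mfa_enabled"]:
        findings.append("two-factor authentication disabled")
    patch_age = (today - rec["last_patched"]).days
    if patch_age > MAX_PATCH_AGE_DAYS:
        findings.append(f"last patched {patch_age} days ago")
    return findings


def audit(inventory=INVENTORY, today=TODAY):
    """Run check_record over every record; return {device: findings} for
    non-compliant devices only, so the report is empty when all controls hold."""
    report = {}
    for rec in inventory:
        findings = check_record(rec, today)
        if findings:
            report[rec["device"]] = findings
    return report


if __name__ == "__main__":
    for device, findings in audit().items():
        print(device, "->", "; ".join(findings))
```

In practice the inventory would come from an endpoint management or identity system rather than a hard-coded list, and the report would feed the periodic risk review described in this section; the value of the script is that each control becomes a concrete, repeatable check rather than a line in a policy document.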
Innovative Data-Protection-As-A-Service (DPaaS)
One tool that allows DPOs (data protection officers) to identify risks in organisations (from project or process risks to inventory and compliance risks) is the DPOinBOX software.
The software also includes modules designed to guide the data protection officer through managing the organisation’s data protection management programme.
DPOinBOX helps organisations by:
- Assessing and collating various risks into a report after identification
- Ensuring there are data protection controls in place that are designed to mitigate various security risks
- Sustaining the various initiatives through monitoring, auditing and communication
- Operationalising a response plan in the event of data breach requests and incidents