The COVID-19 cyber risk increase is temporary - 15 Dangerous Cybersecurity Myths - Day 10

Hello there. Did you know that small businesses are extremely vulnerable to attack from cybercriminals right now and that most don't survive for more than six months after a cyber incident?

John Byrne here, entrepreneur, insurance professional, online educator, and founder of Surviving Cyber. My goal is to help small business owners and managers like you get to grips with this complex subject of cyber risk.

15 Dangerous Cybersecurity Myths

You may be struggling now, to clearly see the big picture but once you separate the myth from the truth, you can begin to significantly reduce your risk over the next 15 days through this series, I'm going to walk you through "15 Dangerous Cybersecurity Myths You Probably Believe". I'll explain the thinking behind each myth, why it's dangerous to believe it, and the truth you need to hear so that your small business can stay safe.

Now, before we dive in, I want to give you access to my free cyber resilience workshop. It's a 60-minute video workshop that will show you how to create your first survival plan for your small business in 30 days. It's full of practical tips that you can implement. If you don't already have access, use the link to register now.

Myth Number 10 - The COVID-19 cyber risk increase is temporary.

Now, today, as we continue the series, we're going to explore myth number ten: "The COVID-19 cyber risk increase is temporary.”. I hope you're ready to dive in. I'm John Byrne, and this is "15 Dangerous Cybersecurity Myths You Probably Believe". Let's explore the thinking behind this myth that the COVID-19 cyber risk increases are temporary.

  • All the evidence indicates that cyber risks increased dramatically during the COVID 19 pandemic, which is still very much with us. The thinking goes as follows: “I've heard that cyber risks of my business grew dramatically when the pandemic struck but we've survived with minimal change to our company and with our people doing whatever was needed”. So, what this is really saying is: “We've managed to survive. Cyber risks may have increased dramatically, but we've changed our way of working in whatever way we needed to, and we can now continue as we are”. This is effectively arguing that the pandemic hasn't been a big deal from the point of view of business risk. I often hear this view from companies that didn't invest significantly in their COVID-19 defences but have luckily survived. 

  • A second view often expressed is a form of wishful thinking that says: “The sooner we get back to the way things used to be the better. My employees will all be back in the office soon and we can continue operating as we were before COVID-19 began. Then, I will have control over my employees’ work environment”. There’s a little wishful thinking going on here hoping that the world will go back the way it was before. The reality is that the world will not go back to exactly the way it was before. Many experts expect hybrid working to become part of our normal way of working going forward, as we face rolling pandemics or a crisis of a different type. It would be comforting for small businesses to think that business life will go back to the way it was before the pandemic but that's unlikely to be the case. There will be changes in business operating models that will most likely be permanent, and hybrid working is one of those changes.
  • Finally, we often hear the slightly desperate view that says: “I'm not well prepared, even now, for allowing working from home or remote working in a hybrid model. I don't have the expertise to plan the cybersecurity needs of my remote workforce, and I can't afford to implement it, even if I did have the expertise”. I can understand the thinking here.

 It's clear that planning this hybrid working environment is a challenge for small companies and many small companies have simply done what was needed in order to survive. That included widespread use of personal PCs for business purposes, use of unsecured home Wi-Fi networks, storing of corporate data on personal machines; in short a whole variety of weaknesses that have been tolerated during COVID-19, out of necessity.

The truth is that the world moved to this hybrid working environment overnight with little or no planning. Now that we are well into this new environment, it's difficult to accept that even small companies haven't considered how their business model has changed and what's needed to happen to make them more cyber secure.

A Dangerous Myth

Believing the myth that the COVID-19 cyber risk increase is temporary is dangerous because it seeks to ignore this dramatic increase in cyber risk that was brought on by COVID-19 and seeks to absolve the small business from responsibility for managing the increased risks from this changing operating model.  

Truth Number 10 - the COVID-19 cyber risk increase provides an opportunity for small companies to re-evaluate their cybersecurity needs.

So, let's look at the truth behind this myth which is that the COVID-19 cyber risk increase is not temporary, but it provides this opportunity for small companies to re-evaluate their cybersecurity needs. While most small companies won't want to invest a lot of expense and a lot of time, it's essential that they re-evaluate this new environment.

  • The first point to make is that the world has changed dramatically, especially in the last five years. Even before COVID-19 struck, digital change was well underway, and it is unstoppable. The pace of change has dramatically increased since the pandemic and as a result, the work environment has radically changed causing cyber risks to dramatically increase. Sadly, small businesses are more vulnerable now than they've ever been to cybercriminals and the enemy knows that that is the case. So, failing to adapt to this new environment is a serious error. 
  • An exercise should be carried out by small businesses now to assess the cyber risks that are posed by this hybrid working environment, and the resources that are needed to meet the business needs. That would include considerations such as:

          o   Do I get my employees to use a corporate laptop rather than their personal laptop? 

          o   Do I provide a VPN (a virtual private network) for access to the corporate system? 

          o   Do I allow employees to use cloud-based applications on their own devices? 

These basic questions need to be asked by small businesses in order to continue working remotely in a safe way, even on a part-time basis. It's true that a certain amount of external consulting might be helpful to small businesses as a one-off consultation to review the current environment.

Special efforts should be made with employee training for the hybrid work environment because people working from remote locations have no access to IT support, or to other colleagues who may be better informed about cybersecurity matters. All those social supports are taken away. Cybersecurity is not intuitive, and people need to be trained to learn how to deal with this change in the work environment.  

Special risks will arise when people do return to the office. If they've been using personal devices and personal networks, while working remotely, then when that data is brought back to the office, and perhaps those laptops are brought into the office, there's an obvious risk that an infected machine could infect the entire office infrastructure. So, thought needs to be given as to how this risk is going to be managed and it may require a special effort in small companies.

  • Finally, the final part of the truth really is that hybrid working is the new normal for most businesses. For at least some of the staff at least some of the time, and we're unlikely to go back to the way things were prior to COVID-19 appearing in all our lives.

Free Cyber Resilience Workshop

Thanks so much for reading today's post. I hope you found it helpful in exploding this myth and revealing the truth. Don't forget to register for the video workshop using the link I hope to see you tomorrow as we dive deeper into "15 Dangerous Cybersecurity Myths You Probably Believe" so we can uncover the truth of how to keep your small business safe.