The year 2020 has been like no other, with Covid-19 having devastating, profound effects. When it comes to cybersecurity, the pandemic tested the resilience of organizations around the world. It is no longer enough to be secure. Now there is added pressure to be agile and flexible enough to adapt to new ways of working...
As the year draws to a close, it would be useful to reflect on the many lessons of 2020. We made some predictions last year about how we thought the year would shape up from a cyber risk perspective. Looking back our expectations were pretty accurate. So what did our experts anticipate and how did that compare to what actually happened?
Prediction 1 - Increased board interest in cybersecurity risk: We recommended that firms engage more closely with their boards around cybersecurity matters and communicate cyber risk information in financial, quantitative terms. Covid-19 amplified this recommendation as the need to justify expenditure rocketed in importance. This was because cyber risks increased during the pandemic while budgets were being slashed.
Prediction Trend 2 – Higher need for vendor risk management: Our recommendation was that organizations manage vendor risks consistently, thoroughly, and frequently. The recent attack on SolarWinds has been a major wake-up call for organizations on this topic. This state-sponsored attack was a prime example of why the management of vendor risks will continue to be essential.
Prediction 3 - Ever-growing data protection and privacy regulations: We noted that in 2020, various privacy regulations would come into force (including Canada’s PIPEDA and Brazil’s LGPD) and suggested many organizations would have to play catchup to make sure they were compliant. We also saw GDPR continue to bite offenders: Marriot International were fined £18.4million and British Airways were fined £20million. Though these fines were both reduced due to the impacts of Covid-19, they are the biggest penalties to date.
Prediction 4 - Greater adoption of flexible integrated risk management platforms: Due to the budget cuts already mentioned, it is more cost-effective to centralize cyber risk information. We encouraged organizations to consolidate risk management systems wherever possible. This has and will continue to provide various benefits to organizations, including efficiency, accuracy, and availability.
With everything mentioned above, it is clear that organizations need to take cyber risk management seriously and continue to find new ways to improve. This doesn’t mean buying every silver bullet, but rather taking more of a focus on existing risks and using that information to navigate the complex decisions that lie ahead. Only then can organizations build resilience and agility which will be vital to surviving the uncertain future.