Another Mounting Fear: Cyberattacks

Remote work due to COVID-19 has strained organizations’ cybersecurity capabilities to new levels, a new study shows.

Eight in 10 corporate officers cited it as a high risk. Seven in 10 said they weren’t prepared. Welcome to a world where a global pandemic and cybersecurity struggle to coexist.

Since COVID-19 began, when the huge uptick in remote working started weighing down firms’ technology, chief technology officers have been growing increasingly worried about protecting their firms from everything from data breaches to attacks on third-party suppliers. Indeed, in a recent Wall Street Journal survey, nearly 80% of organizations cited ransomware as high risk, but less than 70% of them said they were prepared to deal with such an attack.

Jamey Cummings, coleader of Korn Ferry’s Global Cybersecurity practice, says the results underscore the strain that the COVID-19 pandemic and the shift to remote work is putting on cybersecurity capabilities. More remote workers means more access points into an organization’s internal network, which in turn means more opportunities for hackers to breach the system. Not surprisingly, cyberattacks across industries are up since March as hackers look to exploit the increased use of video conferencing and personal computers to gain access to confidential information.

“It doesn’t mean that organizations aren’t prepared, it just means that given the increasing frequency and sophistication of cyberattacks, they aren’t as prepared as they’d like to be,” says Cummings.

In fact, even as organizations look to curtail the financial damage wrought by the pandemic with layoffs, hiring freezes, and budget cuts, they are increasing investments in cybersecurity both in terms of technology and talent, says Aileen Alexander, who coleads Korn Ferry’s Global Cybersecurity practice with Cummings. “Organizations are still moving forward with cybersecurity hiring plans and increasing funding for education, awareness, and other cybersecurity training programs,” she says.

Cyberattack preparedness varies by industry. Manufacturing, retail, and government all lag in terms of having a cybersecurity program, offering training to employees, and protecting confidential data, according to the survey, while financial services and healthcare excel on those parameters. The more money an organization makes, the more prepared it is likely to be as well. Among companies with $1 billion or more in revenue, 81% have a cybersecurity program, whereas just 63% of companies with less than $50 million in revenue do, for instance. 

Mark Polansky, a senior client partner in Korn Ferry’s Information Technology Officers practice, says the level of preparedness also depends on where organizations are in their digital transformation. Those organizations that have fully transitioned to digital or are further along in their journeys are likely to be more prepared than their peers. Conversely, those organizations that are less digitally mature are less likely to provide the funding and talent support needed to shore up cybersecurity, taking what Polansky calls a “we’re fine until we’re not” approach to readiness.

Put another way, “organizations that were prepared to defend against cyberattacks before the pandemic are just as prepared now, while those that were unprepared before are even more unprepared now,” says Polansky.