Managing Corporate Security in an Uncertain World COVID-19 | Deloitte UK
Travelex entered administration due to the combined multi-million pound damage caused by a ransomware attack and the financial consequences of the COVID pandemic. The impact of security risks has magnified, as seemingly rare and high impact events such as environmental disasters, terrorist attacks and pandemics merge, creating unprecedented challenges to businesses globally. Traditional security controls may no longer be enough and can result in a false sense of security. Corporate security teams need to evolve and change their ways of working to be able to detect, respond to and recover from high impact events more effectively.
Corporate security threats have focused traditionally on man-made, predictable, high-likelihood but low-impact events; the lines of defence were limited to physical asset protection within the building perimeter. Corporate security has rarely been seen as a business enabler, and more often it has been perceived as an expendable business cost with the corporate security risk management function first in line for budget cuts in time of organisational difficulty.
For corporate security professionals, the risk management approach is no longer exclusively about the man-made and controllable events. Although threats have not changed markedly over recent decades, the changing profile of organisations and technological advancements have created a range of new vulnerabilities. Traditional physical security vulnerabilities are now coupled with digital and environmental risks, resulting in often unpredictable and catastrophic events for an organisation.
COVID-19 has altered the attack surface of organisations by forcing the workforce away from the office and established security controls. In April 2020, almost 50% of the UK workforce were recorded as working from home in some aspect and 86% were doing so because of COVID-19. With such significant numbers working in potentially unprotected environments, organisations are open to new vulnerabilities in the areas of security culture, physical security and insider risk. These vulnerabilities, if left unmitigated, could have catastrophic consequences for the business.
Employees have been pushed away from their controlled office environments and the effective embrace of a security culture, into our unprepared and unprotected ‘work from home’ settings. Existing security risk management approaches must evolve to defend organisations in this new risk environment. One need look no further than the phishing attempts that have been recorded on an unprecedented scale since the start of the COVID-19 crisis as an example of this heightened risk. In 2020, Google detected 18 million malware and phishing attempts a day.
Organisations need to evolve their security culture to centre on remote working and make use of previously unused tools, such as security champions’ networks and the gamification of e-learning, to help employees stay fully aware and informed of cyber risks, mitigation measures and their own role in protecting the organisation’s assets.
During the current pandemic there have been reports of a rise in break-ins at commercial sites and even a case of asset theft from the European Parliament, as criminals took advantage of depleted guard forces and unoccupied sites. By turning to technology such as intelligence-led machine learning supported by facial recognition, corporate security teams can cover wider parameters with less of a physical presence on-site and without compromising the levels of coverage.
The pandemic has resulted in individuals facing unique economic and health challenges, increasing the potential for insider threats. Job security has decreased and redundancies have soared, potentially leading to a rise in financial crimes committed by employees who turn to illicit activities to cope with financial pressures. To prevent data theft or exploitation of financial procedures, organisations must update their business and information security controls. Examples of measures that should be considered include detailed network analysis and calibrated behaviour detection software.
Contagion is the new scenario that can inflict damage in both our physical and cyber world. As shown by the case of Travelex, the interconnectedness of the modern organisation means a breach in one area could cripple an entire organisation.
How will organisations survive? Corporate security teams must enhance their ability as a predictor of risk and influence organisational strategy accordingly, utilising technology to help mitigation planning and scenario modelling. How is your Corporate Security team going to become the business-leading function your C-suite needs you to be? Contact us if you would like to discuss more.
Jagdip is part of the UK Cyber Risk Services practice, with experience in corporate security. He has worked across industries including Financial Services, Insurance, Critical National Infrastructure (CNI) and the Public Sector, supporting clients with large scale rapid risk reduction and transformation programmes. Jagdip’s academic background includes a Masters in Diplomacy and an undergraduate degree in International Politics, with work experience ranging across politics and journalism.
Agnieszka leads our Corporate Security Team within Risk Advisory. She has over 10 years of experience delivering projects in security risk management, helping clients evaluate the maturity of their security functions, design and implement security strategies, develop security risk management frameworks and enhance organisations’ overall security culture. Agnieszka has led and delivered several corporate security projects for organisations across a range of industries, including Financial Services, Technology and Media, Retail, Critical National Infrastructure (CNI) and the Public Sector. She helps companies prepare for and respond to known and unforeseen disruptive risk events.