In the spotlight: Cybersecurity

COVID-19 throws the spotlight on data

Urs Küderli
Partner and Cybersecurity Leader, PwC Switzerland

COVID-19 has put cyber risks among the main strategic risks. This is due to accelerated digitalisation, a further rise in cyber crime and increasingly stringent regulations. As digitalisation increases, data, its protection and security will become a major focus of businesses and thus of cyber security. Companies would do well to continue updating their security organisation and to have technology experts focus on their business transformation.

Cyber security is currently one of the most urgent priorities for senior management (see Swiss Edition «24th Annual CEO Survey», PwC, 2021). Never before has the media reported as often on cyber attacks and their financial consequences as in 2020 – the year COVID first appeared. There are various reasons behind the explosive nature of this topic, which was first intensified by the pandemic and then served to mutually reinforce it. The increased focus on cyber risk monitoring and the willingness to invest in cyber security are strongly underscored by PwC studies.

What has happened so far

COVID-19 forced companies to set up home-based offices and remote working and establish new forms of cooperation. As a result, they had to quickly update and equip their IT landscape. Many companies switched to cloud services – particularly for digitalisation. This means new and additional interfaces were added to existing platforms, applications and databases. These new options stoked an interest in collecting, aggregating and processing more data. Due to time considerations, all too often regular quality assurance and control processes were omitted.

As a result of this digital development, weak areas and security gaps have arisen – and these are a welcome opportunity for cyber criminals and threat actors. In recent months they have become increasingly professional. They take advantage not only of new technologies, but more frequently they also target the currently decentralised work situation, unfamiliar environments and the inattentiveness or weaknesses of employees.

Promising opportunities for change

This change, which was driven by COVID-19 and the rate of digitalisation, has created both new opportunities and new challenges for companies. For many companies, the pandemic has fundamentally changed how and with whom they do business. Online retailing is booming. Companies that up to now had a store front and delivered to distributors are now involved in consumer business; they have expanded to selling their products online and home delivery has become the norm. Most have adapted the way they deal with customers to the communication and consumption habits of these customers. Innovations are currently focused primarily on digital solutions. These newly acquired business areas and technologies are here to stay, and they provide robust additional revenue streams. Here, too, data security and protection come into play.

Trends with long-term impact

In order to prepare for the singularity of a post-COVID world, it's worth taking a look at three of the main trends to have emerged recently. They have permanently changed the business world and by extension the cyber environment and will determine the new framework.

a) The power of data

Currently a ruthless competition is under way to possess the right data and to exploit its added value. Cloud services, infrastructure/platform/software/function as a service, remote access to devices – these are just a few of the technological manifestations of this trend. Since the lockdown and repeated easing of COVID-19 restrictions – combined with the new technological opportunities – companies have been collecting customer data like never before. With the transition from B2B to B2C, companies are suddenly faced with an array of new communication channels and mobile devices over which data can be exchanged. The corresponding technologies such as machine learning, data analytics or deep learning reveal the added value of this big data – such as for customised advertising or offers that perfectly match the data profile of potential clients.

With the power of data comes both a greater risk of misuse as well as increased attractiveness for cyber criminals. New applications such as mobile apps are ripe pickings for hackers. It is not the apps themselves that are directly attacked, but rather the so-called middleware through which the apps access information from the company. The most recent incidents demonstrate how poorly this type of hastily cobbled together interface has been implemented, making it easy for criminals to steal data. For providers it is about the “intended functions”, while attackers are interested in “all the kinds of havoc they can wreak with it”. Faulty set-ups, security concepts or a lack of testing can lead to misuse: cyber criminals find exactly that spot where they can access data or misuse services.

b) Cultural upheaval

Developments that have come about as a result of the pandemic are changing the nature of the marketing mix and with it the entire company culture. Getting services from the cloud, buying standard applications instead of programming their own, presenting new platforms for new services – all this requires a cultural change of view. Doing this requires the relevant skills and technical expertise, which the company must either buy at an added expense or build in-house via an advanced training programme.

At the same time, the way a company deals with their customers is changing as well. These are no longer necessarily business customers, but often are private clients with emotional needs and their own style of communication. Not only does this expand the pool of potential buyers, it also alters expectations: applications need to be simple, fast, appealing and user-friendly. Security, however, is not typically regarded as an exciting topic. These days, purchasing decisions are made with a click and increasingly rarely at a point of sale (POS).

c) Regulation vs. transformation

Technical developments such as the internet, email, mobile phones, video conferencing and electronic payment methods were already creating new options for recording data before COVID thrust digitalisation to the forefront. For this reason lawmakers have tightened data protection legislation in recent years, such as Europe’s General Data Protection Regulation (GDPR) or Switzerland’s Data Protection Act (DPA).

Such regulatory requirements could conflict with the rapid transformation of business activities and the resulting, ever-changing digital methods and technologies. Particularly when using cloud services or leasing digital applications (e.g. outsourcing, software as a service) companies are required to comply with data protection laws at all levels involved in the value chain as they are responsible for their customer data.

Back to the future

Many (digital) changes brought about by COVID-19 are here to stay – particularly the promising ones. In order for things to go back to normal, companies have quite a bit more to do.

  • With regard to digital development, decision-makers must focus on the protection and security of their data. As a company, I need to ask: which data are being processed where, and how do I protect these data along my business processes? This requires a data-centric point of view regarding the interplay between business transformation, security and expertise in the cyber world. In other words, anyone interested in transforming their business must reduce their business activities, technology and understanding of data protection and security to the lowest common denominator. Bringing in external experts at the right time can pay off in such an instance.
  • Regulatory pressures to handle data carefully and in compliance with regulations are growing – and more than ever since the pandemic. The problems that occurred during the first lockdown are no longer permissible today as they are exploited by devious cyber criminals. This is why companies cannot get around aligning their business activities more closely with their security organisation and defining cyber security as a fundamental aspect of governance and compliance for management and departments such as legal, human resources or risk management. Compliance needs to be taken into consideration if data is to be protected.
  • Given the complexity and speed of the issue, it is not surprising that many companies are unsure of what they are permitted to do with data and what they need for this. In this instance, we recommend a well thought out upskilling programme in order to enable employees to use digital tools and deal with security issues. Companies should also redefine collaboration for management and for teams. This way they can exploit the potential of their collaboration tools and boost both motivation and the individual security contributions of everyone involved.
  • Cyber security is neither an IT issue nor an end in itself, rather it is part of a future-proof, company-wide vision. Sustainably structured cyber resilience will enable companies to protect themselves from cyber attacks. This resilience arises out of a cycle of risk identification, suitable protection measures, monitoring controls and the ability to react to an incident in order to come out of it stronger than before. The monitoring in particular is often a weak point for Swiss companies. The move towards hybrid service provision and data storage (at a company’s own data centre or in the cloud) makes monitoring more difficult, mainly in terms of correlation. In order to be successful those in charge must gear their security systems to cyber-specific loss events and involve both partners and providers.

Summary

COVID-19 has accelerated the spread of digital transformation. Cyber criminals are increasingly taking advantage of this transformation and they have become highly adept at it. Accordingly, legal provisions are growing ever more restrictive. Cyber risks are therefore among the key strategic risks today. For decision-makers and those in charge, cyber risks place the focus squarely on data and its protection and thus on cyber security. Consequently, companies should align their security organisation more closely with their business activities, train their employees accordingly and reinforce their cyber resilience for the long term.

