The last two years have thrust many organizations into a series of concurrent and overlapping crises and escalating risk. The direct effects of workplace shutdowns are still being felt with supply chain disruptions, shortages, and permanent closures of vendors that have gone out of business. Cyberattacks of enormous scale and sophistication shut down gas pipelines and even breached departments of the U.S. federal government.
For any organization that hadn’t considered the evolution of digital risk due to workplace disruption as an important part of its risk profile, the pandemic was a wake-up call. The speed with which digital risks expanded as organizations went remote was unprecedented. Reports of a new respiratory illness were barely newsworthy in early January of 2020.
Some organizations had already begun voluntary suspension of in-person operations before official lockdown mandates were declared. Organizations that had relevant continuity plans implemented them; others scrambled to put together ad hoc fixes for unprecedented challenges.
The transition to fully remote work brought with it new types of risk. Sensitive information was being routinely accessed from home networks, and the chances of a data breach or other IT threats went up. To see how the most resilient organizations not only navigated this change, but thrived during this disruption, read our whitepaper, “The State of Integrated Risk Management”.
The Pandemic Accelerated Existing Trends in Digital Initiatives and Risk
Even before the pandemic, we found that a full 90% of respondents in our Digital Risk Survey felt that overall, their organization’s risk profile had expanded in the two years preceding 2019. Almost half of the respondents expected their risk profiles to expand significantly in the next two years (1). Our whitepaper, “The State of Integrated Risk Management,” details how the pandemic reinforced trends of already expanding risk profiles.
For organizations that had already made the transition to a distributed model prior to the workplace shutdowns required to stop the spread of COVID-19, there were fewer novel challenges. For nearly everyone else, the last two years expanded the risk profile immensely. Only 2% of the organizations we’ve analyzed claimed that their digital risks had not been impacted by the pandemic (2).
Many organizations were faced with hard choices during the COVID-19 shutdowns. Workplaces could either become partially remote, fully remote or suspend operations entirely. Our findings revealed that in the previous two years, less than half of respondents’ organizations had begun to enable a “work anywhere” or dynamic workforce. More than three out of four respondents felt that in the next two years their organizations were going to accelerate their efforts to allow personnel to “work anywhere”.
Rapid Acceleration Introduces Novel Digital Risk
Organizations were forced to accelerate digital initiatives under the threat of a global pandemic. Almost one in five respondents in the RSA Digital Risk Survey felt that their organization was mostly reactive to digital threats.
Digital initiatives bring with them the expansion of what is known as the “attack surface” of an organization. Moving data to the cloud requires storing sensitive information with third parties, which may introduce or increase the risk of a data breach. When moved to the cloud, data that may previously have been “air-gapped,” or stored on machines kept off the internet to prevent a cyberattack, is now open to increasingly sophisticated hacking.
The challenge and cost of provisioning and securing devices as well as installing and updating software has led many organizations to move more and more systems to the cloud. As organizations onboard and secure more and more remote devices and users, cloud infrastructure and bandwidth have had to increase as well. Software as a service often requires little more than a web browser to offer state-of-the-art digital tools. This also introduces risk: every username and password created to access a service is another opportunity for a cyberattack.
The risks associated with moving toward a dynamic or “work anywhere” workforce were already being considered by organizations when we conducted our 2019 survey. In that survey, we found that these risks were ranked as the second-highest source of digital risk.
How Integrated Risk Management Helps Digital Transformation
If an organization adds a new method, process, or platform for every source of risk, it can be difficult if not impossible to quickly assess how a risk profile is changing. Risk management should work with the goals of an organization. We recommend organizations merge essential capabilities across disaster recovery, data backup and recovery, business continuity, crisis management, and security incident response strategies and programs.
Organizations accelerate their digital initiatives to become more efficient, increase operational resilience, and be more effective overall at achieving their mission. If new risks aren’t proactively planned for, organizations could end up opening themselves to other threats that overwhelm the expected benefits of the digital transformation.
Effective risk management is more than avoiding major failures and business disruptions. Creating a culture of operational resilience through integrated risk management can protect your organization and enhance business outcomes. When integrated risk management is a part of the culture of an organization, the digital transformation is viewed as another component that, like all tools and processes, carries risk.
The pandemic expanded and accelerated existing trends, but did so at a pace that caught some organizations by surprise. Based on an amalgamation of inputs from analyzing our customer implementations and our 20+ years of industry leadership, we’ve outlined how top organizations have successfully navigated the changing risk landscape in our whitepaper, “The State of Integrated Risk Management”. Download our whitepaper now to get a better sense of whether your organization is playing catch up, middle of the road, or ahead of the curve with operational resilience and integrated risk management.
(1) RSA Digital Risk Report (2019)
(2) RSA Digital Risk Report Third Edition