The Role of IT Governance in Addressing Pandemic-Related Cyberrisk

Author: Surendra Nidar, CISA, CIA
Date Published: 7 December 2020

The entire world is now grappling with the COVID-19 pandemic, which is turning out to be not only a massive health challenge, but also one of the largest economic challenges in recent history. With every passing day, thousands of positive cases are added to the already huge number of active cases. This one pandemic has taken scientists, researchers, politicians and policy makers the world over by surprise. Despite the many advances in medical and clinical research and biotechnology, even the world’s most advanced countries are struggling to find effective treatments and a vaccine to combat this deadly virus.

The pandemic has brought about several changes in lifestyles, work lives and the way people do business. The importance of IT governance in keeping the world’s information systems on track has once again come to the fore. Even the strongest critics of IT have come to recognize the importance of technology during these most challenging times.

Nearly everyone has embraced technology in some form or another:

  • Conducting webinars and virtual meetings (official or personal) on platforms such as Cisco Webex, Zoom or Google Meet
  • Placing shopping orders on Amazon
  • Engaging in a virtual medical consultation with a physician
  • Using a fitness app to remain active and healthy during lockdown
  • Making mobile payments for services

Now schools, offices, even entertainment and dance classes, have gone virtual. Technology is now impacting all walks of life, directly or indirectly, in a real sense.

The proliferation of technology use has exposed people to greater risk in all spheres of their lives, creating gold mines of opportunity for cybercriminals. India alone witnessed a 51% rise in the use of spyware and stalkerware between March 2020 and June 2020, compared to January and February 2020, according to one report.1


Beyond individuals and society as a whole, organizations, and financial institutions in particular, are now more exposed to cyberattacks. Some of the factors exacerbating the risk to IT systems and devices as the pandemic spreads include:

  • Poor security architecture—Some applications (apps) and software have been developed hurriedly to meet the urgent demand created by lockdowns (e.g., apps built by schools and universities for online examinations), so their security may not have been properly designed or tested. This leaves some of these apps vulnerable, and cybercriminals may try to exploit any weakness in these rapidly developed systems.
  • Dilution of security protocols—The pandemic has created a need to relax some security protocols, particularly physical access controls such as touch-based biometric access systems, to avoid direct contact and maintain social distancing. This makes organizations more vulnerable to physical access penetration and unimpeded intrusion into IT infrastructure (i.e., server rooms, data centers, desktop devices, printers). In addition, intruders can hide their identity behind face masks, which now rarely draw objection.
  • Scalability—The sudden surge in usage of apps and software also poses a scalability risk, because they were sized for the number of users and transactions expected in the normal course of business. The sharp increase in hits on these apps and websites places extra load on servers, which may make them prone to denial of service or crashing. For example, many more people have shifted to Internet and mobile banking; according to one report, consumer mobile app use increased 40% during lockdown.2
  • Load on networks—As more people shift to a digital lifestyle, the load on networks and bandwidth has suddenly increased, posing the risk of congestion or breakdown of networks. According to a World Economic Forum article, between the first and second quarters of 2020, health and fitness app downloads increased by 46% worldwide.3 The regional breakdown is shown in figure 1.

Figure 1—Health and Fitness App Downloads (Q1-Q2, 2020) by Region

  Region                                Download Growth
  India                                 157%
  Middle East and North Africa (MENA)    55%
  Europe                                 25%
  Asia-Pacific                           47%
  Rest of the world                      43%
  Americas                               21%

Source: Ang, C.; “Fitness Apps Grew by Nearly 50% During the First Half of 2020, Study Finds,” World Economic Forum, 15 September 2020, Visual Capitalist. Reprinted with permission.

  • Newer avenues—The pressing need to embrace technology has forced almost every industry, organization and individual to use technology in some form or another, opening new avenues for cybercriminals to exploit. For example, phishing emails themed on COVID-19 have started flooding inboxes with subject lines such as “Know the COVID Status of Your City/Country,” “Access Authorized COVID Labs/Hospitals in Your City” or “Claim Your COVID Subsidy by Clicking a Link.” Fraudsters are also placing calls informing individuals that a government COVID subsidy has been credited to their bank account, which they can access if they share their automated teller machine (ATM) card details. Furthermore, some software developers who have lost their jobs may turn to the unethical business of hacking for lack of employment.
  • Video call apps—The current crisis has required most individuals to work from home and to rely on technology as much as possible when performing their duties. Video calls now give the workplace a direct view into employees’ homes. If these video calling apps, or the accounts on them, are compromised, bad actors can peer into employees’ homes, directly infringing on their privacy.
  • Unemployment—The pandemic has led to a drastic reduction in economic activity at almost every level across economies, and with it a significant rise in job losses. It is not outside the realm of possibility that some of those left unemployed may explore ways to make money illegally, including new forms of fraud, cyberfraud in particular, given the more fertile environment the pandemic has created.
  • Lack of public awareness—From the user’s standpoint, the unprecedented increase in the use of IT systems and devices is itself a serious risk. Restrictions in the physical world have forced a largely uninformed public to adopt technologies many of them had never used before. Many are first-time users in the virtual world and have not been trained on the cyber- and other risk these devices and systems bring. Making the public aware of that risk in a short period of time is challenging, and in the meantime more people are easy targets for cyberattackers.
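The subsidy lure described under “Newer avenues” has a recognizable shape: a pandemic-themed subject line, pressure to act quickly, a request for card or credential details, and a link whose visible text does not match where it actually points. The following Python script, an added example that is not part of the article or its author’s work, scores raw e-mail messages for exactly that shape using only the standard library. The two sample messages, their sender domains and the bank domain are constructed for illustration; a real deployment would read messages from a mailbox export or a mail gateway.

```python
"""Score e-mail messages for the pandemic-themed lure pattern described above.

Added example, not part of the original article. Standard library only; the
sample messages and domains are constructed for illustration.
"""
import re
from email import message_from_bytes, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Topical words that the article reports appearing in lure subject lines.
LURE_WORDS = ("covid", "corona", "pandemic", "lockdown", "subsidy", "relief")
# Pressure to act now, and requests for card or credential details.
URGENCY_RE = re.compile(r"\b(click|claim now|within \d+ hours|immediately|verify)\b", re.I)
CREDENTIAL_RE = re.compile(r"\b(atm card|card number|cvv|pin|password|otp)\b", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased host part of a URL, or '' when there is none."""
    return (urlparse(url).hostname or "").lower()


def score_message(raw: bytes) -> dict:
    """Return a score, the reasons behind it and a verdict for one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = str(msg["subject"] or "")
    _, sender = parseaddr(str(msg["from"] or ""))
    sender_domain = sender.rpartition("@")[2].lower()
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""

    score, reasons = 0, []
    if any(word in subject.lower() for word in LURE_WORDS):
        score += 2
        reasons.append("pandemic-themed subject line")
    if URGENCY_RE.search(content):
        score += 1
        reasons.append("urges immediate action")
    if CREDENTIAL_RE.search(content):
        score += 2
        reasons.append("asks for card or credential details")

    # Link checks only make sense for HTML bodies, where text and target can differ.
    if body is not None and body.get_content_type() == "text/html":
        collector = LinkCollector()
        collector.feed(content)
        for href, visible in collector.links:
            target = host_of(href)
            if visible.startswith(("http://", "https://")) and host_of(visible) != target:
                score += 3
                reasons.append(f"link text shows {host_of(visible)} but points to {target}")
            elif target and sender_domain and not target.endswith(sender_domain):
                score += 1
                reasons.append(f"link host {target} differs from sender domain {sender_domain}")

    verdict = "suspicious" if score >= 5 else "review" if score >= 2 else "likely benign"
    return {"subject": subject, "score": score, "reasons": reasons, "verdict": verdict}


# Constructed sample: the subsidy lure the article describes, with a link whose
# visible text is the (hypothetical) bank's own address but whose target is a bare IP.
PHISH = b"""\
From: "COVID Relief Desk" <relief@covid-subsidy-claims.example>
To: employee@bank.example
Subject: Claim Your COVID Subsidy by Clicking a Link
Content-Type: text/html; charset="utf-8"

<html><body><p>A government COVID subsidy has been credited to your account.</p>
<p>Confirm your ATM card details within 24 hours:
<a href="http://198.51.100.23/verify">https://www.bank.example/subsidy</a></p>
</body></html>
"""

# Constructed sample: an ordinary internal notice for comparison.
BENIGN = b"""\
From: "HR Team" <hr@bank.example>
To: employee@bank.example
Subject: Updated work-from-home guidance
Content-Type: text/plain; charset="utf-8"

The revised WFH guidance is on the intranet: https://intranet.bank.example/wfh
"""

if __name__ == "__main__":
    for sample in (PHISH, BENIGN):
        result = score_message(sample)
        print(f"{result['verdict']:>14} ({result['score']}): {result['subject']}")
        for reason in result["reasons"]:
            print(f"    - {reason}")
```

The weights are deliberately simple and are an assumption of this example, not a published scoring scheme: the display-text/target mismatch carries the most weight because it is the hardest signal for a legitimate sender to trigger by accident, while topical words alone only raise a message to “review”, since genuine pandemic notices use the same vocabulary.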

IT Governance During the COVID-19 Pandemic

Although it will be difficult to contain the mounting risk arising from the enhanced use of technology by individuals and organizations, there is a need to respond to the governance challenges posed by the pandemic with the same vigor as health professionals and governments have responded to the health issues.

The appropriate adoption of IT governance becomes an inevitable solution to safeguard the interests of organizations, governments and individuals. Several governance and security frameworks are available in the IT space (e.g., COBIT®, ITIL, and ISO/IEC 27002 and ISO/IEC 38500 from the International Organization for Standardization [ISO] and the International Electrotechnical Commission [IEC]), and it is up to organizations and governments to select the ones appropriate for them and determine the extent to which they adopt them. These frameworks provide globally accepted standards, principles, practices and tools that create trust in and value from IT and can protect not only organizations, but also individuals.

COBIT® 2019, the latest version of COBIT, is one such framework that provides effective principles and appropriate tools for leveraging multiple frameworks and standards under a single integrated framework. COBIT is now widely accepted and practiced by IT organizations worldwide for the governance of enterprise IT.

Conclusion

During these times, organizations cannot afford any laxity. They must strengthen their existing IT governance frameworks or adopt new ones, if they have not already done so. These frameworks enable organizations to manage their IT risk effectively and ensure that their IT processes are well aligned with the overall business objectives.

Organizations should see this as an opportunity and a reason to convince their boards and senior management to align their IT governance framework with risk management and compliance frameworks, within the overall governance framework of the organization, before it is too late.

Author’s Note

The views expressed in this article are the author’s personal views and in no way represent the stance of his employer.

Endnotes

1 The Hindu Business Line, “Sharp Rise in Use of Online Spying and Stalking Apps During Lockdown,” 20 July 2020
2 PYMNTS.com, “Consumer Mobile App Use Increased 40 Pct During Lockdown,” 9 July 2020
3 Ang, C.; “Fitness Apps Grew by Nearly 50% During the First Half of 2020, Study Finds,” World Economic Forum, 15 September 2020

Surendra Nidar, CISA, CIA

Is a general manager and heads the central accounts section of the Reserve Bank of India at Nagpur (India). He has more than 25 years of banking experience, including roles at an Indian commercial bank and 5 years at a commercial bank in Bahrain, where he was responsible for conducting business and operations audits in the bank’s group audit function. He has also been a member of the Reserve Bank of India’s panel of IS auditors.