Cyber resilience and digital transformation in the time of COVID-19

In the technology world, a rare moment of shared experience occurred during the response to COVID-19. Across sectors and at all different scales, organisations faced the same challenge: how to continue to do business without physical access to premises or people. In an immense effort, a significant proportion of the New Zealand workforce was enabled to continue work from home with the aid of technology. As the constraints of lockdown recede, it’s natural to think about what we can learn from the experience. Which business practices should revert back to previous methods, and which ones ought to persist as part of a ‘new normal’?

Consider the benefits of cyber resilience

Organisations that already had an emphasis on cyber resilience prior to COVID-19 were able to respond quickly and minimise disruption as the situation developed. Cyber resilience is a broader approach to security than just prevention; it also gives organisations the ability to identify, respond to, and recover from threats.

At the outset of the COVID-19 crisis, cyber-resilient organisations could fall back on a range of existing response options. Although these plans may not have considered the specific threat scenario of a pandemic, a focus on resilience provided the technology, processes and culture required to adapt quickly. For example, organisations that had begun the process of implementing remote working solutions as a response to major earthquakes enjoyed greater continuity and productivity during COVID-19.

Most importantly, resilient organisations had considered how to maintain the security of services within a modern, mobile workforce. The availability of services enables continuity, and their security ensures the sustainability and robustness of the business activities they support.

Think of cyber security as a business enabler

Effective cyber security enables organisations to achieve their business objectives through improved resilience and risk management. During the COVID-19 lockdown this principle was accentuated for two reasons: firstly, by the simple business need for continued operations; and secondly, by a reliance on information technology as more staff worked from home.

Organisations that depend on IT must have strong cyber security. The ability to perform business functions without being affected by cyber threats cannot be assumed, and requires active consideration. For organisations that have not evaluated the risks and benefits of a rapid digital transformation, it’s timely to think about cyber security as a long-term business enabler.

Some organisations may be hesitant to undertake or sustain digital transformation due to perceived cyber risks. It is likely these risks can be managed to an appropriate level, strengthening the organisation and opening the way for more opportunities. For these organisations, it’s also an opportune moment to consider investment in cyber security.

Be proactive in building secure services

During the COVID-19 lockdown, many organisations conducted digital transformations at pace. The deadline imposed by the lockdown required the expedited delivery of technology projects. Although this was an extraordinary situation, the challenge of considering security during an accelerated delivery schedule is becoming a frequent problem. Iterative development is increasingly popular alongside waterfall projects that traditionally embed security steps, and urgency is not uncommon in either case.

In this context, it’s crucial for cyber security professionals to be directly involved in the process of commissioning new services. Their participation enables timely security advice on the architecture, design, implementation, and management of new services. This approach will almost always be more effective than retrofitting existing services with additional security measures. Information security programmes should be adaptive and focussed on continuous improvement rather than large-scale, periodic security investments.

Support digital transformation and the ‘new normal’

Providing an ability for staff to work remotely is one aspect of a digital transformation, where technology has been integrated into a business process. Organisations with well-developed remote working technology and culture gained a head start in their COVID-19 response and experienced greater inbuilt business continuity. Although COVID-19 has highlighted remote working in particular, the potential impact of digital transformation is far broader.

In the face of challenging economic headwinds, organisations will look for opportunities in the technology space, as well as ways to reduce costs. It can be difficult to resolve years of technology challenges in an established business; however, a balance must be found between addressing security issues with legacy technology and ensuring support is provided to enable new developments. Cyber resilience is a key component of successful digital transformation, helping to realise benefits through risk management. A culture of cyber resilience should be a ‘new normal’ for any organisation in the aftermath of COVID-19.


Click here for the NCSC's guidance on working remotely and cloud security 

Click here for the NCSC's compilation of COVID-19 cyber security resources