Point of View –
Brian Pinnock –
The World Health Organisation and governments around the world are grappling with the coronavirus (now named COVID-19) that has infected more than 170,000 people in 157 countries. Predictions are that it could cause in excess of $1 trillion of economic damage.
In 2017 the NotPetya virus became a global cyber-pandemic that spread around the world in a few short hours, paralysing organisations, crippling shipping ports and shutting down government agencies globally. It caused over $10Bn in damages.
One reason for the seismic disruptions caused by both medical and cyber pathogens is the interconnectedness of the global economy. Supply chains now span multiple continents. Air travel passenger volumes have doubled. Disruption in China is leading to disruption everywhere.
Similarly, digital supply chains span continents and cloud computing has become ubiquitous, leading to a digital interconnected web which is fragile and can be easily broken.
The coronavirus has brought into stark relief some elements of basic human nature that come into play in both a health crisis and a cybersecurity incident.
A deeper look shows striking similarities between the human responses to the coronavirus outbreak and cybersecurity incidents.
Reports suggest that the coronavirus originated from animals such as bats, pangolins or civets. Cross species transfer possibly occurred in a market in Wuhan. Researchers found that the tolerated risky behaviour of consuming exotic animal parts triggered a single introduction into humans, which was followed by human-to-human spread. Similarly, employees engaging in tolerated risky behaviour, such as visiting adult or dark web sites or downloading files from non-work-related portals, can let malware into the organisation that spreads from one user to another.
Too often, keeping silent exacerbates the situation and puts business communities at risk. China has received some backlash, with reports emerging that the Chinese government at first played down the risk of outbreak and later the extent of the problem. Transparency is a major contributor to effectively managing the potential fallout from a viral disease. Even today, we are unsure of the extent of the coronavirus outbreak.
Similarly, by the time senior management are made aware of a serious cyber incident, the infection has usually been incubating and spreading in an organisation for weeks or sometimes months. The organisation can become the source of further infection via their own email systems. Coverups mostly don’t work and hide the extent of the problem to the wider community which leads to misinformed complacency about risks.
Many organisations don’t share threat intelligence effectively or at all. Cybercriminals therefore employ the same attack method repeatedly against multiple organisations because it keeps working. We enable criminals by staying silent and ineffectually sharing the symptoms and preventative measures of the cyber disease.
Demand for face masks is surging. But face masks aren’t as effective as most people think. Unfortunately, people are drawn to visible controls rather than invisible ones. But medical authorities suggest that basic practices, like regular handwashing, are more effective at preventing the spread of the virus.
The equivalent in cybersecurity is focusing on basic controls first. Have effective and regular patch management practices, implement controls to detect and prevent the spread of malware, adopt regular employee awareness training to equip people with the appropriate knowledge to avoid risky behaviour. It is mostly invisible, but it is a critical layer in the defence against cybercrime.
Organisations who can’t or won’t patch and protect their systems or train their people are the equivalent of the those who won’t or can’t vaccinate their families. An expectation of herd immunity is often misplaced both when it comes to human health and for cybersecurity.
In the UK an auditor general report on NHS disruptions caused by the WannaCry virus, showed they all had unpatched or unsupported operating systems. In addition, other security controls would have prevented the rapid spread and subsequent deaths and fiscal costs. But they were incorrectly configured which allowed the virus to spread.
We can never prevent all infections and we can never anticipate every eventuality. Diseases will continue to jump the species barrier and zero-day malware will continue to appear. What we can do however is become more transparent, be more community focused and make ourselves more resilient. If not, we remain exposed to a “Disease-X” — either in the medical or cyber domains — with no known treatments or vaccines and at the risk of devastating economic and human losses. (The author is a Cybersecurity Specialist at Mimecast)