Brian Pinnock, cyber resilience expert, Mimecast, discusses the uncanny similarities between the human responses to the coronavirus outbreak and cybersecurity incidents.
In 2015 the World Health Organisation raised the risk of “Disease-X”. At the time it was unknown and they projected it had the potential to trigger a global pandemic, with no known treatments or vaccines, leading to loss of lives and massive economic disruption. In a slightly similar vein, Lloyd’s of London annually model a cyber-attack pandemic, started by threat actors who hold the only known cure. The predicted consequences of both scenarios for economies and human lives are devastating.
Today, both of these forecasts have real-world comparisons. In 2017 the NotPetya virus became a global cyber-pandemic that spread from Ukraine around the world in a few short hours. NotPetya paralysed organisations, crippled shipping ports and shut down government agencies globally. It caused over $10 billion in damages. In the world of healthcare, the Coronavirus (now named Covid-19) has infected more than 170,000 people in 157 countries and could cause in excess of $1 trillion of economic damage. That’s more than 3 times that of SARS – a similar virus that broke out 17 years ago.
One reason for the seismic disruptions caused by both medical and cyber pathogens is the interconnectedness of the global economy. Supply chains now span multiple continents. Air travel passenger volumes have doubled. Disruption in China is leading to disruption everywhere. The same dynamic is true for cyber-pandemics because digital supply chains span continents and cloud computing has become ubiquitous, leading to a digital interconnected web which is fragile and can be easily broken.
The coronavirus has brought into stark relief some elements of basic human nature that come into play in both a health crisis and a cybersecurity incident. There is initial complacency along with a tolerance for risky behaviour. Only once visible danger strikes is there a frantic, even draconian response, usually focused on saving the image of the infected organisation rather than protecting their stakeholders and the wider community.
A deeper look shows that the similarities between the human responses to the coronavirus outbreak and cybersecurity incidents are not just superficial but remain uncannily close in many respects.
Risky behaviour exposes everyone to danger
Reports suggest that the coronavirus originated from animals such as bats, pangolins or civets. Cross-species transfer possibly occurred in a market in Wuhan. Researchers found that the tolerated risky behaviour of consuming exotic animal parts triggered a single introduction into humans, which was followed by human-to-human spread. Similarly, employees engaging in risky behaviour that is tolerated outside of work, such as visiting adult or dark web sites or downloading files from non-work-related portals, can let malware into the organisation that spreads from one user to another.
Transparency is critical in containing outbreaks
Too often, keeping silent exacerbates the situation and puts business communities at risk. China has received some backlash from global observers, with reports emerging that the Chinese government at first played down the risk of outbreak and later the extent of the problem. Transparency is a major contributor to effectively managing the potential fallout from a viral disease. Even today, we are unsure of the extent of the coronavirus outbreak.
Similarly, by the time senior management are made aware of a serious cyber incident, the infection has usually been incubating and spreading in an organisation for weeks or sometimes months. The organisation can become the source of further infection via their own email systems. Cover-ups mostly don’t work, and they hide the extent of the problem from the wider community, which leads to misinformed complacency about the risks we face.
Many organisations don’t share threat intelligence effectively or at all. This is a gift to cybercriminals, who employ the same attack method repeatedly against multiple organisations because it keeps working. Instead of making cybercriminals’ tasks harder, we enable them by staying silent and ineffectually sharing the symptoms and preventative measures of the cyber disease.
The importance of basic (security) hygiene
Demand for face masks is surging in countries close to the epicentre of the coronavirus. But face masks aren’t as effective as most people think. Unfortunately, people are drawn to visible controls rather than invisible ones. But medical authorities suggest that basic practices, like regular handwashing, are more effective at preventing the spread of the virus.
The equivalent of handwashing in cybersecurity is focusing on basic controls first: have effective and regular patch management practices, implement controls to detect and prevent the spread of malware, and adopt regular employee awareness training to equip people with the appropriate knowledge to avoid risky behaviour. It is mostly invisible and not very sexy, but it is a critical layer in the defence against cybercrime.
Herd immunity and misinformed complacency
Organisations who can’t or won’t patch and protect their systems or train their people are the equivalent of those who won’t or can’t vaccinate their families. An expectation of herd immunity is often misplaced both when it comes to human health and for cybersecurity.
In the UK, an auditor general report on NHS disruptions caused by the WannaCry virus showed they all had unpatched or unsupported operating systems. In addition, other security controls in the NHS would have prevented the rapid spread and subsequent deaths and fiscal costs, but they were incorrectly configured, which allowed the virus to spread.
Cybersecurity and human infections share one last similarity: we can never prevent all infections and we can never anticipate every eventuality. Diseases will continue to jump the species barrier and zero-day malware will continue to appear. What we can do, however, is become more transparent, be more community focused and make ourselves more resilient. If not, we remain exposed to a “Disease-X” – either in the medical or cyber domains – with no known treatments or vaccines and at the risk of devastating economic and human losses.