What does COVID-19 mean for cybersecurity?
Security professionals have been battling with digital viruses and occasional digital pandemics – from Melissa to NotPetya – for decades. Have we learnt enough lessons from these episodes? Is it possible that a physical virus – although equally invisible – can give us a few pointers on how to tackle their digital cousins?
Summer has given us time to reflect and take stock of our learnings from COVID-19. The coronavirus is still with us. Yet, we continue to learn how to deal with it day in, day out. Here are a few learnings that may improve our response to an equally destructive digital pandemic in the future:
Keeping it clean – Nothing beats keeping your hands clean to avoid infection – likewise, nothing beats keeping your IT systems free of vulnerabilities and your employees clear of click-bait. Without basic security hygiene, complex security measures “up-the-stack” will simply not do.
COVID-19 has also taught us, the hard way, that isolation is still a good way to protect our most vulnerable groups. It is also key to avoiding exponential propagation of the infection jumping from cluster to cluster – or from one computer network to another.
As simple as it may sound, basic security hygiene goes a long way. Yet, it is still one of the most underrated concepts of cybersecurity.
No plan, no response – It would be fair to say that we have seen an underwhelming and uncoordinated response to the pandemic. It is as if we all had a rude awakening, never having planned for the rainy day despite all the dystopian stories foretold. The majority has failed to respond to the events with decisive action and a coordinated plan. In fact, it all came down to trial and error to strike a balance between lock-down and economic meltdown. Every day counted and every hour wasted has taken its toll.
When it comes to a digital pandemic, your business may not be as resilient as nation states, whose deeper pockets give them the ability to try several options on the fly. It will come down to one option, or two at best, that determines the survival of your company. Having thought of such scenarios and having planned for them will separate those who prevail from those who fail.
The crisis of accountability – The underbelly of crisis management is the lack of accountability. In a national crisis, governments do assume this role. Yet, in some places, we have still seen a power vacuum during COVID-19 as authorities did not assume their role swiftly. Confusion over roles and responsibilities often causes costly delays and misjudgements.
A clear gap in security crisis management is exactly that: the lack of a senior executive taking charge of the situation and acting decisively according to the drill. Worse yet, there is often a breakdown of communication between technical security staff (who speak “jargon”) and executives (who speak “business”). A crisis is not the best time to get lost in translation.
Moving away from “black swan” thinking – Regrettably, pandemics happen – so do other natural disasters and economic crises. Fighting one off or getting lucky with a near miss does not mean that it will not be repeated sooner or later. Treating these events as “black swan” events simply undermines the urgency to prepare for the next one and learn from the previous. In reality, lightning may strike the same place twice.
No better time to prepare for the next crisis – Every disaster – physical or digital – can serve as a prewarning of the next one. COVID-19 is no exception. We have seen a series of outbreaks within a short span of time from Ebola to SARS, H1N1 and even Zika to name a few – only for us to ignore the possibility of a more contagious virus strain. Why not treat this pandemic as an opportunity to prepare better for the next one?
Similarly, our industry has learnt a lot from the likes of NotPetya, but not enough. Once the storm has passed, many revert to business as usual. It requires a sustainable effort and unwavering commitment to be cyber resilient and prepared for the next outbreak. There is no silver bullet, especially if it is your only shot.
Living through a pandemic with isolation and lock-down is a rare occasion that gives one time to reflect. There are clear lessons to take away from the COVID-19 pandemic, and we should be smart and sensible about applying them to our ways of living and working. It is our only chance to make a lasting impact and not to repeat the same mistakes, expecting a different outcome each time.
Ask me about: cybersecurity, digital transformation, cyber threats, data security, identity theft
Serdar is the Danish and Nordic leader of Deloitte's Cyber Risk department. For more than 15 years, he has helped Danish, Nordic and global companies manage the risks associated with cybersecurity and transform their businesses so that they are equipped to withstand cyberattacks.