What the Coronavirus Outbreak can Teach us about Cybersecurity

In 2015 the World Health Organisation raised the risk of “Disease-X”. At the time it was unknown and they projected it had the potential to trigger a global pandemic, with no known treatments or vaccines, leading to huge loss of lives and massive economic disruption. In a slightly similar vein, Lloyd's of London annually model a cyber-attack pandemic, started by threat actors who hold the only known cure. The predicted consequences for economies and human lives of both predictions are devastating.


Today, both of these forecasts have real-world comparisons. In 2017 the NotPetya virus became a global cyber-pandemic that spread from the Ukraine around the world in a few short hours. NotPetya paralysed organisations, crippled shipping ports and shut down government agencies globally. It caused over $10Bn in damages. In the world of healthcare, the Coronavirus (now named Covid-19) has infected more than 170,000 people in 157 countries and could cause in excess of $1 trillion of economic damage. That’s more than 3 times that of SARS - a similar virus that broke out 17 years ago.


One reason for the seismic disruptions caused by both medical and cyber pathogens is the interconnectedness of the global economy. Supply chains now span multiple continents. Air travel passenger volumes have more than doubled. Disruption in China is leading to disruption everywhere. The same dynamic is true for cyber-pandemics because digital supply chains span continents and cloud computing has become ubiquitous, leading to a digital interconnected web which is fragile and can be easily broken.


The coronavirus has brought into stark relief some elements of basic human nature that come into play in both a health crisis and a cyber-security incident. There is often initial complacency along with a high tolerance for risky behavior in spite of warnings by experts. Only once visible danger strikes is there a frantic, even draconian response, usually focused on saving the image of the infected organisation rather than protecting their stakeholders and the wider community.  

A deeper look shows that the similarities between the human responses to the coronavirus outbreak and cybersecurity incidents are not just superficial but remain uncannily close in many respects.


Risky behavior exposes everyone to danger

Reports suggest that the coronavirus originated from animals such as bats, pangolins or civets. Cross-species transfer possibly occurred in a market in Wuhan. Researchers found that the tolerated risky behavior of consuming exotic animal parts triggered a single introduction into humans, which was followed by human-to-human spread. Similarly, employees engaging in risky behavior that is tolerated both inside and, more often, outside of work, such as visiting adult or dark web sites or downloading files from non-work-related portals, can let malware into the organisation that spreads from one user to another.


Transparency is critical in containing outbreaks

Too often, keeping silent exacerbates the situation and puts business communities at risk. China has received some initial backlash from global observers, with reports emerging that the Chinese government at first played down the risk of outbreak and later the extent of the problem. Transparency is a major contributor to effectively managing the potential fallout from a viral disease. Even today, we are unsure of the extent of the coronavirus outbreak in many countries such as Iran because of pride, paranoia and a tendency to secrecy. When published statistics are untrusted, our response becomes tentative while complacency and misinformation flourish.

Similarly, by the time senior management are made aware of a serious cyber incident, the infection has usually been incubating and spreading in an organisation for weeks or sometimes months. The organisation can even become the source of further infection via its own email or other communication systems. Cover-ups mostly don’t work, and they hide the extent of the problem from the wider cyber-security community, which leads to misinformed complacency about the risks we face.

Sharing information is crucial, but many organisations don’t share threat intelligence effectively or at all. This is a gift to cyber criminals who employ the same attack method repeatedly against multiple organisations because it keeps working. Instead of making cyber-criminals’ tasks harder we enable them by staying silent and ineffectually sharing the symptoms and preventative measures of the cyber disease.


The importance of basic (security) hygiene

Demand for face masks is surging in countries close to the epicenter of the coronavirus. But as we mostly now know, face masks aren't as effective as first thought. Unfortunately, people are drawn to visible controls rather than invisible ones. Medical authorities suggest that basic practices, like regular hand washing, are much more effective at preventing the spread of the virus.

The equivalent of hand washing in cyber-security is focusing on basic and largely invisible controls first: have effective and regular patch management practices, implement controls to detect and prevent the spread of malware, and adopt regular employee awareness training to equip people with the appropriate knowledge to avoid risky behavior. It is mostly invisible and not very sexy, but it is a critical layer in the defense against cyber-crime.


Herd Immunity and Misinformed Complacency

Organisations that can’t or won’t patch and protect their information technology systems, or train their people in cyber awareness, are the equivalent of those who won’t or can’t vaccinate their families. An expectation of herd immunity is often misplaced, both when it comes to human health and for cybersecurity.

In 2018, a UK auditor general report on NHS disruptions caused by the WannaCry virus showed that the NHS had both unpatched and unsupported operating systems. In addition, other security controls in the NHS would have prevented the rapid spread and subsequent deaths and fiscal costs, but they were incorrectly configured, which allowed the virus to spread. Devastatingly incorrect assumptions were made about the extent of their cyber immunity. These same kinds of assumptions are still pervasive in many organisations around the world.

Cyber-security and human infections share one last similarity: we can never prevent all infections and we can never anticipate every eventuality. Never-before-seen diseases will continue to jump the species barrier and zero-day malware will continue to appear. What we can do, however, is become more transparent, be more community focused and make ourselves more resilient. If not, we remain exposed to a “Disease-X” - either in the medical or cyber domains - with no known treatments or vaccines and at the risk of devastating economic and human losses.

Pieter Steyn

Luxaviation Group

Very interesting Brian Pinnock how does Mimecast share threat intelligence? You mention "Sharing information is crucial, but many organisations don’t share threat intelligence effectively or at all." We at use the Open Threat Exchange but obviously there is more that can be done. Any ideas?

Chad Bartlett

Integrity360 Africa

Thanks for taking the time to write this Brian Pinnock very interesting and so relevant at the moment! 

Richard Amarasingham

Help AG, an e& enterprise…

Great article Brian!

Andrew Williams

Mimecast

Interesting article
