Prepare for the unexpected

A few months back, if you were to describe the current situation to an average person, they would have looked at you like you’re mad. There’s no chance that anyone would believe that we would be forced to stay at home for weeks for fear of a virus infection, that we would wear medical masks everywhere we go, that travelling between countries would completely stop, and that all of this might have transpired because someone ate an undercooked bat.

Although it sounds like some strange dystopian science fiction novel, it became our reality. As with every other crisis that the world experiences, Covid-19 can teach us valuable lessons on risk management and cyber security.

So, without further ado, let us dive in.

Shit happens

One of the services that my company is providing is “Cyber crisis management.” That means that we are the people that you would call when you discover that your company got hacked (or is currently being hacked).

Dealing with cyber incidents is fascinating. And, amazingly enough, almost every incident is unique. Some involve “organized crime,” others include “competitors,” and there are those that were initiated by an internal employee.

Yet, there is one thing that happens in every incident that we have addressed so far. Even though the attacked company spent huge amounts of resources on cybersecurity, as well as time discussing cyber threats, when an incident occurs, management is always surprised.

Something in our human nature is seemingly biased towards the “It will never happen” attitude. Even though we discuss a threat, we usually never really believe that it will be realized.

Let’s take 9-11 for example.

Before 9-11, many companies that had offices in one of the twin towers, used to build a redundancy site (i.e. a backup site) on the other tower. The two buildings utilized separate infrastructures (electricity, water, etc.). That made companies believe that if something affected one building, their backup site would still work.

Consequently, when 9-11 happened, many companies lost their entire data storage. Without any means to restore it, many companies were forced to close shop.

So, for lesson number one, we need to fight our human nature which sometimes keeps us complacent and happy. We need to seriously discuss the improbable and ask the hard “What-if” questions. From time to time, the improbable happens, and we should be prepared.

The cybercrime world is an industry

Covid-19 reminded us again that cybercrime is an industry. Cybercriminals developed effective business models and cybercrime is their daily job. Criminals in cyberspace enjoy a wide range of marketplaces in which they can “rent” a botnet, buy a ransomware package in a black Friday deal, and trade identities and credit cards. With crime services, communities, and advanced tools, the cybercrime world flourishes.

It was interesting to see how fast criminals have adopted the new Covid-19 reality, and how quickly they have taken advantage of the opportunities it presented.

It started with various methods and techniques to trick unknowing victims into opening a fraudulent link or downloading an infected file with emails that sounds something like ‘’important information about Covid-19,’’ or ‘’you were infected, click here for additional information.’’

Under normal circumstances, most people would likely ignore these emails. However, when panic ensues, rationality decreases, and people are more prone to getting tricked.

Yet, a more alarming trend was the recent increase in attacks against hospitals. Criminals take advantage of the fact that hospitals have a central role in the fight against Covid-19, and that currently they are overloaded and don’t have much attention to deal with cyber incidents. Without a blink of an eye, they have started infecting hospitals with ransomware, not considering the fact that they’re putting other people’s lives at risk.

So, lesson number two should be that the cybercrime underworld has the ability and capacity to react quickly to changes, and to maximize their profits over others’ suffering.

Cyber kills

Cyber incidents can have physical consequences. And in some cases, yes, cyber can kill.

In 2010 the Stuxnet was discovered. It was a unique computer virus, which disrupted the uranium enrichment facilities in Iran by changing the way the centrifuges worked. Such a virus attack could have easily resulted in casualties.

In 2015, Ashley Madison, a website for people who want to cheat on their significant other, was hacked and its user information was stolen. A short time later, the attackers published the stolen information online, putting everyone’s dirty laundry on display. This has resulted in multiple suicides from people who couldn’t handle the shame they felt when they saw their names on this list.

Recent research by two universities in the United States has shown that the mortality rate in hospitals increases following a cyberattack. This is attributed to the fact that, after a cyber incident, hospitals tend to focus on improving their security infrastructure by incorporating new controls. Consequently, it would take more time to operate these new controls, which causes a delay in treatments. The research has stated that for every 10,000 people, 30 more die following an incident. And, that is how hospital cyberattacks indirectly influence the mortality rate.

Necessity is a strong driver for Innovation

For years now, many companies have wanted to enable their employees to work remotely. Letting your employees take their work computers home could boost productivity, employees’ satisfaction, and in some cases, reduce costs. Yet, such initiatives always reach a halt when cybersecurity issues start to float.

However, as soon as the Covid-19 crisis started, remote work became the norm, for the lack of a better option. And companies that might have viewed remote work as too dangerous, found secure ways to allow their employees to work from home.

This just proves how cybersecurity people can be innovation enablers.

Lesson number 4: Cybersecurity people move from being the “no it is too dangerous” team and become part of the driving force that moves digitalization and innovation forward.

Conclusion …

The moral of the story is: preparation is the key. We have to not only consider all the possible scenarios, but also act under the presumption that they WILL happen one day. Luckily, not everything is so gloomy and dark. Although the Covid-19 situation was definitely unexpected and disastrous, it has still given us a lot to think about. The world of cybersecurity is continuously evolving, and we have to keep up. If we learn from our mistakes and apply new knowledge moving forward, the next crisis will be only half as bad.