Written By; Pat Larkin CEO Ward Solutions
In cyber security the healthcare analogy has been apt and used widely for over 25 years. In both sectors we use terms like “virus”, “isolation”, “outbreak”, “remediation”, “anti-virus”, “mitigation”, “payload”, “immunity”, “self-healing” for different circumstances with very similar characteristics in public health and Information Technology. Its timely and useful to look at the analogies between the outbreak, impact and mitigation of COVID19 and its application to Information Technology and Cyber and vice versa.
1.. A stitch in time saves 9
COVID19 has been described as a “game changer”, “a once in 100 years pandemic”. The emergence of such a pandemic has been a mathematical certainty predicted by a number of sage people in healthcare, technology, academia and public policy over the last 30 years or more, not least Bill Gates in his TED talk in 2015 https://www.youtube.com/watch?v=6Af6b_wyiwI. The only unknown was how or when it would occur and its exact nature. The impact of COVID19 to date has been huge not just in terms of the number of people who have been or are likely to be infected, or die, but also the downstream economic and societal impacts in responding to COVID19, containing its spread. This is where the most relevant analogy can be drawn. Like cyber security there has been lots of indicators and warnings – SARS, MARS, Ebola, WANNACRY, NotPetya. There is certain knowledge that these outbreaks will occur. There is knowledge from previous outbreaks and from current societal trends, globalisation, mass transport and air travel, population densities, digital transformation and dependency as to its potential impact. This wired article from 2018 is very informative as the near pandemic nature and impact of NotPetya. https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/ . Once an outbreak occurs there is limited time to contain it. If it is not contained it spreads to pandemic levels, with mass impact. Despite all of that society and its leaders and C Suites deem that the investment in upfront resources to detect and rapidly manage such an outbreak need not be put in place or allowed to deteriorate on their watch. This limits the time, capability and effectiveness to respond and prolongs the duration and impact of the event once it occurs. Also when resources are not in situ, it leads to aggravated competition for resources where lots of organisations or countries are effected.
Call to Action: It’s not “if” but “when” – so make the upfront investment now for a security risk assessment and security strategy to put in places the resources to identify, protect, detect, respond and recover. Put in place the management, maintenance and governance regimes to sustain this system such as ISO27001.
2. Competition for resources and investment
Healthcare, IT budgets and thus cyber security budgets has been stretched for as long as I can remember. Seasonal trolley crisis, expanding waiting lists for both lifesaving and non-acute procedures. Balancing the economics and ethics of providing expensive treatments for niche diseases or prolonging life vs quality of life and the greater good has always been fraught. Competing demand for investment in business, housing, healthcare, education, policing leads to underinvestment in all – particularly if tax cuts are on top of the political agenda. In technology CFO’s often view IT as a cost (and thus cyber security is the ultimate cost!) instead of viewing it as a critical service that enables digital transformation of business. Minimising the cost of cyber security vs the need to invest appropriately to secure the digital channel have waged for as long as I have worked in the technology sector. Similarly, to the macroeconomic tax cut argument if the approach to cyber security is met by the relentless push for profits through cost management then investment in these areas will usually not be what is required. This means that you will not be ready when the inevitable occurs. The cost of containment and cleanup is usually far greater than the costs if this original investment is made. In a lot of cases your organisation doesn’t survive longer than 6 months, post a serious cyber security incident.
Call to action: Be brave, make the case for IT and Cyber Security in a rational and data driven way. Use tools like an Organisational Risk Assessment or a Cyber Maturity Assessment to build your business case. Find the balance of resources to secure and sustain the systems that sustain your organisation. Digital is now a critical infrastructure and channel for virtually all nation states and organisations. Outsource cyber security skills and services allowing you to concentrate on core business.
3. Intelligence and data means effective response
As COVID19 spreads – the latest country to be infected has the advantage of learning via the World Health Organisation (WHO) or through multi-lateral collaboration and knowledge sharing the symptoms, the at risk populations, the containment and treatments that are more effective, the restoration to “normalisation” protocols that work etc. Through intelligence sharing, collaboration, coordination through organisations such as the WHO and correct use of this intelligence each subsequent regional outbreak should have less impact or duration than previous one. Prevention or treatment strategies can be developed in parallel again with collaboration and information sharing. Similarly, in Technology and Cyber the provision and correct us of high quality intelligence should help downstream organisation prevent or minimise the impact of a cyber-event on their organisation. Coordination and collaboration should similarly lead to the rapid development and normalisation of prevention or immunity strategies.
Call to action: Subscribe to, use and contribute to appropriate and actionable intelligence sources. Integrate intelligence with your automation. Agitate and contribute towards creation of the “WHO” of cyber. If you are a cyber-player or a cyber-dependent join an industry cluster organisation such as cyber Ireland www.cyberireland.ie.
4. Inventory, diagnostics and testing
If you can’t measure the problems then you don’t know if it needs fixing, what you need to do to fix it. In the absence of prevention (immunisation) We have seen the race for rapid and accurate testing in order to contain the COVID19 problem and apply the fix of isolation (and treatment if needed) to the infected, to stop further spread. With limited testing capacity, decisions need to be made as to who to test – symptomatic people only or symptomatic people plus those in recent contact with same and perhaps sampling of higher risk populations. If and when a prevention is available then presumably it will need to be rolled out on a prioritised basis to those at highest risk – healthcare workers, immuno-compromised individuals etc. Knowing who these groups are is important to direct limited prevention or treatment resources. The use data and analytics by the healthcare sector to measure and validate COVID19 status and impact of remediation is also notable. Similarly, in IT and Cyber prevention is not 100% effective. Therefore, excellent diagnostics and testing allows inventory of resources at risk, the rapid assessment of what or whom is vulnerable, the prioristised treatment or mitigation of at risk resources, the early detection of an outbreak, the ability to measure containment effectiveness and restoration to normal health and immunity.
Call to action: Invest in your inventory of critical information assets and risk classifications. Use Risk Assessments, Vulnerability Management, Penetration testing to determine at risk systems, for targeted application of prevention or mitigation to highly vulnerable, high impact resources first and on a prioritised based thereafter. Use diagnostics such as SIEM IPS/IDS to detect outbreaks as soon as possible. Back this up with effective incident response capabilities to reduce your exposure time, isolate outbreaks and minimise your time to recovery. Use automation and AI to help manage your workload
5. For all bugs, fixes, earlier is better and cheaper
In healthcare and IT – we all know the data – a patient or a network starts with a niggle pain, temperature or some indicator, which if it remains unaddressed end up with a far costlier impact and treatment plan with far poorer outcomes. We have seen COVID patients presenting late to A&E with acute symptoms needing prolonged ICU and ventilator care. We have seen patients with symptoms not being detected early enough and becoming super-spreaders as a result of prolonged contact and exposure to other parties. We have seen late diagnosis or interventions resulting in poorer outcomes in terms of recovery. Similarly, in technology, bugs or misconfigurations typically cost 6 times more to fix during deployment or implementation than had they been identified and fixed during the design phase. Too many times Ward’s penetration testing team have been asked to penetration test a system in the final weeks before go live or just on go live, having had no involvement in the system earlier in the lifecycle. Usually the issues found are of such magnitude and volume that it jepordises the customer’s go live timetable, resulting in a flurry of costly fix and a sub-optimal go live decision based on risk profile.
Call to action: Get security involved as part of your project team right at the earliest point possible in your SDLC. Change your philosophy from Systems Development Lifecycle (SDLC) to SSDLC (secure systems development lifecycle) or SecDevOps from DevOps. Perform secure design reviews and design stage, security test and validate throughout the lifecycle both pre and post production. Adopt frameworks and principle such as security by design, privacy by design and OWASP top 10 etc.
6. A risk based approach
Accepting that 100% prevention of COVID19 or Cyber Security incidents is not possible right now, and nobody has infinite budgets, we cannot shut down society, the economy or your digital infrastructure – then we need to move to a “risk based approach”. It’s a number game based on a systemic approach to risk assessment and risk mitigation planning getting to the point of “an acceptable level of risk”. This risk based approach is guiding our public health response to COVID and our policies. People might argue that our public health approach is too risk averse and does not balance the other factors such as economic risks, mental health risks, health risks from lack of normal healthcare activities in terms of management of other diseases and symptoms etc. and needs to be rebalanced. Similarly, this approach should guide our approach to Information and Cyber security. It is not possible to have 0 risk. It is possible to balance and weigh actual risk and determine acceptable risks to your organisation backed up by data, testing and good risk mitigation strategies addressing people, process and technologies risks and controls.
Call to action: Adopt a systemic risk based approach to cyber security continuously re-balanced by acceptable levels of risk with workable controls. Consider starting with something like an organisation risk assessment and the implementation of an appropriate ISMS such as ISO27001
7. Necessity is the mother of invention
The response to COVID19 in the healthcare sector has seen incredible innovation and transformation. A&E queues have disappeared overnight. A sector fraught with industrial relation tensions, public v private tensions and difficult working practices has united and delivered an incredible response of heroism and output to stem the COVID19 crisis. Pharmaceutical, life science companies, sector frontline workers, academic and research communities and volunteer’s groups have all coalesced to produce open source ventilators, tests and possible vaccines at a point where perhaps traditional approaches, cost structures, regulation and decision making shackles have been removed by a common goal to address the COVID crisis, save lives and find a cure/vaccine. In the technology sector COVID19 has been attributed with driving organisation to implement 2 years worth of laboring digital transformation in 2 months based on necessity and survival. Businesses are transforming their business models, routes to market and even product, service and manufacturing strategies. Gin companies and producing sanitising gels, blind companies are producing medical PPE, traditional event companies are producing virtual events.
In Cyber Security we like to think of our sector and ourselves as young, hip, innovators. However, for years, in net terms the cyber security sector has been losing the battle to cyber-crime and nation states in terms of volumes on incidents, breaches, data and revenue lost, security costs mounting etc. Has the sector perhaps become a slave to similar legacy strategies and ways of doing business, tied up in a compliance based, male, pale and stale world of risk aversion, risk management, conservatism and restrictive working and business practices. Imagine what is possible in the Cyber Security sector and what benefits to our customers would be if we adopted the medical sector approach to innovation to COVD19?
Call to action: The Cyber Security Sector needs to increase the levels of innovation and collaboration focused on protection of society and customers first rather than protection of intellectual property and legacy business models, driven by the same sort of urge that medical sector has experienced to try and win the battle against COVID19 and cybercrime for the good of society.
As always, Ward Solutions will continue to Assess, Protect, Detect & Respond to your cyber security needs. If you need to contact Ward Solution on any matter, then:
Contact your normal account manager for sales or sales@ward.ie
Contact our orders department at orders@ward.ie
Contact our service delivery office at servicedeliveryoffice@ward.ie
Contact our Security Operations centre at SOC@ward.ie
Contact our Network Operation centre at NOC@ward.ie
Contact our finance department at Finance@ward.ie