Building Cyber-Resilience Across the Wider Economy Post-COVID

The need for extensive collaboration between all stakeholders to build resilient cybersecurity in the wider economy in the wake of COVID-19 was highlighted during a session at the recent Westminster eForum policy conference.

Four speakers representing different areas of the economy emphasized how digital technology is playing (and will continue to play) an increasingly vital role in the UK following the pandemic and subsequent social distancing restrictions.

An example of this is in the healthcare sector, which in the early stages of the crisis had to shift many of its regular services online to enable it to cope with surging coronavirus cases. Dr Saira Ghafur, lead for digital health, Institute of Global Health Innovation at Imperial College London, explained: “Over the past couple of months we’ve seen a dramatic acceleration of digital services across the health system just to keep access to all healthcare services, and especially in the last couple of months, we have seen all appointments digitized.”

She added: “This has been brilliant in terms of ensuring patients can still have access but, at the same time, it poses an incredible cyber-risk because all of these new technologies have been brought in at rapid speed and scale.”

There has also been extensive adoption of new digital technologies by small businesses during the pandemic, both to maintain interactions with customers and drive revenue as well as to facilitate remote working, according to Sonali Parekh, policy director at the Federation of Small Businesses. While again this has many positive facets, this increased digitalization does pose substantial risks to these businesses, who in many cases do not have adequate expertise or resources to properly protect themselves against the range of threats posed by cyber-criminals.

“Given that many of the trends COVID-19 has accelerated will remain a state or a part of the way in which smaller businesses operate and consumers engage with smaller businesses, tackling cybercrime and improving cyber-resilience is even more important for the wider smaller business community,” noted Parekh.

Alex Towers, director of policy and public affairs, BT, added that overall “COVID has accelerated the extent to which digital resilience is becoming the resilience of the entire economy.”

Addressing the Skills Gap

The scale of this challenge requires much more coordination, particularly between the public and private sectors, bringing together their respective skillsets and capabilities. Arguably the most important of these is tackling the well-publicised skills gap in the cybersecurity industry.

The UK government has recently made major efforts to encourage more people to enter this type of career. Positive examples include the creation of an online cyber-school earlier this year to allow teenagers to learn cybersecurity skills at home. One method that drew widespread criticism, however, was the infamous advert of a ballet dancer called “Fatima” with the caption “Fatima’s next job could be in cyber. (she just doesn’t know it yet)” for its suggestion that those working in performing arts should retrain for other careers in the wake of COVID-19.

While insensitive, there was perhaps a good underlying message behind that particular campaign: that people from a wide variety of backgrounds can retrain for a successful career in cybersecurity. “Underneath that advert, there is clearly a really good strong motivation and sensible point to make about the shortage of people in the sector, and even if all the UK’s 17,000 ballerinas, dancers and choreographers all switched to cyber, they would still fill less than an eighth of all of the UK cyber-jobs that are advertised in one single year,” commented Towers. “We still have a shortage and there’s still more to do to try and promote career flexibility and to challenge perceptions that cyber is in some way only for highly technical and IT people.”

This is something that large companies such as BT can also make a major contribution to, in the view of Towers. This includes developing its own apprenticeship and other training programs, as well as opening internal IT and cybersecurity roles to more diverse candidates. “We want to push on diversity, both neurodiversity and gender diversity,” he added.

Improved Education and Awareness

The need for high quality cyber-awareness training and education across organizations has also been significantly heightened by the increasing digitalization. In regard to the NHS, Ghafur spoke of the ways in which the rapid uptake of new technologies and systems has grown the risk of compromise, such as the sharing of passwords and smart cards between staff in order to deliver care to customers quicker. “Anyone with access to patient records is essentially a custodian of that data and they need to be very aware of the cyber-risks that exist,” she stated.

Similarly, there needs to be far greater awareness of basic cyber-hygiene practices in small businesses that have quickly adopted new digital systems and technologies, with Parekh noting that research from the Federation of Small Businesses indicates that “a strong proportion of smaller business owners themselves lack confidence in their basic digital skills and are also not always confident about the digital skills of their staff.”

While bodies like the National Cyber Security Centre (NCSC) have produced useful guidance in areas such as remote working practices, including an exercise to enable small businesses to test their cyber-resilience while staff work remotely, this is not currently sufficient. Parekh added: “There is further to go to increase awareness and sources of advice provided by bodies such as the NCSC.”

It is also important that large tech companies, such as Microsoft, support organizations that have had to quickly shift to operating remotely, often with limited technical expertise to do so. Simon Staffell, UK government affairs manager at Microsoft UK, commented: “Enterprise resilience is clearly going to be critical; this concept of extending the boundary beyond on-site is going to have a wide range of impacts and will make things like support to small businesses in particular very important in terms of their resilience.”

This is something Parekh concurred with: “We really want to see efforts that the government and policymakers make to support the adoption of digital technologies by boosting smaller businesses’ cyber-resilience. That could range from using digital vouchers to help smaller businesses tackle cybercrime to efforts between government, policymakers and large businesses to support smaller businesses to improve their digital skills,” she outlined.

Establishing Underlying Cyber-Resilience

More generally, building greater cyber-resilience across organizations, industries and society at large is vital to help the wider economy thrive in the ‘new normal.’ As well as in individual organizations, this includes looking at underlying digital infrastructures.

One crucial part of this is government and big businesses working together to increase investment in research and development (R&D) in the field of cybersecurity. For instance, Towers highlighted that “lots of work is being done on the notion of security immune systems and whether or not we can learn from the spread of viruses like COVID-19 and look more in-depth at how malware spreads across networks.”

The importance of data is clearly growing in the context of a digitalized world, and Towers stated that there should be much more co-ordination in how it is used to further enhance resilience throughout the economy. “At the moment there are all sorts of different sectors, bodies using different standards and proprietary technologies to develop their new Information of Things (IoT) services and applications and there’s just an obvious risk this won’t help resilience,” he explained. “We need to think across industry and government about how we make data infrastructure resilient, the standards we need to set with privacy and how public services are going to work together on open platforms.”

The shift to digital throughout the economy during COVID-19 looks certain to be sustained beyond the crisis. This means a much more coordinated approach to tackling the growing threat of cybercrime is needed, with the government and large companies working together to build more cyber-resilience across the underlying digital infrastructure, as well as helping those organizations with limited technical expertise to improve their own internal security capabilities. This will be crucial to economic recovery following the devastating impact of the virus.
