Cybersecurity professionals are always interested in understanding how evolving events shape the threat landscape. Events such as WannaCry and NotPetya may have temporarily crippled technology environments that were running with third-rate security*, but the repercussions from the coronavirus will hit every organization, no matter how resilient they thought they were.
No single event to date has changed the tech threat landscape more than the consequences and impacts developing around the Coronavirus (aka SARS-CoV-2 and the disease CoViD-19).
- Impending shortages of hardware
- Further shortages of security and technical skills
- Budget cuts
- Supply chain failures
- Potential increases in the numbers of disaffected former staff (rogue outsiders?)
- Manipulation of news events for use in scams
Then there are the business consequences, such as the sudden changes in consumer patterns and steep loss of income.
The coronavirus is unmistakably a black swan event. It falls outside of the outliers. It creates a situation that many security professionals are familiar with: The Medusa Effect.
What is the Medusa Effect?
If you have ever presented the true magnitude of the cyber threats and security vulnerabilities to a committee of senior executives, you will know exactly what the Medusa Effect is. It is that moment when uncomfortable and uncontrollable levels of risk (with supporting evidence) are presented to any group of leaders.
As the group of people are catapulted far outside of their comfort zones, they will not embrace the problem. Instead, just like the threat from the mythical Medusa, they will do anything to look away from the danger and seek ways to exit the situation or push the bearer of the threat away.
The Medusa Effect can be summarized as: When you have too much risk, just try and ignore as much of it as possible and hope it does not materialize.
Businesses are rapidly having to create continuity plans that cover “what-if” scenarios that were unthinkable just a month ago.
What if normal trading will not resume for a year or so?
Security departments are facing a similar dilemma. Just at the point when threats increase because of potential unexpected layoffs and supplier failures, most of us will also face security budget cuts and a wave of fresh scams that leverage the virus.
Even the WHO has had to set up a page to warn everyone about the criminals who are using the deadly virus as a tool for scams. My advice for any and every business is simple:
- Take the time to understand your business. Security professionals and business continuity experts use business impact analysis (BIA) to help understand the products and/or services each organization provides and the dependencies (technical and otherwise) that they have.
- Rapidly develop an updated, operable business continuity plan that will allow at least the core of your organization to continue and has little if any reliance on outside suppliers and technologies.
Business continuity plans in turn link with (technical) disaster recovery plans. Review those plans carefully and seek to change them where they are reliant on suppliers or services that can reasonably be expected to be interrupted.
Six years ago, I wrote that cybersecurity was always as much about business continuity and resilience as protection from hackers. With a security landscape bulging with threats, it can be easy to focus on the wrong priorities.
In my opinion, the organizations that will survive the fallout from this non-technical virus will be the ones that focus on understanding how to isolate and insulate their core operations and services.
(* unpatched software, flat networks, ineffective malware products, poorly configured device security…)