As we have been acutely aware over the past year, various governments across the world have used different responses to managing the risks associated with a widespread and contagious virus, COVID-19. Some governments have used a rather casual approach (for example, Sweden), whereas countries like New Zealand and Vietnam have been publicly lauded for their stance on trying to achieve elimination, with mixed success (Vietnam is having a large second wave).
As an information security professional with over 30 years of experience, varying risk responses across the globe do not come as a surprise. When conducting risk assessments for my own clients across different industries, I too have experienced a wide gamut of responses from risk owners.
So, what does cyber security have in common with COVID-19?
Imagine a world where we approached treating threats to cyber security the same way governments sprang into action with COVID-19 outbreaks. I refer to the fast lockdown we had in the Greater Brisbane Region last month, where a hotel worker was exposed to the U.K. variant. Greater Brisbane was placed into a complete lockdown period for three days, followed by mandatory wearing of masks for two weeks.
Let’s translate this approach to cyber security – suppose an individual goes to a local café and uses the guest Wi-Fi, whereby their device becomes infected with malware. Unwittingly, they take this infected device home, where their rather sick relative is on a life-support system, connected to a 5G network using a typical medical device built on a free version of Linux and most likely not patched. Why is this an issue? The potential impact is varied, and includes financial extortion, human life and loss of privacy. It has already happened across the healthcare sector globally – a quick web search will reveal that back in 2017, a hospital in Victoria was heavily impacted for just over a month, with major surgery cancelled.
That is a rather dystopian, yet realistic, view of cyber security and how it could potentially impact people, our safety and privacy. Yet, align that thinking with how our governments respond to a single outbreak with COVID-19, declaring it an “outbreak”, and immediately restricting our movements.
I challenge you to stop and think, why is it, that many governments fail to take appropriate and swift action when presented with credible threats regarding cyber security for their infrastructure and failing to invest in appropriate risk mitigation. I do not recall a single country being plunged into years of debt for the sake of mitigating ransomware, or blocking Internet connectivity!
So, there you have it, we simply have an inconsistent, disproportionate approach to managing risk across different risk silos. Is it simply political point scoring, or the genuine belief that one type of virus has more impact to society than another? It has been shown that complete eradication of COVID-19 is not entirely feasible, so why not take a more pragmatic view? After all, governments are better known for being reactive rather than proactive.
Isn’t it time, we have a sensible discussion around commensurate levels of managing risk across the many different risk silos? If we all sprang into action against cyber security threats the same way we have handled COVID-19, wouldn’t the cyber world look very different?
Author: Peter Nikitser, ALC Director of Cyber Security
**For more information and or training on identifying and managing cyber security risks, you may like to consider the following courses: