Mar 24, 2022 by Josh
COVID & Cybersecurity
There are parallels between the lessons we’ve learned, and continue to learn, about mitigating risks involving COVID and managing cybersecurity. Just like the risks involved with COVID, cybersecurity risks to businesses are a global, indiscriminate, unrelenting, and require personal, national, and global effort to limit the impact they have on society.
As a managed service provider, we spend a lot of time mitigating risks for our clients. You may think that good cybersecurity is only successfully achieved through the efforts of an elite group of networking expert geeks who never sleep and can understand complex systems. Managing cybersecurity may feel unapproachable, but the truth is, managing cybersecurity risks and protecting yourself and your business is not as difficult as it appears. Cybersecurity experts can take your protection to another level because they are experts. However, there are a few things that you can do yourself like two-factor authentication, firewalls, and anti-virus.
“Defense in depth”: having several overlapping security systems in place. In case one fails, the other protective systems in place should stop or minimize the impact and severity of the attack. Cybersecurity experts know that their defenses – no matter how well-crafted – will eventually fail. It’s kind of like how COVID variants keep popping up. Things are always changing and evolving in the world of cybersecurity. That means redundancies need to be put in place to keep up as we change and evolve our cybersecurity measures to keep up with the bad guys. With COVID, we maintain social distance (layer 1), wear masks (layer 2), wash hands and sanitize (layer 3), limit exposure to as few people as possible (layer 4), boost immune systems by exercising, eating healthy, and taking vitamins (layer 5). None of these layers alone will stop COVID from spreading entirely, but the combination of these efforts can systemically minimize impact and severity.
“Risk management”: how much risk we choose to tolerate and how we deal with it. We know intuitively that doing some things are riskier than others. For example, if I go to a large indoor party and someone who is COVID positive is present, there is a high chance of spreading to the other guests. I also know that if someone gets infected with COVID there is a chance that individual could get very sick. The key to risk management is understanding the risk factors. If I don’t know that being in a crowded room is risky, then I can’t make an informed decision. The same is true with cybersecurity. Once we are informed, we can determine the amount of risk we can manage and the consequences of those risks we are able to handle.
“Cyber hygiene”: maintaining a healthy and resilient cybersecurity system that’s up to date, patched, and configured to limit vulnerabilities. This is like maintaining a healthy working environment and being thoughtful about you and your staff’s overall health by taking necessary precautions to prevent the spread of COVID. For example, staying home because you have a runny nose, cough or compromised immune systems helps limit the spread of COVID. With technology, it’s also important to remain proactive to prevent issues and protect against cyber-attacks.
“Authentication,” “access control” and “privileged access”: electronic ways to identify people and determine the level of access, if any, individuals have to specific systems. We have ways to identify people and determine what level of access they have in our lives and what level of access we are comfortable with them having – if they are even authorized at all. People have names, we recognize their faces and voices, and we put them in the context of their relationship to us and the people around us.
“Compensating Controls,”: knowing what weaknesses or vulnerabilities we can’t control and doing something else to help minimize the risks involved. For example, if an individual has a compromised immune system, it may be a good idea for them to practice stricter precautions to limit risk of contracting COVID. Staying home is an example of “compensating control”. If there is a computer system that only supports weak passwords, then as a compensating control we might consider only allowing physical access to the system rather than connecting it to the internet to limit the risk of it being compromised.
It is the combination of all these security measures together that provides optimum cybersecurity. The Colonial Pipeline hack is a high-profile example of an organization not employing defense in depth, authentication, good access controls or good cyber hygiene. The attackers were able to compromise their systems using a leaked or stolen password combined with a VPN connection that didn’t require multi-factor authentication. Once the attackers were inside, there was nothing else to prevent additional access or provided detection.
Like controlling the spread of COVID – education, implementation of control measures, and creating layers of defense will minimize the risk and severity of cyberattacks.