When I got my second Pfizer vaccine shot and now ponder the possibility of a third, I started thinking about what it means for me to be afforded added protection from the threat of COVID. Should a vaccine change how I behave and what, if any, additional precautions I should take? With the appearance of new variants, how do I identify the risks? How does it affect my overall approach to protecting my health, my friends and family’s health, and even my business’s continuity?
As a person who spends his professional life mitigating risk for his clients. I couldn’t help but see the parallels between managing cyber security and the lessons we’ve learned, and continue to learn, during COVID. Just like the COVID-19 pandemic, cyber risk to businesses is global, is indiscriminate, is unrelenting, and requires personal, national and global effort to limit its impact on our businesses and ultimately, our society.
Reading security blogs, Twitter feeds and the musings of CISOs, one walks away thinking good cyber security is only successfully achieved through the efforts of an elite group of cyber-geeks who never sleep, live on stress, can code with abandon, are networking experts, and can understand complex systems. It can feel unapproachable.
The truth is, managing cyber risk and protecting yourself and your business is not as difficult as it appears. Cyber security businesses and technologies want you to think it’s complicated stuff, impossible for a lay person to understand, and requires the magic wand of AI and advanced technologies. While modern businesses have complicated systems to manage, the concepts behind cyber security are largely intuitive.
Let me outline a few important cyber security principles that we can all understand and that are highlighted by our shared COVID experience.
“Defense in depth” is a term common to cyber security professionals . It sounds fancy but really just refers to a layered approach to security. Cyber security experts know their defenses will eventually fail no matter how well crafted, so if you have several overlapping systems or protections in place, if one fails, the other protections should stop or minimize the impact of an attack. Living through a pandemic, this idea is familiar to us all. We maintain social distance (layer 1), wear masks (layer 2), wash hands and sanitize (layer 3), limit exposure to as few people as possible (layer 4), and get vaccinated if possible (layer 5). We know that none of these things alone will stop COVID from spreading entirely but that the combination of these efforts will systemically minimize its impact and its spread.
“Risk management” is another phrase found within the cyber security lexicon. Again, this can sound more complex than it is; it refers to the decisions we all make about how much risk we choose to tolerate during daily activities. We know intuitively that doing some things are riskier than others. For example, if I go to a large indoor party with people who don’t wear masks, I know that if one person shows up COVID positive, the virus has a higher risk of spreading to many people at that event. I also know that if I get sick, there is some chance I could get very sick. The key to risk management is understanding the risk factors. If I don’t know that being in a crowded room with unmasked people is risky, I can’t make an informed decision. This is true of cyber security, once informed, our clients determine the amount of risk they can manage given their unique situation and the consequences of the risks they take on.
“Cyber hygiene,” another bit of cyber security jargon, describes a connected system, up-to-date and patched, configured to limit vulnerability to misuse. While this, too sounds fancy, you can think of it much like maintaining a clean working environment and being thoughtful about your and your staff’s overall health. Choosing to stay home with a running nose, cough or compromised immune system helps limit the spread of disease and infection. This is the same with technology. Maintaining a healthy, resilient systems means keeping technology up-to-date and using protective software that monitors and protects against malicious activity.
“Authentication,” “access control” and “privileged access” may sound officious but in fact, describe really simple concepts, the kind of lessons that we teach our kids from a very young age. We all have ways to identify people and determine whether we are comfortable with or if they are authorized to enter our lives in different ways. People have names, we recognize their faces and voices, and we put them in the context of their relationship to us and the people around us. Is this person someone I know who is allowed to pick me up from school? Of course, it’s my aunt who picks me up every Wednesday! Is this person allowed to make medical decisions and talk with my doctor? No, it’s my coworker who brought me to the ER when I injured my leg. Authentication, access control, and privileged access are simply electronic ways to identify people and determine who they are contextually and what they should be allowed to do.
The last cyber security term, “Compensating Controls,” means that when we know there is a weakness or vulnerability we can’t control, we do something else to help minimize the risk it represents. So, because my child is under 12 and has other health risks, we don’t send her to school. We home school her to minimize her exposure to other people and limit her risk of contracting COVID. Keeping her home is our “compensating control.” If we have a computer system that only supports weak passwords, then as a compensating control we might consider allowing only physical access to the system and not connecting it to the Internet. This would limit the risk of it being compromised because only a small group of people would be able to physically access the system.
When it comes to cyber risk, it is the combination of these measures that provides optimum security, no matter how simple or complex your system. The Colonial Pipeline hack is a high profile example of an organization not employing defense in depth, good access controls or good cyber hygiene. The attackers were able to compromise their systems using a leaked or stolen password combined with a VPN connection that didn’t require multifactor authentication, demonstrating poor authentication and access controls. They also appear to have had few defense in-depth measures, so once the attackers were inside, little else prevented additional access or provided detection. Additionally, there was lax cyber hygiene, allowing attackers to further compromise unpatched and poorly configured systems.
It is true that large businesses like Colonial Pipeline have many complex systems complicating the process of managing cyber security, but the fact is, these measures are not out of reach for any business. Educating staff and implementing management systems are the key to successfully maintaining good cyber security and putting an end to the recent ransomware and international supply chain hacking. The lessons are much the same in taming the spread of COVID: becoming educated, implementing control measures, and creating layers of defense will minimize the risks of its impact and disruption.