*I am not an expert on health, infections or medication, so take my advice on dealing with Coronavirus with a pinch of salt. But do take the cyber security advice with a little more salty-assurance.*
You’ve probably heard of the Coronavirus. You’ve probably heard of cyber security, too. But how are they similar? It’s quite simple actually. Two words. Awareness and hygiene.
Let’s talk first about the Coronavirus. Initially spread from an animal source, like many of its predecessors, it is contracted through human-to-human interaction as well as short-distance airborne transmission such as sneezes and coughing.
Awareness. Awareness is a big aspect here. With awareness, people can better protect themselves from contracting the virus. They can know which places to avoid and what hygiene measures to take – simple measures such as washing hands often and wearing a mask. They can also learn how to improve their health and immune systems for the medium and longer term and, equally important, the steps to take to improve their chances if they do catch the virus.
How does cyber security relate? With awareness of what’s possible, businesses and people can take steps to protect themselves. They can prepare for prevention, detection and response to a potential breach. Part of the issue for small and medium-sized organisations is that they are so focused on the critical things which make their business operate that they can’t afford to spend time on many less important areas.
If they understood that a ransomware attack could lock them out of those systems, or a wire fraud email could empty their cash reserves, or a loss of personal data could lead to regulatory fines and reputational damage, maybe they could act.
Time for some statistics. According to the Verizon Data Breach Investigations Report (a report I actually trust), 43% of confirmed data breaches involved small business victims.
Focusing more specifically on smaller businesses: in the survey for the NCSA’s (National Cyber Security Alliance) study on small businesses, 28% of respondents had experienced an official data breach within the past 12 months. As a result, 37% of those suffered a financial loss, 25% filed for bankruptcy and 10% went out of business.
The same study shows that smaller businesses are becoming much more aware of the cyber security threat landscape, so there is some good news.
Now let’s have some educational fun. Let’s talk about hygiene. We will align Coronavirus hygiene measures with cyber security breach prevention measures, both for individuals and businesses.
Level 1:
| Measure | Coronavirus | Cyber security breach (individuals) | Cyber security breach (business) |
| Identify | Awareness: watch the news, read the paper, talk to people at the bus stop | Awareness: read The Register or the BBC technology website, talk to your geeky family member – we all have one | Awareness: train employees on the threats |
| Protect | Wash your hands often | Use different passwords for important accounts | Implement basic controls such as anti-virus |
| Detect | Notice when your leg drops off | Notice when your Twitter account starts supporting Donald Trump | Implement basic security detection controls |
| Respond | Take yourself and leg to hospital | Reset your Twitter account password | Turn off all the things |
Level 2 (slightly more serious)
| Measure | Coronavirus | Cyber security breach (individuals) | Cyber security breach (business) |
| Identify | Do more research over coffee. | Understand the threats to you and your family. | Identify the key threats to your business, depending on the business type and technology used. Identify all assets – otherwise they can’t be protected |
| Protect | Wear a mask | Don’t click on suspicious-looking emails or websites | Update systems at least every three months. Create system backups |
| Detect | Know the signs of coronavirus | Know when your device is acting abnormally | Sign your company domain up to the Have I Been Pwned domain subscription. Create an alert for when a service account is logged in interactively (i.e. hand on keyboard) and when a new admin is created |
| Respond | Wear dustbin bag at all times to prevent further spread | Talk to that geeky family member. If they don’t like you, bribe them with a one year subscription to WoW | Have a forensics and incident response contact number at hand |
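
The two Level 2 business alerts (a service account logged in interactively, and a new admin created) can be sketched as follows; this is an added example, not part of the original post. It assumes Windows Security events (4624 logons, 4728/4732/4756 group additions); the sample records, account names and the `svc_` naming convention are constructed.

```python
# Added example. Event IDs and logon types are Windows Security log values;
# the records, account names and "svc_" naming convention are constructed.
INTERACTIVE_LOGON_TYPES = {2: "Interactive", 10: "RemoteInteractive", 11: "CachedInteractive"}
GROUP_ADD_EVENT_IDS = {4728, 4732, 4756}  # member added to global/local/universal security group
ADMIN_GROUPS = {"administrators", "domain admins", "enterprise admins"}
SERVICE_PREFIXES = ("svc_", "svc-")  # assumption: how this organisation names service accounts

SAMPLE_EVENTS = [  # constructed, simplified records
    {"EventID": 4624, "TargetUserName": "svc_backup", "LogonType": 5, "Computer": "FS01"},
    {"EventID": 4624, "TargetUserName": "SVC_backup", "LogonType": 10, "Computer": "FS01"},
    {"EventID": 4624, "TargetUserName": "alice", "LogonType": 2, "Computer": "WS07"},
    {"EventID": 4732, "TargetUserName": "Administrators", "MemberName": "CORP\\bob",
     "SubjectUserName": "alice", "Computer": "WS07"},
    {"EventID": 4728, "TargetUserName": "Helpdesk", "MemberName": "CORP\\carol",
     "SubjectUserName": "alice", "Computer": "DC01"},
    {"EventID": 4624, "TargetUserName": "svc_sql", "Computer": "DB01"},  # LogonType missing
]


def detect(events):
    """Return one alert dict per event that matches either rule."""
    alerts = []
    for ev in events:
        event_id = ev.get("EventID")
        user = str(ev.get("TargetUserName", ""))  # account on 4624, group name on 47xx
        if event_id == 4624:
            try:
                logon_type = int(ev.get("LogonType"))
            except (TypeError, ValueError):
                continue  # malformed record: no logon type to judge
            if user.lower().startswith(SERVICE_PREFIXES) and logon_type in INTERACTIVE_LOGON_TYPES:
                alerts.append({"rule": "service_account_interactive_logon", "account": user,
                               "logon_type": INTERACTIVE_LOGON_TYPES[logon_type],
                               "host": ev.get("Computer")})
        elif event_id in GROUP_ADD_EVENT_IDS and user.lower() in ADMIN_GROUPS:
            alerts.append({"rule": "new_admin_group_member", "group": user,
                           "member": ev.get("MemberName"),
                           "added_by": ev.get("SubjectUserName"),
                           "host": ev.get("Computer")})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Logon type 5 (a service starting normally) and additions to non-admin groups are deliberately ignored, so the alert stays quiet enough for a small team to act on.
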
Level 3 (very, very serious)
| Measure | Coronavirus | Cyber security breach (individuals) | Cyber security breach (business) |
| Identify | Find a safe-house or bunker, just in case… | Find a password manager to store all accounts. Then use it. | Identify and implement controls that are more effective at preventing and detecting the earlier identified key threats |
| Protect | Use hand-sanitiser every time you twitch a finger | Use two-factor authentication for important accounts | Test your employees and security controls (e.g. phishing campaign, penetration testing). Update systems when new threats emerge |
| Detect | Use some expensive internet-connected health monitoring device to detect signs of Coronavirus | Sign up to Have I Been Pwned? to get notified of future breaches containing your data | Set up monitoring for abnormal usage of user accounts, especially those which are high-privileged |
| Respond | Don’t be surprised when the device gets hacked and tells you it’s only man-flu | Ask for a credit freeze if you suspect your data has been compromised | Outsource detection and response to a managed security service provider (but read this first) |
Notice that a lot of the cyber security measures described above are ‘quick wins’, and hardly any of them involve buying a piece of technology or spending any money. They are based on people and process. More on why here.
There we have it. Hopefully this post has aided the understanding that human health threats and cyber security threats aren’t too different. Awareness and hygiene are key for both.
If you have any questions or feedback about anything in the article, or you want slightly more serious and tailored advice, you can find me here.