What it Takes to Create the Perfect Storm
So here we are – locked-down, locked-out, and locked-in to the Perfect Storm of the coronavirus pandemic which was born child of Wuhan, China (See Fig 1). At this time, we are still to discover if the bio origin of this devastating virus was created by a natural mutation or man-made hands-on chemical engineering – only time and transparent disclosure will tell. But one thing is for sure, the coronavirus has put an unprecedented strain on the global economy, and those everyday working practices we have all taken so much for granted.
For many years now we have observed the morph from IT Security, through Application Security and the age of Governance/Compliance take a grip on the direction the business security mission – finally arriving at the port of assurance with the applied all-encompassing label to the operational mission of ‘Cyber’ from which we have seen the emergence of many Cyber Security Experts, who I assume by very nature of the all-encompassing label suggests that such experts knew everything about everything – very impressive I am sure you will agree. And on the topic of expertise, I was astonished this last week to see an appointment of an individual in the UK to lead Cyber Learning in Schools – which is a good thing of course. However, when I looked at the background of the appointed individual it was very shallow and very short in its tenner in the world of IT/Cyber Security. Thus, I may only assert that the delivery of subjective learning will, of course, be constrained by the limitation of acquired knowledge of the leader – amazing, as if we are to learn anything from this pandemic, it must be that any cyber skills taught, at any level must be as robust as possible to achieve the longer-term ultimate objective of securing the planet, not to mention out-of-space!
We have also encountered the age in which, over about two decades we have seen the organizational infrastructures and systems shift and evolve from those robust and trusted, tied-down compartmented environments running trusted, segregated platforms, manifest into the modern distribution of technology born out of any commercial technology producers in-house offerings, no matter the perceived risk – here I, of course, include the UK Governments interest in engaging Huawei to deploy the UK’s 5g Network! And then, of course, we have the added angle of interest which comes along with BYOD (Bring Your Own Disaster) and IoT, or as I see it IoP (Internet of Things/Internet of Pings (if it ain’t got a Ping, it ain’t a Thing)) allowing users devices to process, store and communicate potentially business-sensitive data – of course, all done in the good names of collaboration and accessibility, not to mention reduced business procurement running costs.
And then we need to consider the Active Persistent Threats (APT) that are in circulation in this bio-fraught time. We may wish to focus on the development of Cyber Weaponry crafted and designed out of both low and high investment to be released to the awaiting unprepared home-user/out of office public by Serious and Organised Criminals, Malicious Hackers, Hacktivists, and of course not forgetting those State-Sponsored Actors such as North Korea, Russia, and ‘China’ who utilize malicious tools to underpin and achieve their warped political objectives. All arriving in the form of adversity, and in particular at this time of a pandemic, leveraging the current coronavirus outbreak as a cloak to spread misinformation, fear, doubt, and of course to use the unprecedented viral outbreak to spin off some criminally generated financial gain from the unprepared connected user. But the malicious intent goes much further than this and moves toward what is downright cruel and heartless when one considers the successful attack against an Italian Online Government Service providing much needed financial support to the impacted public to ease the financial consequence of coronavirus. And there is the rise in opportunity fraud by the commercially motivated criminals who are purporting to sell PPE (Personal Protective Equipment) which either does not arrive; or when it does it is of such low quality, or out of date, the equipment is far too dangerous to use. Sadly, even in the darkest hours, mankind must suffer those who see disastrous events as an opportunity for corruption, fraud, and other conjoined unacceptable, unethical practices.
With the current pandemic in mind, if I may, I will refer to a conversation I had with the CEO of a successful SME who told me:
“We had no choice but to push our administrative and office-based operations into the home-office, a situation we were completely unprepared for, and we (I (the CEO)) are now placing trust on the end-users to do the right thing at home”
I guess here, the question is what may be interpreted as the right thing? My conversation with the CEO went on to discuss his worries around GDPR, lack of encryption and the serious implications if things do go wrong – he went on to share with me that the company had no real security policies or procedures in place to underpin such a forced condition of out-of-office working and that this was a matter that kept him awake at night!
Looking the CEO’s concerns as a one-off situation, I am left wondering what such a worrying condition looks like on the macro scale, and just how many other small, and yes, big organizations have been limping along the yellow brick road of the unprepared mission in this current state of real-world macro exposure. But looking back over many previous years, I am very much aware from big companies in the energy sector, financial services, and commercials who have suffered continued exposure created, not out of lack of investment, but out of a total lack of real-world appreciation and perspective that Cyber Security is not just a word to be used at the right time in order to impress the listening audience or the MD – it is a real science which must be correctly, consistently and robustly applied to secure all the business assets or be deployed to mitigate the unknown unknowns.
The pandemic has imposed an enhanced level of risk on all organizations which they must now deal with. Hopefully, it will prove to be an invaluable lesson that communicates the message of PPPPP (Prior Planning Prevents Poor Performance. I hope that this current situation goes on to teach that the time for crafting a response to an adverse event is not at the time it is in full flight, but it must be done prior to the stage of the first-degree impact. You can exercise ignorance as a potential casualty, but you can only eradicate unpreparedness with forethought and action.
If you found this article interesting, I am also hosting a Webinar to go deeper on this subject on 21 May 2020 titled ‘Pandemic – The Perfect Storm’ which will also be available on-demand after the date of delivery, so please feel free to join us for further expansion on this very current topic. The Registration URL is below:
By John Walker (Visiting Professor at the School Science and Technology Nottingham Trent University).
Editor in Chief at the ‘International Journal of Cyber Forensics and Advanced Threat Investigations