It’s day 4,823 that I’ve been home for the stay at home order in the county where I live. Okay, so it feels like years, but it’s actually only been a few weeks. Like many of you, I can’t seem to tell what day or month it is lately. The coronavirus has changed the world we live in completely, from our daily activities to missing out on lifetime events.
The coronavirus goes by a variety of names, such as COVID-19 or C-19, just as cybersecurity is also called IT security or information security. Looking at COVID-19, I see a correlation to cybersecurity and awareness training programs that can help everyone.
With that said, there are three lessons we should all take away from this experience:
- People not heeding the COVID-19 warnings = people not heeding the cybersecurity warnings
- COVID-19 response = InfoSec and IT response to incident handling
- Wash your hands = Hover over and check the links
COVID-19, while dangerous to a lot of people, has not been taken seriously by everyone around the world. For a cybersecurity professional who wants to educate more and more people, this is no surprise. It has made us look to professional medical doctors in leadership positions and rely on them for advice, similar to what happens when a cybersecurity incident hits an organization -- they look to cybersecurity professionals for support and guidance. Finally, it has reintroduced us to washing our hands and other basic hygiene concepts, which is similar to cyber hygiene concepts such as telling people not to click on links or open attachments in emails.
Since COVID-19 came on the scene earlier this year, it has taken the world by storm, infecting over a million and, sadly, killing over 70,000 people. Early in this pandemic, experts stood up and said this was going to be a dangerous virus. The people responsible for making the risk management decisions didn't believe it was a high enough concern and attempted to contain it in their own way. In my more than twenty years of working in IT organizations and business product development departments, I and other cybersecurity experts have met with management, making one presentation after another to higher and higher levels. We sought to explain the risk of not implementing the "widget A" security feature in our flagship product: that it could expose the product to security issues and frustrate our customers. Sadly, it wasn't until a "Pearl Harbor" type event occurred that the risk was exposed. The organization then took the necessary steps and provided funding to implement widget A. Even though experts recognized the problem and alerted management, no action was taken until the event got worse.
The same thing happened in various parts of the country, where young adults attended parties on the sandy beaches of different states, enjoying the sunshine, the ocean, and party life, all the while believing their bodies were strong enough that even if they did get COVID-19, they could beat it. Ironically, they knew that they needed to self-isolate, but they believed it wouldn't get them, and that if it did, they could overcome it.
This attitude aligns with Perry Carpenter's observation about human nature in security awareness training: "just because I'm aware doesn't mean I care." Making people care about security awareness, and about not clicking on links or opening attachments in emails, has been a challenge. People know they shouldn't do it, but they end up clicking links and falling for phishing scams anyway. However, providing new-school interactive training is one way to help with this issue and offer a gamified experience to learn why it's important to hover over a link and determine its authenticity.
Every day, there is a news conference from the U.S. task force leading the efforts to flatten the curve, and every day, people look to the doctors who appear at these briefings for advice and guidance. Those of us in the IT and cybersecurity world see COVID-19 as an incident, and organizations have cybersecurity incident response teams (CSIRTs) for exactly that situation: a cybersecurity event has occurred within the organization, and various departments need to come together to resolve it. Similar to the process for handling COVID-19, where the Center for Disease Control (CDC), the federal government, lawyers, and the media come together to hear from the task force set up to battle the virus, within the organization, when a data breach or a zero-day vulnerability becomes known, the cybersecurity team, upper management, the legal department, and the communications department all come together to address the issue and communicate with customers and other stakeholders. The cybersecurity team fixes the leak, works to resolve the incident, and reports regularly to keep the various departments or groups informed, and continues to do so until the problem is solved. Much like what is happening with COVID-19, the multiple teams are working tirelessly to flatten the curve.
One common item that has surfaced is the need for hygiene, such as making sure people are washing their hands for twenty seconds. This type of hygiene is similar to the concept of cyber hygiene with social engineering phishing scams, where someone makes sure to check links and attachments in emails that they receive before clicking. Luckily for end users, it takes less than twenty seconds to hover the mouse over the link in an email to view the actual web address and verify its validity. It only takes a momentary lapse in judgment for you to click on a link and potentially infect your computer, just like a momentary lapse in judgment by not washing your hands after touching things at a public place could cause you to possibly become infected with COVID-19.
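The hover-and-verify check described above, done programmatically, as an added example that is not part of the original post: it scans a constructed HTML email body for anchors whose visible text names one host while the href points to another, for raw-IP destinations, and for a trusted brand name buried inside an unrelated domain. The sample email, the hosts in it, and the `TRUSTED_DOMAINS` allow-list are assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample HTML email body (not from the original post).
SAMPLE_EMAIL_HTML = """
<p>Your account needs attention. Please sign in at
<a href="http://198.51.100.23/login">https://www.example-bank.com/login</a>
or review the notice at <a href="https://www.example-bank.com/notice">our site</a>.
Also see <a href="https://example-bank.com.attacker-placeholder.test/reset">example-bank.com</a>.
</p>
"""

# Assumed allow-list of domains the reader actually does business with.
TRUSTED_DOMAINS = {"example-bank.com"}

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
# Visible link text that itself looks like a URL or bare hostname.
URLISH_RE = re.compile(r"^(?:https?://)?([\w.-]+\.[a-z]{2,})(?:[/?#]\S*)?$", re.I)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def registrable_domain(host):
    """Crude last-two-labels approximation of the registrable domain."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def check_links(html, trusted=TRUSTED_DOMAINS):
    """Return one finding per anchor: href, visible text, and why it is suspicious."""
    findings = []
    for href, raw_text in ANCHOR_RE.findall(html):
        text = re.sub(r"<[^>]+>", "", raw_text).strip()
        host = urlparse(href).hostname or ""
        reasons = []
        # The "hover" check: text shows one host, the real destination is another.
        shown = URLISH_RE.match(text)
        if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
            reasons.append("display text host differs from href host")
        # Legitimate brands rarely send you to a bare IP address.
        if IPV4_RE.fullmatch(host):
            reasons.append("href host is a raw IP address")
        # A trusted name used as a subdomain of a domain that is not trusted.
        if registrable_domain(host) not in trusted and any(t in host for t in trusted):
            reasons.append("trusted name appears inside an untrusted domain")
        findings.append({"href": href, "text": text, "suspicious": reasons})
    return findings

if __name__ == "__main__":
    for f in check_links(SAMPLE_EMAIL_HTML):
        print(f["href"], "->", f["suspicious"] or "ok")
```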
It's a lot of lather, rinse, repeat in the daily routine of working from home. Still, just as with COVID-19, we need to make sure we take a few moments to hover over the links, pay attention to security professionals, and have the awareness to understand and adapt to security events that occur within the organization. Just as we are operating more cautiously now that we understand the risks associated with COVID-19, we should take the same precautions when it comes to cybersecurity.