David Norton, Executive Director, CISQ
Note: This blog first appeared on Dave's LinkedIn on March 8, 2020.
As a young engineer and mission specialist working on Nuclear, Biological, Chemical, Radiological (NBCR) systems I learnt how a potential enemy would deploy these weapons alongside conventional “kinetic” weapons (bombs and shells) for maximum effect. Trying to run 3 miles in an NBCR “noddy suit” whilst being shot at is hard work – so I am told (I was a backroom boy).
[Image: Suited and booted - Paratroopers from UK 3 PARA in NBCR]
It also deterred the use of NBCR by demonstrating to a potential adversary that we could maintain capability – and that we had the resolve to do so.
This lesson has stayed with me; it is prudent to be prepared for a worst-case scenario whilst hoping for the best case.
“Si vis pacem, para bellum” - If you want peace, prepare for war.
So, what has NBCR got to do with the coronavirus? Simple: nature has given us half the equation for an IT and business worst-case scenario; it just needs a hacker to give us the other half.
A cyber-attack timed to coincide with peak infection rates of the coronavirus could tip already stretched resources into chaos. Although let’s be clear, this is still a low probability, high impact scenario - at the moment.
As (or if) infection rates increase, businesses will see a corresponding increase in staff absenteeism. Not just of the sick but also those who choose to self-isolate as a precautionary measure.
At this stage, it is difficult to predict how many staff may be off ill at any one time, but it could be in the range of 15% to 25%. As absenteeism increases, so does the probability that staff necessary for business continuity and disaster recovery (BCDR) will be sick and not available when needed.
Criminal organisations and state actors have been quick to identify the opportunity any virus outbreak affords them to amplify the effect of a cyber-attack. A well-timed attack, or just sheer luck, on an organisation struggling with the impact of the virus has a higher chance of defeating overstretched resources. Likewise, BCDR plans can be thrown into disarray if key staff are not available as expected, prolonging the impact of an attack on the business.
Although an organisation cannot remove the risk entirely, there are steps they can take to give themselves a degree of immunity. And they need to take those steps now.
If You Do One Thing, Do This – Don’t Get Hacked
- If you stop your systems from being compromised in the first place, you will not need to deal with the coronavirus and cyber-attack doomsday scenario. An obvious bit of advice, but if you work in BCDR, you will tend to be biased towards what happens after the attack – if all you have is a hammer, everything’s a nail.
- Make sure your cybersecurity measures are up to date – firewall, virus scans, ACLs etc. – check it all now. And make sure all your critical systems and hardware are up to date with patches.
- Warn all staff to be on their guard for phishing attacks, and compromised websites - especially those related to coronavirus. There are already sites infected with malware offering bogus cures.
- As more staff are forced to work remotely or choose to self-isolate, make sure their devices are secure and using up-to-date anti-virus software. And make sure your VPN can cope with the extra load; if it cannot, staff will try to bypass it – and then you are compromised.
- Pay particular attention to ransomware and new delivery techniques – the crisis is a zero-day exploit dream. In the event systems are compromised, “swarm” the incident – don’t give an attacker time to escalate.
Don’t Make Yourself a Target
- Do not publicise the impact of the virus on your organisation, beyond information to health authorities and similar bodies who require it for emergency planning.
- All external requests related to the level of sick and related absenteeism in your organisation should have credentials confirmed before supplying any information.
- Make sure all information related to BCDR staff and absenteeism is secure. It's easy to leave a spreadsheet of key staff off sick on an unencrypted drive.
Don’t Assume Your Disaster Recovery Plan is Still Effective
- Review the organisation’s BCDR plan, identifying assumptions regarding critical resources, including their expected location and availability during a crisis. Is your plan based on having four systems admins available; would it still work if you just had two?
- Ensure you have an up-to-date list of named individuals with the requisite skills and experience to support the recovery plans. Confirm their contact details and emergency contact information.
- Identify those critical recovery procedures which are high risk because there are only a limited number of individuals who can undertake them. Apply “what-if” analysis, for example, if John is too ill to get to work, who could apply an urgent security patch?
Mitigate the Risk
- Inform the business as to which capabilities and processes would be most at risk during a cyber incident because of virus-related absenteeism. Make it clear how this could reduce disaster recovery capability and ensure the business continuation plan is revised in the light of the current and emerging situation.
- If time allows, and the procedures involved are relatively straightforward, train staff on the basics of what needs to be done to recover data, applications, or hardware. Caution – only do this where the process is clear and easily followed; otherwise they could do more harm than good.
- Automate those current manual recovery processes and steps. If full automation is not possible, focus on those steps which are most prone to error. Maintain the manual version of the processes as a contingency.
- Consider asking some of the disaster recovery team to self-isolate, especially those with essential skills in short supply within the organisation. Make it clear that self-isolation will still require them to be reachable at all times and ready to support the recovery plan unless they become sick.
- Be prepared to suspend policies that restrict who can be involved in the disaster recovery process. It is no good if you have staff with the skills to patch the server if they are not allowed in the data centre, or don’t have the rights to the admin password.
Keep on Top of The Situation
- Implement a monitoring process that alerts a named individual responsible for disaster recovery when essential staff are absent. Ensure you give this individual the power to convene a crisis team if BCDR capability is at risk.
- Set trigger points regarding disaster recovery staff levels and escalate to the appropriate IT and Business Management when reached. For example,
- Green = Recovery process well-staffed, can support multiple cyber incidents, can recover business capability within the expected time frame. Action: Monitor
- Yellow = Recovery process staff limited or restricted, business capability recovery possible but with delay or reduced capability. Action: Trigger Plan B
- Red = Recovery process staff levels are critical. Business capability recovery may not be possible even within the worst-case time frame. Action: Focus on critical business capabilities only
- Where disaster recovery involves 3rd party services, ensure they keep you informed of their critical staff levels. If time allows, make it contractual. For example, “the supplier has to inform the client if there is a risk they can no longer fulfil recovery services because of resource availability”.
- If you are supplying services to other organisations, keep them informed of your current disaster recovery capability, especially if it is approaching critical levels. Dry run worst-case scenarios with your partners now and clearly document resolutions.
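The “what-if” analysis above (if John is too ill to get to work, who could apply the patch?) and the Green/Yellow/Red trigger points can be turned into a small staffing monitor that a BCDR lead could run each morning against the absence list. The following is an added example, not code from the original post or from CISQ; the roster, the procedures, and the skill names are constructed sample data, and the exact thresholds for each colour (Red = a critical procedure cannot be staffed at all; Yellow = every critical procedure is covered but at least one has no spare person; Green = every critical procedure has a spare) are my assumptions about how to make the post's trigger points concrete.

```python
"""Recovery-capability monitor (added example, not from the original post).

Models two things the post recommends: a "what-if" analysis of which recovery
procedures depend on too few people, and Green/Yellow/Red trigger points that
map current staffing to an escalation action. All data below is constructed.
"""
from __future__ import annotations
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Person:
    name: str
    skills: frozenset[str]
    available: bool = True   # False = already off sick / unreachable


@dataclass(frozen=True)
class Procedure:
    name: str
    skill: str               # single skill needed to run it (a simplification)
    critical: bool           # recovers a critical business capability
    min_staff: int = 1       # people needed to carry it out safely


def capable(people, proc):
    """Everyone who could run the procedure, sick or not."""
    return [p for p in people if proc.skill in p.skills]


def on_hand(people, proc):
    """Those capable AND currently available."""
    return [p for p in capable(people, proc) if p.available]


def single_points_of_failure(people, procedures):
    """Procedures only one named person in the organisation can perform."""
    return [pr.name for pr in procedures if len(capable(people, pr)) <= 1]


def simulate(people, absent):
    """Roster with the named staff marked absent, for what-if analysis."""
    return [replace(p, available=p.available and p.name not in absent)
            for p in people]


def uncovered(people, procedures):
    """Procedures that cannot be staffed to their minimum right now."""
    return [pr.name for pr in procedures
            if len(on_hand(people, pr)) < pr.min_staff]


def status(people, procedures):
    """Map staffing to a trigger point and the post's action for it.

    Thresholds are assumptions made for this example:
      RED    - a critical procedure cannot be staffed at all
      YELLOW - all critical procedures covered, but one has no spare person
               (one more absence, or a second incident, breaks it), or a
               non-critical procedure is uncovered
      GREEN  - every critical procedure has at least one spare person
    """
    short = [pr for pr in procedures if len(on_hand(people, pr)) < pr.min_staff]
    if any(pr.critical for pr in short):
        return "RED", "Focus on critical business capabilities only"
    no_spare = [pr for pr in procedures
                if pr.critical and len(on_hand(people, pr)) == pr.min_staff]
    if short or no_spare:
        return "YELLOW", "Trigger Plan B"
    return "GREEN", "Monitor"


# Constructed sample roster and procedures (hypothetical names and skills).
PEOPLE = [
    Person("Ada", frozenset({"patching", "backup-restore"})),
    Person("Ben", frozenset({"patching"})),
    Person("Cara", frozenset({"backup-restore", "dns"})),
    Person("Dan", frozenset({"dns", "network"})),
    Person("Eve", frozenset({"helpdesk"}), available=False),  # off sick today
]
PROCEDURES = [
    Procedure("Apply urgent security patch", "patching", critical=True),
    Procedure("Restore from backup", "backup-restore", critical=True),
    Procedure("Re-point DNS to DR site", "dns", critical=True),
    Procedure("Reconfigure perimeter firewall", "network", critical=False),
]

if __name__ == "__main__":
    print("Single points of failure:", single_points_of_failure(PEOPLE, PROCEDURES))
    print("Today:", status(PEOPLE, PROCEDURES))
    for absent in ({"Ada"}, {"Ada", "Cara"}):
        roster = simulate(PEOPLE, absent)
        print(f"If {sorted(absent)} are ill:", status(roster, PROCEDURES),
              "uncovered:", uncovered(roster, PROCEDURES))
```

Run it as-is and it reports that the firewall procedure already rests on one person, that today is Green, that losing Ada alone drops to Yellow (patching still covered, but with no spare), and that losing Ada and Cara together is Red because nobody left can restore from backup. The useful part is the `simulate` loop: feed it the combinations of absences you consider plausible at a 15% to 25% absenteeism rate and you get the list of procedures to cross-train or automate first.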
Have a Plan B
- Work with human resources to identify recruitment agencies who can provide staff with the right experience and skills at short notice. Expect to pay a premium for the best-qualified people during the crisis.
- Identify 3rd party recovery services and speak to them now so as to understand their engagement process. Have a fast-track procurement process in place and the relevant work orders ready.
- Work with other organisations and businesses and draw up a joint recovery plan based on the principle of “an attack on one member is an attack on all of its members”. Go beyond sharing of information. Be willing to share resources to help another organisation recover, even if they are a competitor: “The enemy of my enemy is my friend”.
To reiterate, this is a low probability, high impact scenario (and I hope it stays that way) but it does no harm to prepare. Any preparation you do for coronavirus can be used in any situation that affects BCDR resources – from a natural disaster to industrial action.
And remember you may not be able to stop staff becoming sick but there is a lot you can do to stop cyber-attacks and resulting outages. Start by asking all staff to be extra vigilant and make sure you have the basic cybersecurity right.
Finally, as I am editing this, I have just received an alert from Norton (no connection) titled “Cybercriminals are using concerns about the coronavirus to launch phishing attacks”.
It’s time to put our “cyber noddy” suits on.