In Q1 / 2020 to say that we live in unprecedented times could be tantamount to the understatement of the century, writes Professor John Walker FRSA. The current global manifestation of a pandemic, inflicting the BIO consequence of Covid-19 (C-19) is impacting both on health and the economy, of every nation.

However, the overall impact of this transient biological form goes well beyond that of the obvious danger to public health and has, sadly, also manifested in related digital exposures born out of, but not limited to:

a) Bad Practices
b) Unpreparedness
c) Exposures created by the imposed new ways of working
d) Crime.

The extended implications of Covid-19

The first element to consider is that of the imposed way of working for business users, which may also touch on state of unpreparedness. Granted, there will be those organisations who have planned for, or practice security for out of office operations, but there are also many more who may fall into the category of unpreparedness. For example, when an operative is situated within the business premises, they are (hopefully) working under robust operational policies, are accommodated with secure communications and digital defence facilities, and are supported by those everyday, taken-for-granted invisible elements which provision physical security. However, once we step outside the box of the ring-fenced operational environment, we are, as they say, on our own!

Dealing with insecurity

It is in such circumstances as these, when we may see the creep of insecurity enter the unanticipated, extended perimeter of commercial operations impacting the absence of the overarching working security framework of robust policies and the accommodation of real-time pragmatic defences. For example, data which has been quickly migrated onto some spare USB device, or which has been sent by insecure communications lines. And just think about the home-based multi-family computer, upon which such data may be stored and processed; or, maybe it is the generated hard copy waste that finds its way into the household waste. All these, and more add to the increased levels of ‘digital exposure’ - and this default presence of potential imposed insecurity, can also impact those who have prepared for such extended perimeter of operation conditions. After all, people are only human after all!

Fighting the bad actors

In a time of national, or indeed international upheaval, there is an enhanced opportunity for cyber crime with existing vulnerabilities and new opportunities being exploited by hackers and organised crime actors. Such criminal, parasitic activities as these may be born out of extraction of funds through some Covid-19 scam, or unsolicited communication claiming to be from the WHO (World Health Organisation); or maybe, the old game of taking control of the local IT asset with the underlying intention of onward exploitation for whatever purpose - all of which are every day, common-or-garden dangers we face at work - but all of a sudden, by the circumstance of imposition, one could infer such risks have been exacerbated by our new ways of imposed working!

State sponsored mayhem

Sadly, we also live in a world which is darkened by some state sponsored actors (SSA) such as North Korea, who have already been caught with their hands in the digital till. It is here where we see the aspect of a biological agent such as Covid-19 imposing disruption and fear to the global population, where such SSA’s see this as an opportunity. For example, remember the WannaCry Cyber Attack on the NHS which gave the UK tax-payer £92m bill? The attack resulted in over 19,000 appointments being cancelled - some of which resulted in death! As such, C-19 presents the opportunity which, again, allows some SSA’s to target their cyber-armoury against a known vulnerable target.

A public information text system?

One noted technology minded member of the House of Lords, with whom I had a remote conversation, this week, raised a very good point insofar as Her Majesty’s government (HMG) do not have any public text alerting system in place. If there was, it could have been leveraged over the first weekend of stricter isolating measures in March (2020) when the public parks and cities were crowded for recreational purposes, against all government advice! Here, such an alerting system could have been used to publish a ‘go home muppets’ communication.

Corruption of the young

With the younger members of our society spending their educational study time at home, this presents yet another knock-on opportunity for those predatory actors within our communities. Such actors as these are of course very much aware that young Johnny or Sally will be most likely spending time on the internet to busy their minds during this period of ultimate boredom - remembering that the youth / children of our age are amongst the most socially-active members of the online world. Here, during the C-19 pandemic there has, sadly, been a noted increase in predatory activities manifesting out of the corrupt minds of online abusers. Parents and Guardians alike must remind those in their care about the dangers of the online world - and where possible put in place not only parental defensive controls, but also active supervision.

Embracing (isolated) business as usual

We now find ourselves in a ‘new age’ of business continuity which is teaching us that we need to commercially evolve and accept that remote working will become a necessary part of ‘business as usual’. Here, we will see that world of Cloud becoming embraced, with out-of-band services moving towards the centre of the normal graph. Video conferencing tools such as Zoom will replace the need to attend face-to-face meetings. The delivery of training, such as services being now delivered by Dubai based Meirc, will become an everyday occurrence, or a necessary commercial evolution that will work to underpin the continuance of operations.

Planning for business continuity

The time has also arrived to review those business continuity policies and plans, to stress test them for accuracy and to ensure they are both fit for purpose, and pragmatic to serve the circumstance. At the same time, it may be wise to check how data will be made available to those business users who are not able to attend the. It is worth remembering that secure access controls are of paramount importance when dealing with commercially sensitive data assets.

Protecting the crown jewels

Data privacy regulations are, or should be, at the forefront of the corporate governance mindset, and thus, as we move further away from the over-shadowing hand of internal controls, so the potential of not meeting all compliance expectations increases. Remembering, the mandated expectations of standards such as GDPR travel in tandem with their related data assets, so the need to ensure that all external users, handlers, processors and custodians are fully educated and aware of the mandated safeguards is essential. After all, any adverse occurrence will certainly find the path back to the parenting organisation in the form of reputational damage or a fine.

Data protection of the future

Last, but not least, as introduced above, we must be aware of the need to protect the information assets we are the custodians of, which is asserted by the said number of standards. Thus we must start to think both of logical and physical security, and the use of storage devices, like the certified istorage mobile and desk based FIPS-140 / 2 diskAshur products. No longer will that USB thumb drive, sitting in the desk drawer be considered the to-hand solution for data migration - or should I say exfiltration!

Mankind can very resilient when it comes down to the wire, and in the face of the C-19 pandemic, time has arrived to don the fighting spirit against this unseen aggressor. From health to security,e time has come to fight the good fight. No longer is it a case of ‘your country needs you’, on his war-footing it is more a case of ‘your planet needs you’.

Take care, stay safe and keep washing your hands!

About the author

Professor John Walker FRSA is a leading authority in cyber security, digital forensics, OSINT and geopolitics. He works with government agencies, is an author, trainer and a visiting professor at the school of science and technology at Nottingham Trent University.