Introduction
The ongoing global health crisis has changed our lives in an unprecedented way. All sectors of the economy are struggling to adjust to the new reality. Both healthcare and financial services are crucial to ensuring society’s wellbeing and functioning as well as business continuity. The digital leap accelerated by the pandemic crisis is transforming the character of those sectors – from the use of contact tracing apps, telemedicine, and reshaped payment methods, to operational resilience and data security.
What is more, people moved their businesses and lives online, and many digital tools were introduced to monitor the spread of the virus. Most companies around the globe have experienced a significant increase in cyberattacks as a result of employees working remotely. ICT tools have, most likely irreversibly, converged with the physical realm. Due to the increased reliance on new technologies, society is also more exposed to various cyberthreats. Newly unveiled vulnerabilities are being exploited through sophisticated phishing campaigns, network data breaches, ransomware, and DDoS attacks. COVID-19 resulted in the highest jump in malware numbers in history, with a 92% increase in such threats compared to pre-pandemic levels.
Challenges of accelerated digitisation: the lesson
In many organisations, at the beginning of the pandemic, employees who shifted to remote work did not have the necessary equipment (such as laptops or monitors). They were very often using their private computers (shared with the whole family and carrying a lot of unverified applications and programs), which further increased the attack surface available to hostile actors. Also, from a psychological point of view, the home environment, unlike the office, is not conducive to maintaining the necessary rules and policies. Employees were moved from an environment where they felt comfortable into a very different way of working, with no training and no awareness of appropriate behaviour. As systems are only as secure as their weakest link, it takes just one user who inadvertently clicks on something to cause a breach across the whole environment. According to Global Workplace Analytics, by the end of 2021, 25–30% of the US workforce will be working from home multiple days a week. Organisations should therefore shift their focus significantly towards securing the remote work environment.
Although large global-scale cyberattacks such as WannaCry or NotPetya did not take place during the pandemic, there were a lot of COVID-19-related scams and frauds. For example, in the UK, between 1.3 billion and 7.9 billion pounds might have been lost in attacks targeting the governmental financial rescue schemes. Hostile actors also took advantage of people’s emotional responses to the pandemic. There were scams that allegedly supported the NHS (but actually redirected payments elsewhere) or sold the “only” disinfectant that kills the virus. From a more positive perspective, however, a large part of society has finally understood that cybersecurity is not only a subject for CISOs or CTOs in big companies. People realised that it is also a challenge in their everyday lives, and CEOs of small and medium-sized companies understood that they need to invest in boosting their cybersecurity and resilience.
The cyber dimension of the crisis in the healthcare sector
During the pandemic it became apparent that not all sectors were prepared for the cybersecurity challenges. Unfortunately, hospitals and health institutions were among the organisations most often compromised in the first weeks of the crisis. Malicious actors targeted their databases and the systems that keep hospitals running, taking advantage of difficult times in which health services focused their attention on the crisis in the physical world and cared for a large number of patients, often beyond their capacities.
There is a sort of paradox in the health sector: insufficient security can result in the loss of human lives, yet the simple and easy argument that there are more important things to invest in than cybersecurity (medical devices, medicines, etc.) outweighs all others. The fact is that those same medical devices bring cyber-risks into hospitals, and a lack of preventive measures might have tragic consequences. There should be a change in the paradigm of and approach to cybersecurity in areas of common public interest. One solution is dedicated budgets at the state level, allocated only to cybersecurity, so that hospitals have no choice in what to invest in. Another is to reduce the inefficiencies (in procurement or in contracts) that are widespread in this sector.
Regulations concerning the health sector are relatively recent, with the NIS Directive entering into force in 2016 (obliging EU Member States to take specific steps by August 2018). The two-year period was not enough for hospitals to put cybersecurity measures in place. Health institutions still have a long way to go before they reach a sufficient level of security. What is more, the pharmaceutical sector has also come under attack during the pandemic. Given what is at stake, it is worth assessing whether, for example, this sector should also be included in the NIS Directive (the review of the NISD is currently ongoing). The interdependencies between sectors make a holistic approach that takes all linkages into account necessary.
Organisations need to build adaptive and flexible architectures that can weather unforeseen and disruptive circumstances (not only pandemics but also major cyberattacks). Some such decisions are being assessed at the moment. The current situation makes people reflect on what they have learned in recent months, what needs to be avoided in future, and what the digital infrastructure that allows organisations to work remotely should look like.
How to learn from the best? The perspective of the financial sector
The majority of financial organisations coped very well with the pandemic crisis. The existing challenges concerned mainly the move to remote or hybrid work (equipment, access rights, bandwidth requirements, etc.), as was the case for most office-based sectors. Financial services also had to be adjusted as people shifted significantly to contactless payments (for example, the UK increased the spending limit for contactless payments from 30 pounds to 45 pounds). Payment intermediaries (such as PayPal) were also more exposed to fraud due to the increased interest in e-commerce. Despite that, the short-term solutions the industry applied worked very well, mainly because the sector has been heavily regulated for many years, has built security and resilience measures, and invests a lot in security and in innovation. Many financial institutions were among the early adopters of flexible infrastructure such as the cloud. Also, the mindset of staff in this sector differs, as banks have always been a target for cybercriminals.
Overall, we should learn as much as possible from the financial sector in terms of building operational capabilities. The financial sector stands out when it comes to cross-industry cooperation, which can be observed at three levels – regulatory, incident response, and information sharing. This is something that could be embraced by other sectors, for example the health industry. It should be underlined, however, that sticking too closely to sector-specific strategies and policies – a one-size-fits-all approach – is not the best option, as each sector has its own characteristics that should be taken into consideration.
Partner of Road to CYBERSEC: British Embassy Warsaw.