A cyber-attack timed to coincide with peak infection rates of the coronavirus could tip already stretched resources into chaos. Although let’s be clear, this is still a low probability, high impact scenario - at the moment. However, we are seeing cyberattacks leveraging COVID-19, couple of examples.
As (or if) infection rates increase, businesses will see a corresponding increase in staff absenteeism. Not just of the sick but also those who choose to self-isolate as a precautionary measure.
At this stage, it is difficult to predict how many staff may be off ill at any one time, but it could be in the range of 15% to 25%. As absenteeism increases, so does the probability that staff necessary for business continuity and disaster recovery (BCDR) will be sick and not available when needed.
Criminal organisation and state actors have been quick to identify the opportunity any virus outbreak affords them to amply the effect of a cyber-attack. A well-timed attack, or just sheer luck, on an organisation struggling with the impact of the virus, has a higher chance of defeating overstretched resources. Likewise, BCDR plans can be thrown into disarray if key staff are not available as expected, prolonging the impact of an attack on the business.
Although an organisation cannot remove the risk entirely, there are steps they can take to give themselves a degree of immunity. And they need to take those steps now.
If You Do One Thing, Do This – Don’t Get Hacked
If you stop your systems from being compromised in the first place you will not need to deal with the coronavirus and cyber-tacks doomsday scenario. An obvious bit of advice, but if you work in BCDR you will tend to be biassed towards what happens after the attack – if all you have is a hammer everything’s a nail.
Make sure your cybersecurity measures are up to date, firewall, virus scans, ACL etc – check it all now. And make sure all your critical systems and hardware is up to date regards patches.
Warn all staff to be on their guard for phishing attacks, and compromised websites - especially those related to coronavirus. There are already sites infected with malware offering bogus cures.
As more staff are forced to work remotely or chose to self-isolate, make sure their devices are secure and using up to date anti-virus software. And make sure your VPN can cope with the extra load, if it cannot staff will try and bypass it - then you are compromised.
Pay particular attention to ransomware and new delivery techniques – the crisis is a zero-day exploit dream. In the event systems are compromised, “swarm” the incident – don’t give an attacked time to escalate.
Don’t Make Yourself A Target
Do not publicise the impact of the virus on your organisation, beyond information to health authorities and similar bodies who require it for emergency planning.
All external request related to the level of sick and related absenteeism in your organisation should have credential confirmed before supplying any information.
Make sure all information related to BCDR staff and absenteeism is secure. Its easy to leave a spreadsheet of key staff off sick on an unencrypted drive.
Don’t Assume Your Disaster Recovery Plan Is Still Effective
Review the organisation BCDR identifying assumptions regarding critical resources including their expected location and availability during a crisis. Is your plan based on having four systems admins available, would it still work if you just had two?
Ensure you have an up to date list of named individuals with the requisite skills and experience to support the recovery plans. Confirm their contact details and emergency contact information.
Identify those critical recovery procedures which are high risk because there are only a limited number of individuals who can undertake them. Apply “what-if” analysis for example if John is too ill to get to work who could apply an urgent security patch?
Mitigate the Risk
Inform the business as to which capabilities and processes would be most at risk during a cyber incident because of virus-related absenteeism. Make it clear how this could reduce disaster recovery capability and ensure the business continuation plan is revised in the light of the current and emerging situation.
If time allows, and the procedures involved are relativity straight forward, train staff on the basics of what needs to be done to recover data, application or hardware. Caution only do this where the process is clear and easily followed – they could do more harm than good.
Automate those current manual recovery processes and steps. If full automation is not possible, focus on those steps which are most prone to error. Maintain the manual version of the processes as a contingency.
Consider asking some of the disaster recovery team to self-isolate, especially those with essential skills in short supply within the organisation. Make it clear self-isolation will always require them to be reachable at all times and ready to support the recovery plan unless they become sick.
Be prepared to suspend policy’s that restrict who can be involved in the disaster recovery process. It is no good if you have staff with the skills to patch the server if they are not allowed in the data centre, or don’t have the rights to the admin password.
Keep on Top of The Situation
Implement a monitoring process that alerts a named individual responsible for disaster recovery when essential staff are absent. Ensure you give this individual the power to convene a crisis team if BCDR capability is at risk.
Set trigger points regarding disaster recovery staff levels and escalate to the appropriate IT and Business Management when reached. For example,
Green = Recovery process well-staffed can support multiple cyber instances, can recover business capability within the expected time frame. Action: Monitor
Yellow = Recovery process staff limited or restricted, business capability recovery possible but with delay or reduced capability. Action: Trigger Plan B
Red = Recovery process staff levels are critical. Business capability recovery may not be possible even within the worst-case timeframe. Action: Focus on critical business capabilities only
Where disaster recovery involves 3rd party services ensure they keep you informed of their critical staff levels. If time allows, make it contractual. For example, “the supplier has to inform the client if there is a risk they can no longer fulfil recovery services because of resource availability”.
If you are supplying services to other organisation keep them informed of your current disaster recovery capability, especially if it is approaching critical levels. Dry run worst-case scenarios with your partners now, and clearly document resolutions.
Have a Plan B
Work with human resources to identify recruitments agencies who can provide staff with the right experience and skills at short notice. Expect to pay a premium for the best-qualified people during the crisis.
Identify 3rd party recovery services and speak to them now so as to understand their engagement process. Have a fast track procurement process in place and the relevant work orders ready.
Work with other organisations and businesses and draw up a joint recovery plan based on the principle of “an attack on one member is an attack on all of its members”. Go beyond sharing of information. Be willing to share resources to help another organisation recover, even if they are a competitor “The enemy of my enemy is my friend”.
To reiterate this is a low probability, high impact scenario (and I hope it stays that way) but it does no harm to prepare. Any preparation you do for coronavirus can be used in any situation that affects BCDR resources - from a natural disaster to industrial action.
And remember you may not be able to stop staff becoming sick but there is a lot you can do to stop cyber-attacks and resulting outages. Start by asking all staff to be extra vigilant and make sure you have the basic cybersecurity right.