(by Delphine Chevallier, Thalia NeoMedia, and Didier Spella, Mirat di Neride)
The current crisis is plunging us into a unique state that is not the first and certainly not the last. Our generation has experienced many economic and financial crises. The Covid-19 pandemic is its first major health crisis, for which it seemed ill-prepared. So, let’s take a closer look at these two health and cyber crises. What are their similarities and what makes them different?
Let’s start learning from their similarities.
Crises are rarely purely national as they respect no borders, but they eventually bring us closer together.
In an increasingly globalised world, risks have no borders: viruses and microbes ignore the geographical limits established by humans. The same applies to malware using digital networks.
Whether a health or a cyber crisis, we are all affected in the same way.
Their origins are very difficult to identify.
When a crisis breaks out, we need to know its origin. The search for ‘Patient 0’ in a health crisis has its equivalent in a cyber crisis.
The search for the first infected machine is essential to identify the cyber criminals responsible for the malicious act.
They are brutal and surprise us in our chronic unpreparedness.
The brutal nature of the outbreak and the sequence of events characterise the onset of the crisis. It is always easy afterwards to point out warning signs that we should have identified much earlier. But our overconfidence and cognitive biases lead us to crises. This is certainly the case in cyber security: there are many signs that risks are increasing. Alas, how many of us take them into account?
What are the consequences of a cyber crisis for an organisation that is already financially weakened by the health crisis?
Faced with unpreparedness, dealing with the crisis requires huge investments.
A cyber crisis faces the same challenge as a health one: should I prepare for it or not? With what level of priority? When a crisis occurs, unpreparedness requires the implementation of exceptional tools and means in the broadest sense. The scarcity or urgency of the resources needed to regain control make such an implementation all the more expensive.
Finally, is it better to educate oneself to live with risks? Or to find the right balance between financial logic and acceptable risk?
In the face of the crisis, organisations are offering solutions that are uncertain and incite criticism.
In the face of uncertainty, there is not only one strategy. Therefore, what is at stake is the ability to make decisions at a given moment according to known data and the means available to us. What should you communicate to your customers when you are not yet able to assess the volume of potentially hacked data? What instructions should you give your employees when you are unable to determine when you will be able to restart the systems?
Isn’t the solution then to align behind a leader?
Individual reactions are similar. We do not feel concerned, either in the prevention phase, at the onset of the crisis, and sometimes even at its peak.
In both cases (health and cyber crises), we are dealing with an invisible and ‘unknown’ enemy. The infection phase is always silent: observation period, incubation, temperature rise.
The same applies to a cyber infection: the malware installs itself stealthily on your machine. You don’t see it. Nevertheless, abnormal activity on the processor (and on the network) is a warning sign that could enable to detect its presence.
However, we still lack collective experience in dealing with cyber crises. We are starting to identify and anticipate real differences that we now need to grasp.
The first difference is probably the speed of propagation.
A global cyber-attack is almost instantaneous, whether in the observation phase or in the triggering phase. International organisations that were victims of the NotPetya attack reported that it took it less than 90 minutes to destroy or shut down their entire digital infrastructure.
This brutal violence – impacting both individuals and activities – is still too much neglected by organisations when preparing for this type of crisis.
The second difference is maybe the criminal behaviour, which has only one objective: pecuniary profit.
Cyber-attacks – whether aimed at destroying systems or using digital tools for fraudulent purposes – are always malicious in nature. Their purpose is always to seek financial gain.
This observation leads organisations to investigate new modes of action to protect themselves: real-time monitoring of the operation and performance of digital systems; anticipation of potential malicious acts of internal or external origin; technical reaction, regarding both legal and insurance aspects; and reporting of incidents to the relevant bodies in order to contribute to general protection.
A third difference appears in the fact that cyber criminals can choose their victim(s) and viral diseases don’t.
The common perception of an illness is that it affects individuals at random. On the contrary, a computer virus contaminates and impacts all infrastructures in the same way. The consequences on the systems are therefore much more radical and homogeneous.
The rapid development of artificial intelligence and robotics is beginning to replace manual actions. We may wonder about the even more dramatic consequences of a cyber-attack on this type of equipment if we lose control of certain tasks or our reasoning ability.
Another point of difference is the experience curve.
Diseases and pandemics have been in our collective DNA since our origins. This is not true for cyber crises, for which we still refuse to grasp the impacts and consequences they would have on our activities.
Are we in a form of denial? If we naturally go to the doctor when we have a fever, we react quite differently when we receive fraudulent emails.
How would we respond to a cyber crisis? Do we know the essential actions in the event of an attack? What would our fallback solutions be if our digital tools were down?
A cyber-attack always has a human origin.
Every cyber-attack necessarily involves one or more individuals who have constructed the strategy and determined the means by which the attacks will be implemented. It is paradoxical to live with the belief that cyber-attacks are uncontrollable and unpredictable when we are able to control all their mechanisms and effects.
In the end, protecting oneself from cyber risks requires a better understanding of the technologies used, so it all comes down to instruction and education for all.
In conclusion, health or cyber crises put the individuals back at the centre of our concerns as the single indispensable actor. They are the first element of all protective measures.
Whatever our current level of knowledge and skills, it is time for all of us to become true players in the cyber world. Let’s not leave it in the hands of just a few tech-savvy ‘elites’.
The time has come for us to get involved and commit ourselves on a daily basis to change our digital practices. By integrating new behaviours, anticipating risks, and remaining in a questioning mode, we will be able to deal with cyber crises more serenely. As nature does, we must reinvent and rebuild ourselves to tap into these great sources of inspiration, energy, and collective progress.