Seven lessons learned about digital security during the COVID-19 crisis

Lesson 1 - Digital security risk increases during crises because stressed organisations are more vulnerable to attacks.

COVID-19 demonstrated the crucial importance of digital technologies for business continuity. When the crisis hit, bringing with it lockdowns and the closure of offices, companies were forced to take activities online to continue operating. Organisations’ digital dependency, already high, rose to exceptional levels as digital became the platform for business continuity.

As a result, most organisations’ digital ecosystems were placed under high stress. Organisations’ leadership had to swiftly make vital decisions about how to use digital technologies during the crisis. Digital infrastructures had to be rapidly scaled-up to match the exceptional circumstances. The workforce was often diminished (e.g. staff taking care of children at home) and not trained to effectively operate in the new digital environment. Many existing processes became irrelevant and dysfunctional, until adjusted to the new ways of working.

The disruption caused by a crisis creates opportunities that malicious actors leverage for their purposes, e.g. stealing money, trade secrets and personal data. For instance, from an attacker’s perspective, a hospital whose information system is paralysed by a ransomware attack is more likely to pay a ransom when it is under the pressure of a major health emergency. SMEs struggling to survive with relatively few IT staff in a more exposed digital environment are more likely to skip or delay patching processes, leaving their servers vulnerable to intrusion. Employees are also more likely to click on malicious “important Covid-19 information” attachments or links in emails.

Lesson 2 – During a crisis, organisations should continue to responsibly manage rather than neglect digital security risk.

It is necessary to maintain good digital security risk management practices during crises.

However, organisations can fall into two major pitfalls during a crisis: following plans or frameworks designed for “normal times” that are too rigid and not adapted to the current crisis; or disregarding digital security risk management processes entirely because of exceptional circumstances and the need for fast decisions.

The COVID-19 pandemic revealed how difficult it can be to follow digital security processes during a crisis, especially when the nature of the crisis places a high stress on the digital ecosystem, including infrastructures, people, and processes. For instance, in a very short period, many public and private organisations rapidly shifted entire workforces out of corporate facilities and into virtual environments, facilitating corporate use of personal computing devices, and adopting new teleconferencing and remote access tools almost overnight. In some countries, the government accelerated the development and deployment of “e-government” services to enable the continuity of public services (e.g. to pay taxes or obtain administrative documents) in the context of strict sanitary measures (e.g. lockdown, social distancing).

Under such circumstances, it may be tempting to bypass risk assessment and treatment processes altogether, in order to swiftly ensure business continuity. However, fast implementation of new or temporary digital infrastructures, and adoption of new processes on the fly are likely to create weak links that malicious actors are continuously seeking to exploit. A successful digital security attack during a crisis could lead to severe consequences for the organisation, for interrupting business continuity, exposing it to a massive data breach damaging its reputation, or leaking its trade and innovation secrets, undermining its competitiveness.

Business (rather than technical) decision makers should own the responsibility to decide what to do with digital security risk (i.e. reducing, accepting, avoiding or transferring it). Bypassing digital security risk management procedures is incompatible with responsible decision making. Even under exceptional circumstances, businesses and other organisations, including governments, need to manage digital security risk responsibly to avoid counter-productive effects in the short, medium and long-term.

Lesson 3 – Exceptional circumstances call for agile digital security processes to enable business continuity.

Nevertheless, digital security must support business objectives rather than hinder them through rigid bureaucratic processes. Exceptional circumstances demand more agility than usual for fast implementation of new solutions that are both effective and trusted.

Therefore, digital security risk management processes should be flexible to match exceptional business needs without sacrificing good security practice. During the crisis, decision makers should expedite digital security risk assessment and treatment processes to enable the rapid shift to emergency digital solutions that ensure business continuity. This requires an effective, trusted and seamless relationship between business decision makers and technical security experts, enabling business-driven digital security risk management decisions. To adapt to a wider range of situations, organisations could, for example, adjust the complexity and depth of their digital security risk management decision making processes according to levels of crisis likelihood (e.g. from unlikely to actual).

In addition, out of necessity, a higher tolerance of risk would likely shape digital security risk management decisions during early days of the crisis, increasing the organisation’s risk exposure (e.g. opening network ports, deploying insufficiently tested solutions, etc.). It is important to review these operational decisions, and ensure that digital security risk accepted under exceptional circumstances still matches the organisation’s risk appetite in normal circumstances.

Lesson 4 – Digital security preparedness is key and should be part of broader business continuity planning.

The COVID-19 pandemic highlighted the importance of preparedness, whereby an organisation has tested plans that it can rapidly implement when disruptive events occur in order to ensure business continuity and resilience. Preparedness is an essential part of digital security risk management, as articulated in the “preparedness and continuity” principle of the Recommendation on digital security risk management for economic and social prosperity (OECD, 2015[1]).

Nevertheless, organisations tend to approach digital security preparedness in a narrow manner, as a means for them to be ready for a digital security incident escalating rapidly into a crisis. The COVID-19 crisis demonstrated that a non-digital security crisis can also require special digital security readiness. It is therefore necessary to further integrate digital security preparedness into the broader enterprise risk management, business continuity and crisis management planning.

For organisations, going back to “normal” is also an opportunity to review the effectiveness and consistency of emergency plans and digital security risk management processes (e.g. did the organisation follow pre-defined processes? Were the emergency plans flexible enough? etc.).

Lesson 5 – During a crisis, the government needs to extend its reach beyond operators of critical activities to key actors in their supply chain.

The COVID-19 pandemic also highlighted the role of public policy frameworks1 in strengthening digital security of critical activities. These frameworks identify operators of critical activities and set digital security risk management requirements they should meet. The Recommendation on Digital Security of Critical Activities (OECD, 2019[2]) provides a set of policy recommendations for governments in this area (See Box).

In many countries, digital security agencies had established communication channels with operators such as hospitals, to facilitate information sharing regarding emerging threats, and provide technical assistance if necessary. However, in some countries, governments had to refine their lists of operators of critical activities in the healthcare sector to include organisations involved in their supply chains, such as producers and distributors of face masks, medical tests, and ventilators, or vaccine research centres. Governments had to rapidly identify these actors, inform them about potential digital security threats and security measures to implement, and establish communication channels for potential assistance in case of disruption.

Lesson 6 –There is a need for proactive policies to improve digital security in the healthcare sector and for SMEs.

The COVID-19 crisis drew attention to the weak digital security of SMEs and small organisations such as local governments. Like large businesses, they were forced by the COVID-19 pandemic to switch to teleworking, sometimes overnight. This shift has increased the potential for attacks and introduced new vulnerabilities. For instance, many SMEs did not have Virtual Private Networks (VPNs) in place, did not use multi-factor authentication for remote access, or had to allow employees to use their own devices, which were not as secure as the ones provided by the organisation.

Furthermore, the crisis underlined the vulnerability of the healthcare sector. As highlighted in April 2020 OECD policy brief (OECD, 2020[3]), there have been multiple cases of malicious actors targeting the healthcare sector during the crisis, including Distributed Denial of Service (DDoS) and ransomware attacks on hospitals in France, Germany, Spain and Czech Republic. However, attacks on such institutions are neither new nor rare. Significant gaps in digital security risk management in this sector have been identified and documented for years. Successful digital security attacks on hospitals have happened in many countries, including France, Germany, and the United States. In 2017, many health care organisations were severely hit by the WannaCry ransomware, in particular in the United Kingdom, because they had poor vulnerability management processes (i.e. patches not implemented in a timely manner) and relied on operating systems that had reached their end-of-life, i.e. for which security updates were no longer provided. The same year, the Health Care Industry Cybersecurity Task Force convened by the US Department of Health and Human Services concluded that “healthcare cybersecurity is a key public health concern that needs immediate and aggressive attention”. These significant gaps in the healthcare sector often result from a lack of awareness and skills, limited digital security risk ownership, a lack of resources and funding for digital security and a lack of co-operation and information sharing mechanisms. Nevertheless, in many OECD countries, hospitals and other health institutions are considered as operators of critical activities and subject to regulations such as the European Union Network and Information Security (NIS) Directive.

Governments should develop ambitious plans to address the significant gap in digital security for SMEs and in the healthcare sector.

Lesson 7 – During crises, information sharing on risk is crucial and often relies on a pre-existing ecosystem of trusted partners.

Identified as a key principle in the 2015 OECD Recommendation on Digital Security Risk Management for Economic and Social Prosperity, multi-stakeholder and international co-operation has emerged as a critical condition for success in managing digital security risk during the COVID-19 crisis. Effective information sharing on digital security risk including threats, vulnerabilities, incidents and protection strategies often relies on a pre-existing ecosystem of trusted stakeholders spanning across many levels (organisations, sectors, stakeholder groups and borders).

In many OECD countries, the COVID-19 crisis shed light on new, unexpected and often generous forms of multi-stakeholder co-operation. Many digital security service providers offered free assistance to vulnerable groups such as healthcare organisations and SMEs (e.g. the “COVID-19 CTI league”, for Cyber Threat Intelligence, gathered digital security professionals from across 40 countries, offering free services to vulnerable actors).

Governments often play a key role and act as a convenor or co-ordinator for such multi-stakeholder co-operation. For instance, in France, the digital security agency ANSSI leveraged the existing awareness raising and incident reporting online platform2 (based on a public-private partnership) to provide resources and to connect individuals and organisations with digital security service providers. In Israel, the government launched a marketplace to facilitate connection between such actors, and on which vendors are vetted by the Israeli National Cyber Directorate (INCD) in a fast-track manner.3 The crisis also highlighted the importance of innovative models of public private partnerships and multi-stakeholder co-ordination, for instance with the use of regulatory sandboxes in the health sector.

It takes time to build trust between stakeholders with different cultures and objectives. Governments can help create the conditions to facilitate multi-stakeholder co-operation mechanisms based on trust, in particular for information sharing regarding the threat landscape and the pooling of resources.