Seven lessons learned about digital security during the COVID-19 crisis
Abstract
This policy brief discusses key digital security policy issues that have emerged during the COVID-19 crisis, based on input shared by delegations to the OECD Working Party on Security in the Digital Economy (SDE) during the initial peak of the crisis. It distils lessons for organisations and policy makers, highlighting the urgent need for 1) ongoing efforts by public and private organisations to manage digital security risk during crises with flexible and agile processes; 2) significant efforts to strengthen digital security in the health care sector and for small businesses; and 3) nurturing a multi-stakeholder digital security ecosystem on an ongoing basis to enable information sharing in exceptional circumstances. This note should be read in conjunction with the policy brief on dealing with digital security risk during the COVID-19 crisis, published in April 2020, which focused on how threat actors had adapted to the crisis, the responses of governments, and recommendations for governments and the public at large.
Key messages
Public and private organisations should be prepared for crises, and follow digital security risk management processes (e.g. risk assessment, risk treatment and continuity plans) that are flexible enough to adapt to crisis situations. In exceptional circumstances, these processes can be expedited, but they should not be disregarded altogether.
Policy makers urgently need to tackle poor digital security risk management in the healthcare sector and by small- and medium-sized enterprises (SMEs), which are two pre-existing critical challenges that have been thrown into further relief by the COVID-19 crisis.
Co-operation and information sharing across organisations, stakeholder groups and borders are essential to mitigate digital security risk, in particular during a crisis. Governments can play a key role to facilitate such co-operation, in particular by supporting, convening or encouraging sustainable multi-stakeholder partnerships based on trust.
Managing digital security risk during crises requires preparedness, flexibility and agility
For organisations
Lesson 1 – Digital security risk increases during crises because stressed organisations are more vulnerable to attacks.
COVID-19 demonstrated the crucial importance of digital technologies for business continuity. When the crisis hit, bringing with it lockdowns and the closure of offices, companies were forced to take activities online to continue operating. Organisations’ digital dependency, already high, rose to exceptional levels as digital became the platform for business continuity.
As a result, most organisations’ digital ecosystems were placed under high stress. Organisations’ leadership had to swiftly make vital decisions about how to use digital technologies during the crisis. Digital infrastructures had to be rapidly scaled up to match the exceptional circumstances. The workforce was often diminished (e.g. staff taking care of children at home) and not trained to operate effectively in the new digital environment. Many existing processes became irrelevant and dysfunctional until they were adjusted to the new ways of working.
The disruption caused by a crisis creates opportunities that malicious actors leverage for their purposes, e.g. stealing money, trade secrets and personal data. For instance, from an attacker’s perspective, a hospital whose information system is paralysed by a ransomware attack is more likely to pay a ransom when it is under the pressure of a major health emergency. SMEs struggling to survive with relatively few IT staff in a more exposed digital environment are more likely to skip or delay patching processes, leaving their servers vulnerable to intrusion. Employees are also more likely to click on malicious “important Covid-19 information” attachments or links in emails.
Lesson 2 – During a crisis, organisations should continue to responsibly manage rather than neglect digital security risk.
It is necessary to maintain good digital security risk management practices during crises.
However, organisations can fall into two major pitfalls during a crisis: following plans or frameworks designed for “normal times” that are too rigid and not adapted to the current crisis; or disregarding digital security risk management processes entirely because of exceptional circumstances and the need for fast decisions.
The COVID-19 pandemic revealed how difficult it can be to follow digital security processes during a crisis, especially when the nature of the crisis places a high stress on the digital ecosystem, including infrastructures, people, and processes. For instance, in a very short period, many public and private organisations rapidly shifted entire workforces out of corporate facilities and into virtual environments, facilitating corporate use of personal computing devices, and adopting new teleconferencing and remote access tools almost overnight. In some countries, the government accelerated the development and deployment of “e-government” services to enable the continuity of public services (e.g. to pay taxes or obtain administrative documents) in the context of strict sanitary measures (e.g. lockdown, social distancing).
Under such circumstances, it may be tempting to bypass risk assessment and treatment processes altogether in order to swiftly ensure business continuity. However, fast implementation of new or temporary digital infrastructures and adoption of new processes on the fly are likely to create weak links that malicious actors are continuously seeking to exploit. A successful digital security attack during a crisis could have severe consequences for the organisation, such as interrupting business continuity, exposing it to a massive data breach that damages its reputation, or leaking its trade and innovation secrets and undermining its competitiveness.
Business (rather than technical) decision makers should own the responsibility to decide what to do with digital security risk (i.e. reducing, accepting, avoiding or transferring it). Bypassing digital security risk management procedures is incompatible with responsible decision making. Even under exceptional circumstances, businesses and other organisations, including governments, need to manage digital security risk responsibly to avoid counter-productive effects in the short, medium and long-term.
Lesson 3 – Exceptional circumstances call for agile digital security processes to enable business continuity.
Nevertheless, digital security must support business objectives rather than hinder them through rigid bureaucratic processes. Exceptional circumstances demand more agility than usual for fast implementation of new solutions that are both effective and trusted.
Therefore, digital security risk management processes should be flexible to match exceptional business needs without sacrificing good security practice. During the crisis, decision makers should expedite digital security risk assessment and treatment processes to enable the rapid shift to emergency digital solutions that ensure business continuity. This requires an effective, trusted and seamless relationship between business decision makers and technical security experts, enabling business-driven digital security risk management decisions. To adapt to a wider range of situations, organisations could, for example, adjust the complexity and depth of their digital security risk management decision making processes according to levels of crisis likelihood (e.g. from unlikely to actual).
In addition, out of necessity, a higher tolerance of risk would likely shape digital security risk management decisions during the early days of the crisis, increasing the organisation’s risk exposure (e.g. opening network ports, deploying insufficiently tested solutions, etc.). It is important to review these operational decisions once the emergency has passed, and to ensure that digital security risk accepted under exceptional circumstances still matches the organisation’s risk appetite in normal circumstances.
Lesson 4 – Digital security preparedness is key and should be part of broader business continuity planning.
The COVID-19 pandemic highlighted the importance of preparedness, whereby an organisation has tested plans that it can rapidly implement when disruptive events occur in order to ensure business continuity and resilience. Preparedness is an essential part of digital security risk management, as articulated in the “preparedness and continuity” principle of the Recommendation on digital security risk management for economic and social prosperity (OECD, 2015[1]).
Nevertheless, organisations tend to approach digital security preparedness in a narrow manner, as a means for them to be ready for a digital security incident escalating rapidly into a crisis. The COVID-19 crisis demonstrated that a non-digital security crisis can also require special digital security readiness. It is therefore necessary to further integrate digital security preparedness into the broader enterprise risk management, business continuity and crisis management planning.
For organisations, going back to “normal” is also an opportunity to review the effectiveness and consistency of emergency plans and digital security risk management processes (e.g. did the organisation follow pre-defined processes? Were the emergency plans flexible enough? etc.).
For governments
Lesson 5 – During a crisis, the government needs to extend its reach beyond operators of critical activities to key actors in their supply chain.
The COVID-19 pandemic also highlighted the role of public policy frameworks (see note 1) in strengthening digital security of critical activities. These frameworks identify operators of critical activities and set digital security risk management requirements they should meet. The Recommendation on Digital Security of Critical Activities (OECD, 2019[2]) provides a set of policy recommendations for governments in this area (see Box below).
In many countries, digital security agencies had established communication channels with operators such as hospitals, to facilitate information sharing regarding emerging threats, and provide technical assistance if necessary. However, in some countries, governments had to refine their lists of operators of critical activities in the healthcare sector to include organisations involved in their supply chains, such as producers and distributors of face masks, medical tests, and ventilators, or vaccine research centres. Governments had to rapidly identify these actors, inform them about potential digital security threats and security measures to implement, and establish communication channels for potential assistance in case of disruption.
OECD Recommendation on Digital Security of Critical Activities
Adopted in December 2019, the OECD Recommendation on Digital Security of Critical Activities sets out a range of policy recommendations to ensure that policies targeting operators of critical activities focus on what is critical for the economy and society without imposing unnecessary burdens on the rest. These recommendations support adherents in:
Adapting their overarching policy framework;
Ensuring that operators effectively reduce the digital security risk to critical functions to a level acceptable for society;
Promoting and building trust-based partnerships; and
Improving co-operation at the international level.
The Recommendation also clarifies how this public policy area relates to broader national risk management/critical infrastructure protection policy.
Source: OECD.
Governments should adopt ambitious plans to strengthen digital security in the healthcare sector and for SMEs in the medium term
Lesson 6 – There is a need for proactive policies to improve digital security in the healthcare sector and for SMEs.
The COVID-19 crisis drew attention to the weak digital security of SMEs and small organisations such as local governments. Like large businesses, they were forced by the COVID-19 pandemic to switch to teleworking, sometimes overnight. This shift has increased the potential for attacks and introduced new vulnerabilities. For instance, many SMEs did not have Virtual Private Networks (VPNs) in place, did not use multi-factor authentication for remote access, or had to allow employees to use their own devices, which were not as secure as the ones provided by the organisation.
Furthermore, the crisis underlined the vulnerability of the healthcare sector. As highlighted in the April 2020 OECD policy brief (OECD, 2020[3]), there have been multiple cases of malicious actors targeting the healthcare sector during the crisis, including Distributed Denial of Service (DDoS) and ransomware attacks on hospitals in France, Germany, Spain and the Czech Republic. However, attacks on such institutions are neither new nor rare. Significant gaps in digital security risk management in this sector have been identified and documented for years. Successful digital security attacks on hospitals have happened in many countries, including France, Germany, and the United States. In 2017, many health care organisations were severely hit by the WannaCry ransomware, in particular in the United Kingdom, because they had poor vulnerability management processes (i.e. patches not implemented in a timely manner) and relied on operating systems that had reached their end-of-life, i.e. for which security updates were no longer provided. The same year, the Health Care Industry Cybersecurity Task Force convened by the US Department of Health and Human Services concluded that “healthcare cybersecurity is a key public health concern that needs immediate and aggressive attention”. These significant gaps in the healthcare sector often result from a lack of awareness and skills, limited digital security risk ownership, a lack of resources and funding for digital security, and a lack of co-operation and information sharing mechanisms. Nevertheless, in many OECD countries, hospitals and other health institutions are considered operators of critical activities and are subject to regulations such as the European Union Network and Information Security (NIS) Directive.
Governments should develop ambitious plans to address the significant gap in digital security for SMEs and in the healthcare sector.
Nurturing a multi-stakeholder digital security ecosystem is essential to enable information sharing during crises
Lesson 7 – During crises, information sharing on risk is crucial and often relies on a pre-existing ecosystem of trusted partners.
Identified as a key principle in the 2015 OECD Recommendation on Digital Security Risk Management for Economic and Social Prosperity, multi-stakeholder and international co-operation has emerged as a critical condition for success in managing digital security risk during the COVID-19 crisis. Effective information sharing on digital security risk, including threats, vulnerabilities, incidents and protection strategies, often relies on a pre-existing ecosystem of trusted stakeholders spanning many levels (organisations, sectors, stakeholder groups and borders).
In many OECD countries, the COVID-19 crisis shed light on new, unexpected and often generous forms of multi-stakeholder co-operation. Many digital security service providers offered free assistance to vulnerable groups such as healthcare organisations and SMEs (e.g. the “COVID-19 CTI league”, for Cyber Threat Intelligence, gathered digital security professionals from across 40 countries, offering free services to vulnerable actors).
Governments often play a key role and act as a convenor or co-ordinator for such multi-stakeholder co-operation. For instance, in France, the digital security agency ANSSI leveraged the existing awareness raising and incident reporting online platform (see note 2), based on a public-private partnership, to provide resources and to connect individuals and organisations with digital security service providers. In Israel, the government launched a marketplace to facilitate connections between such actors, on which vendors are vetted by the Israeli National Cyber Directorate (INCD) in a fast-track manner (see note 3). The crisis also highlighted the importance of innovative models of public-private partnerships and multi-stakeholder co-ordination, for instance with the use of regulatory sandboxes in the health sector.
It takes time to build trust between stakeholders with different cultures and objectives. Governments can help create the conditions to facilitate multi-stakeholder co-operation mechanisms based on trust, in particular for information sharing regarding the threat landscape and the pooling of resources.
Further reading
[1] OECD (2015), Recommendation of the Council on Digital Security Risk Management for Economic and Social Prosperity, https://www.oecd.org/sti/ieconomy/digital-security-risk-management.pdf.
[2] OECD (2019), Recommendation of the Council on Digital Security of Critical Activities, https://legalinstruments.oecd.org/api/print?ids=659&Lang=en.
[3] OECD (2020), Dealing with digital security risk during the coronavirus (COVID-19) crisis, https://oe.cd/il/covid-digitalsecurity.
Notes
1. For instance, in the European Union, the NIS directive requires States to designate operators of essential services (OES).