lirigtapanccortote

Seven Major Hacks That Changed How We View Cyber Security: The Lessons and the Recommendations from



In June 2020 Swissinfo.ch reported figures from the NCSC (National Cyber Security Center) showing that there were 350 reported cases of cyberattacks (phishing, fraudulent web sites, direct attacks on companies etc.) in Switzerland in April, compared to the norm of 100-150. The coronavirus pandemic and increase in working from home were seen as a major cause of this increase, since individuals working at home do not enjoy the same level of inherent protection/deterrent measures from a working environment (e.g. internet security).







On July 8th, the City of London Police reported that since January 2020 more than GBP 11 million have been lost due to COVID-19 scams. In Switzerland, one in seven respondents to a survey had experienced a cyberattack during the pandemic period.


Cybersecurity is on the agenda of most executive committee meetings, but should perhaps be given extra attention in view of the growing threats during the pandemic. In the midst of the second wave of the coronavirus and concerns about a potential third wave, companies should be proactive in addressing the threats, and plan ways of preventing successful cyberattacks rather than responding when they occur. However, although prevention measures are important, there is also a need for cyberattack detection, response and recovery capabilities.


Not all cybersecurity roles are entirely technical. The CISM teaches valuable information security-aligned managerial skills. This is a domain where assurance and risk management are major parts of the role requirements. It is based on security management principles that are practical and essential to getting the job done.


April 2022. Cybersecurity researchers identified a new campaign by Russian-linked hackers that started in January and targets diplomats and embassy officials from France, Poland, Portugal, and other countries. The hacks started with a phishing email to deliver a malware-laden file to the target.


To answer these questions, we interviewed chief information officers (CIOs), chief information security officers (CISOs), and health care cybersecurity experts at hospitals and developed a system dynamics model to study the dynamics of implementation and maintenance of cybersecurity capabilities in hospitals.


The two main issues affecting resource availability were net revenues and talent availability. For most interviewees, net revenues were perceived to be declining, driven by flat revenues and increasing operating expenses. For organizations with declining net revenues, outsourcing IT to an organization with more expertise was an effort to increase resource availability to undertake more efforts to close cybersecurity gaps. Some of our interview subjects worked at organizations that were financially healthy enough to fund the development of purely internal solutions; however, the majority did not. Two subjects stated the following:


For those who worked at organizations healthy enough to fund internal development, subjects were split as to whether self-hosting and internal development increased resource availability. On one hand, some felt that owning IT policies themselves gave them finer control over how to allocate resources in their efforts to close cybersecurity gaps. On the other hand, some felt that outsourcing security operations to a firm such as Microsoft via purchases of their cloud products simultaneously allowed them to do more with fewer resources and also tacitly allowed them to pay less attention to cybersecurity, thereby introducing an entirely new set of risks.


Our interview subjects often used a successful cybercriminal exploit at another hospital to stoke higher pressure for cybersecurity capabilities by bringing the consequences of that exploit to the attention of their board or managers. They were typically speaking of the pressures imposed by the public and the media and those imposed by Health Insurance Portability and Accountability Act (HIPAA) and related regulation and, more recently, from the US Food and Drug Administration (FDA) in the arena of medical devices.


Some felt that the pressures produced by HIPAA interacted with the target level of cybersecurity capabilities in such a way that the resultant desired level of cybersecurity capabilities encouraged hospitals to focus on the wrong things. One subject stated the following:


What is clear is that the process of external audit at least compels hospitals to adopt some cybersecurity standard (examples given were National Institute of Standards and Technology [NIST] 800-66, Control Objectives for Information and Related Technologies, and Information Technology Infrastructure Library) and try to follow it. One subject stated the following:


Interview subjects stated that external auditors varied in the degree to which they demanded rigorous compliance to that standard but that the standard gave them a helpful tool in socializing good cybersecurity practices throughout the organization. Two subjects stated the following:


Additionally, medical device manufacturers have historically not designed their products with security in mind. Interview subjects were optimistic that this might be shifting, as the FDA has waded into the regulation of the medical device market. However, they felt the process would be slow, as the FDA is slow to certify devices, creating a gap between regulation and practice that exposes patients to more risk. Three subjects stated the following:


For the interview subjects who did not feel that their hospital was developing cybersecurity capabilities, it was mostly because of high turnover at the C-suite level. That high turnover, in turn, led to constant shifts in strategy that became difficult to navigate as an IS specialist, leaving the organizations more reactive than proactive in developing cybersecurity capabilities. One subject stated the following:


In any case, it is clear that health care organizations have been an attractive target recently. Even with an increase in cybersecurity capabilities, the first two reasons for their attractiveness to criminals will remain in place. This overall increasing trend in cybercriminal activities can be incorporated in our model, next to successful cybercriminal activity.


Figure 7 presents what might initially seem to be a counterintuitive behavior: Medium to high stakeholder alignment results in low pressure to have stronger capabilities. However, consider that hospitals with medium to high stakeholder alignment likely already have a higher target and desired level of cybersecurity capabilities, the result being that they are less likely to become the victim of a cyberattack. Hospitals with a low stakeholder alignment, however, would be more likely to become the victim of a cyber incident, thus creating pressure to have stronger capabilities. The result of a low stakeholder alignment environment, therefore, would be a high pressure one.


In practice, a hospital that does not have sufficient resources will struggle to develop cybersecurity capabilities and meet a target level of cybersecurity capabilities. They will almost certainly be the victim of a cyberattack, and following the attack, will likely increase resources for cybersecurity (ie, a reactive mode). In our interviews, many of the interviewees felt that their hospital had been at this point a few years ago.


Reducing end point complexity: the end point complexity of the hospital's environment is rich with exploitation opportunities for cybercriminals. The tension between decreasing the complexity of this environment and providing excellent patient care is a challenging trade-off. If, however, CIOs and CISOs can decrease the end point complexity of their hospitals, it will have a dramatic impact on decreasing the likelihood of cyberattack. Some of the ways, among many others, that our interviewees achieved the outcome of reducing end point complexity were


Improving internal stakeholder alignment: improving internal stakeholder alignment also reduces the likelihood of cyberattacks. We showed that low internal stakeholder alignment decreases the effectiveness of capability development and increases the erosion of capabilities (by not maintaining them). Our experience shows that soft variables such as stakeholder alignments are often forgotten in cybersecurity management.


Resource availability: finally, while we showed that variability in resource availability did not have the strongest impact on successful cybercriminal activities, we also showed that a moderate level of resources is required to have any success in fending off attacks at all. Securing more resources is required to achieve the lowest likelihood of cyberattack, but without internal stakeholder alignment, capabilities are not built and maintained effectively. Furthermore, in the absence of sufficient resources for cybersecurity, setting a high target level of cybersecurity capabilities (beyond those required by policies and regulations) can relatively offset the lack of resources.


Our interview data presents some of the main challenges of cybersecurity capability development at hospitals. Our model also provides an explanatory platform to analyze the complexities of developing cybersecurity capabilities in hospitals. For instance, cybersecurity experts believe that resource utilization correlates strongly with infrastructure age: with the increasing arrival of security patches to a hospital IT department, the number of patches increases with the age of systems. These patches need to be tested for their impacts on internal systems, which creates an endless, losing loop of resource burden. This mechanism can be explained by the general feedback loop B1 in the model, where with the aging systems at a hospital, the cybersecurity level decreases, which in turn requires resources to build capabilities to fill the cybersecurity gaps.


As businesses focus on enhancing cybersecurity, they will need information security analysts to secure new technologies from outside threats or hacks. A shift to remote work and the rise of e-commerce have increased the need for enhanced security, contributing to the projected employment growth of these workers over the decade.

