Skip to main content

The next pandemic-level threat: A global cyberattack

(Image credit: Image Credit: Geralt / Pixabay)

Despite prior warnings that infectious disease pandemics presented a high-impact threat, Covid-19 seemed to catch governments and companies off guard. Few were prepared for a wide-reaching, long-term impact quite like this.

Looking to the future, from a disaster recovery and business continuity perspective, there is something else that could be similarly disruptive if and when it strikes: a global cyberattack. If a large-scale hack hit, a major cloud provider, for example, the effect on organizations worldwide could be seismic.

Better preparation for such an event is therefore vital. By taking steps to build further resilience and learn lessons from the current crisis, businesses will be in the best possible shape to cope.

Unprepared and unready

For context, infectious disease pandemics have appeared in the top ten of the World Economic Forum’s highest-impact risks since 2018. They have also appeared as one of the likeliest threats in the UK’s National Risk Register, and in regional Community Risk Registers. Despite this, prior to Covid-19, the majority of organizations (66 percent according to the Databarracks 2020 Data Health Check) didn’t have a plan for how to respond to a pandemic.

The reason we have Risk Registers is to identify the most significant threats to your organization, so you can plan and prepare for them. From a business continuity point of view, Covid-19 was a warning for leaders to revisit those lists to see if anything else is being neglected.

The lesson here is that business continuity planning can sometimes be too inward-looking, focusing on incidents that affect only us, in the micro rather than macro picture. What happens if our IT is down? What would we do if our office is unavailable? The pandemic has shown the greatest continuity challenge is when everyone is impacted at once. These crises affect not only your own operations but your customers and entire supply chain at the same time. The questions we should also be asking are “what if everyone’s office is unavailable?” or “what if everyone’s IT is down?” The impacts of these wider crises are harder to mitigate because they are beyond our direct control.

Worldwide cyberattack: a matter of when and not if

In November 2020, AWS experienced an outage affecting a number of companies using its services, including Adobe, Roku and Glassdoor. While not caused by a cyberattack, the disruption lasted several hours, bringing to light not only our reliance on cloud services, but also the risks to businesses when these services are no longer available.

We’ve not yet seen a successful cyberattack on a major cloud provider, but, as predicted by the World Economic Forum it is inevitable. The recent SolarWinds hack is an example of compromising a product used by thousands of organizations. Described by Microsoft president Brad Smith as “the largest and most sophisticated attack the world has ever seen”, the campaign compromised a wide range of US government agencies, leading to a federal investigation of unprecedented scale.

The cloud oligopoly

The threat is very real, so what can we do now to guard against it?

The cloud computing market is dominated by a few key players, namely AWS, Microsoft and Google. To get a sense of their ubiquity, AWS reported revenues of $12.7 billion in Q4 of 2020 alone, while Azure saw quarterly growth of 50 percent and Google Cloud recorded $3.83 billion in Q4 revenue.

These services are very well defended, but they are also a target. If they do get hit, the knock-on effect for all the companies hosted on them will be severe. The effect will be similar to how the pandemic has affected the entire supply chain at the same time. IT has been centralized and hosted with these cloud providers. A major cloud outage would impact SaaS systems, your suppliers and your customers.

More points of redundancy

Firstly, diversify your organization’s supply chain. As the pandemic progressed, we saw countries like China, Italy and Brazil severely impacted at various times. Organizations with redundancy in their supply chain were able to shift to other territories to minimize disruption. Make sure you are not dependent on a single geographic area. A state-level attack could severely impact a single country, so having an alternate supply increases your resilience.

Each of the cloud providers offer the ability to run your IT from multiple availability zones in a territory or across multiple regions.

This offers protection against issues in a particular geography, but you are still using the same cloud provider. Availability zones and regions are designed to act as entirely separate entities. In theory, issues shouldn’t spread between them. In practice, we have seen issues in the code affect multiple regions.

We recommend going further and having multi-cloud resilience, using a separate cloud provider as a backup. Immediate failover from one cloud to another comes at a cost few businesses can justify but keeping a backup of data in another cloud is not a high cost and is good practice to limit single-supplier risk.

Doing things the old-fashioned way

It’s important to think about whether you could cope without IT for an extended period. Businesses that have suffered ransomware attacks have learned a lot about this, having to take novel measures to keep the lights on and minimize long-term damage. Could your organization, for example, operate effectively without IT for a month? Again, what if the cyberattack in question affected a large number of businesses, or your customers and suppliers lost their IT too?

Technology has made businesses much more efficient by automating manual tasks. It’s now so reliable that we’ve lost a lot of the manual processes which we would revert to in times of crisis. We need to put some of these alternative methods back in place in response to this threat.

For example, imagine your online ordering system is offline due to a cyberattack, leaving customers unable to place orders through that channel. Staff should be ready to intervene to manually take orders. Such alternatives will always be less efficient and more expensive, but they can keep you operating.

Learning hard lessons

Business continuity and risk professionals can take one positive from the upheaval of the Covid-19 pandemic: when they speak now, the organization will listen. Whatever preparations were made in anticipation of such an event, they weren’t enough to prevent massive disruption.

Now is the time to learn some hard lessons from the pandemic and make companies more resilient, particularly in the face of a large-scale cyberattack.

Peter Groucutt, Managing Director, Databarracks (opens in new tab)

Peter Groucott has a history in understanding and mitigating risk, having spent many years working in risk management roles within the banking sector – particularly developing applications to monitor value-at-risk across the banks treasury and hedged products.