On Firm Foundations: Cybersecurity and Digital Development Strategies Post COVID-19

[Photo: hand holding a mobile phone. Credit: KC Nwakalor for USAID / Digital Development Communications]

This blog was authored by Alexander D.J. Botting, Senior Director of International Cybersecurity Services, Venable LLP and M. Daniel Vazquez, Sr. Standards Specialist, Resonance

Over the last decade, policymakers and development agencies alike have used Information Technology (IT) as a catalyst for economic development. This technology has been applied to build workforce productivity, accelerate economic development, and improve the business enabling environment. However, the twin forces of rapid technological adoption and the proliferation of online users have exposed companies to a new set of threats in cyberspace that can have catastrophic consequences to both their operations and the ecosystem in which they operate. Such threats are more vicious during a crisis, like the current COVID-19 pandemic, when people and companies are trying to address myriad corporate challenges at the same time as adapting to telework. 

Phishing emails, ransomware, and password attacks are already proliferating. In some cases, legitimate websites, such as Johns Hopkins University’s COVID-19 heatmap created to provide information to the public about the pandemic, have been illegally cloned and altered by malicious actors to implant malware.[1] The level of exposure will further increase as countries across the globe embrace the digitization and virtualization of their economies to build their resilience in a post-pandemic world, overshadowed by the threat of future outbreaks and disruption to face-to-face interaction. 

These threats transcend size, sector, and level of IT sophistication. Small and Medium-Sized Enterprises (SMEs) may be particularly vulnerable to attacks because they have fewer resources to devote to cyber preparedness and crisis management, yet depend on IT tools to conduct business.[2]

A study carried out by the National Cyber Security Alliance, a public-private partnership that works on cybersecurity awareness, found that about 25 percent of the small businesses surveyed do not have a cybersecurity plan in place.[3] This is despite the high number of breaches involving small businesses (43 percent according to a 2019 study by Verizon)[4] and the dire financial consequences that those attacks have on such firms (one in four file for bankruptcy and 10 percent go out of business).[5]

The vulnerability of SMEs is compounded by a lack of understanding of the economic risk posed by lax cybersecurity, and by weak or absent protocols to protect essential IT infrastructure, detect breaches, respond to attacks, and recover from incidents. The use of generic passwords such as “password” or “admin” is still commonplace. “Who do you know that can help us?” is a frequent plea by management in the wake of an attack. Recovering sensitive data, such as information provided by clients, from scans of old printouts is a necessary step to try to rebuild operations. All of this tells us that the reality for most SMEs after an attack is chaos, uncertainty, and loss of competitiveness and revenue, often ending in the closure of operations.

Donor efforts, such as those by USAID, to strengthen business enabling environments of the digital economy should address this problem by incorporating cybersecurity considerations into their design, even more so if those interventions include IT components. Drawing a parallel: in the same way that safeguards are built by default into water infrastructure development projects, cybersecurity standards should be incorporated into cooperation projects.  

This approach cannot be a one-size-fits-all recommendation, given the diverse challenges facing companies of different sizes operating in diverse markets or sectors. Nonetheless, there are at least three basic pillars that can be incorporated into donor strategies to lay the foundations for robust cyber resilience of businesses.

A first pillar should be encouraging the adoption of a risk-based approach to cybersecurity. This concept is not foreign to the private sector, as it has long been broadly adopted by financial services, communications, and energy companies globally to deal with the myriad threats confronting them. The NIST Cybersecurity Framework (CSF), for instance, is used by roughly 30 percent of companies in the U.S. and Japan and has been adopted by more than a dozen governments around the world. By utilizing the CSF (or its international standard counterpart, the International Organization for Standardization's ISO/IEC 27103 Information technology — Security techniques — Cybersecurity and ISO and IEC Standards) in national cyber frameworks, governments can both guide SMEs towards its use and better ensure international alignment in addressing shared cyber threats.

At a firm level, this approach helps companies identify risks and prioritize resources to address them. When done effectively, a risk-based approach is more responsive to continuously evolving threats than rigidly defined or prescribed cybersecurity regulations. By nature, regulators tend to lag in responding to the rapidly shifting (and increasingly complex) operating conditions faced by businesses. This, combined with a typically narrow regulatory purview, means regulators are often unable to adopt comprehensive solutions to security that account for the complexities of business operations.

Businesses face heterogeneous risks. Risk-based approaches reflect this reality by allowing SMEs to develop strategies based on their own levels of risk and prevailing business practices. A community bank has a higher risk profile than a mom-and-pop cafeteria. A cloud provider may need to comply with contractual requirements that are not codified but are rapidly becoming standard business practices worldwide.  

A second pillar is to foster security awareness in the digital ecosystem itself. Here, building on international best practices, technical assistance programs can develop assessment tools for domestic SMEs that help them take a holistic approach to cybersecurity. At a minimum, the tools should help SMEs understand the inherent economic costs and benefits of cybersecurity for their business, the nature of threats, their level of exposure, how they can develop appropriate mitigation measures, and how to quantify the positive economic externalities of cybersecurity. An essential component would be increasing local awareness of globally recognized standards and best practices that are proven to reduce cybersecurity risks, effectively strengthening the linkage of the domestic ecosystem with global coordination efforts. Likewise, SMEs would benefit from greater sensitization to how reputational damage and safeguarding clients’ safety play into a company’s digital competitiveness.

This can be complemented by promoting sectoral approaches to security. Sponsored by USAID or other donors, stakeholders in one sector can reach consensus on the means that can be used for communicating information about breaches and threats safely—to both regulators and consumers—in case of an incident. Having a clear reporting mechanism can be particularly useful for resource-strapped SMEs in a post-COVID-19 world. 

Informed by global best practices, agreements can be reached regarding what constitutes an effective approach to cybersecurity. Process standards for managing attacks can be crafted, informed by domestic realities and post-health-crisis circumstances, and communicated to stakeholders in ways that ease their adoption throughout the ecosystem. Methodologies can be developed to assess the economic advantages of increasing cybersecurity in a sector, and to implement cost-effective strategies for improving cybersecurity at the firm level.

A third pillar is strengthening the ability to engage in international coordination efforts. In an interconnected world, cybersecurity threats regularly arise from abroad and easily expand globally. A prime example is the WannaCry attack of 2017.[6] This ransomware attack started encrypting files in Asia, and within 24 hours there were reports of systems being infected in 150 countries. This example cogently illustrates the need for strong efforts that go beyond domestic borders to address threats in the digital economy and to prevent unscrupulous cybercriminals from taking advantage of future health crises.

In this context, international cooperation can take the form of harmonizing national frameworks for cybersecurity, ratifying laws and policies that penalize cybercrime such as the Budapest Convention, as well as multistakeholder engagement in the development and adoption of international standards for cybersecurity. 

In the world that will arise after COVID-19, unprepared SMEs face a digital landscape where threats are even more plentiful. International stakeholders must support SMEs with the tools to navigate this landscape. Ignoring this reduces the value of donor efforts to help those companies thrive in the digital economy. It diminishes SMEs’ competitiveness since, rightly so, cybersecurity gives competitors an edge. Ultimately, it endangers countries’ self-reliance and innovation-readiness by not giving innovative SMEs the tools needed to address cyberattack risks. By embedding cyber resilience among all participants of a digitally-connected economy, we can ensure that development strategies are built on firm foundations and that the post-COVID-19 risk curve for cyberthreats flattens out, enabling SMEs to flourish.

[1] Krebs on Security. Live Coronavirus Map Used to Spread Malware. https://krebsonsecurity.com/2020/03/live-coronavirus-map-used-to-spread-malware/
[2] The National Broadband Plan estimates that 97 percent of SMEs use e-mail and 74 percent have a company website. https://transition.fcc.gov/national-broadband-plan/national-broadband-plan.pdf
[3] National Cyber Security Alliance (NCSA). 2019 Small Business Cybercriminal Target Survey Data. https://staysafeonline.org/small-business-target-survey-data/
[4] Verizon. 2019 Data Breach Investigations Report. https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf
[5] National Cyber Security Alliance (NCSA). 2019 Small Business Cybercriminal Target Survey Data. https://staysafeonline.org/small-business-target-survey-data/
[6] The Verge. The WannaCry ransomware attack has spread to 150 countries. https://www.theverge.com/2017/5/14/15637888/authorities-wannacry-ransomware-attack-spread-150-countries