This is part one of a two-part series.
As the COVID-19 pandemic ravages the American health care system, underfunded medical centers are struggling to provide adequate care. And patients in poorer counties, who may not have access to better options, are experiencing higher mortality rates than average.
Now add to this the growing fear that cyberattacks could strike one of these vulnerable hospitals or clinics. Naturally, the same economic struggles that restrict health care providers from hiring more doctors or investing in newer medical equipment also prevents them from staffing up their security team and bolstering their cyber defenses. And once again, it is the patient that ultimately suffers the consequences.
But this cyber “digital divide” that separates the “haves” from the “have-nots” in the health care sector is just a microcosm for a much larger reality that has invaded virtually every industry: Businesses and institutions in poorer or underserved regions are less equipped to fight off cyberattacks than their well-funded counterparts in affluent cities.
Put simply: “Poor communities are more at risk. For real,” said Michael Hamilton, chief information security officer at CI Security and former CISO of Seattle.
A public and private sector problem
Hamilton’s colleague Drex DeFord, health care executive strategist for CI Security, fears a cyber incident for some of the more vulnerable health care systems, could be the difference between life and death. It also could be the event that pushes a medical facility over the edge, causing it to shut down, perhaps permanently. It’s happened before.
“And when something like that happens, you really punch poor people in the gut, when they’re already down,” DeFord told SC Media.
“The thing about big national health care emergencies like COVID is the amazing way that they expose problems with the system – underlying challenges that have kind of been there for years and years,” DeFord continued. “And that’s a lack of robust health care systems… And inside of those healthcare systems is a lack of highly skilled cybersecurity specialists who can protect that critical infrastructure in those smaller communities, at a time when it’s needed the most.”
Now consider municipalities, which Hamilton describes as “hanging by a thread” – underfunded and with no access to professional cyber practitioners in regions where professionals are not inclined to live.
Local government covers “water purification, waste treatment, traffic management, communications for law enforcement, public safety” and much more, Hamilton continued. Unfortunately, government systems are “super easy to knock over, and the impact of that is your toilet won’t flush, you can’t trust your water, all the [traffic] lights are blinking red, cops don’t get to your house on time,” and other disastrous scenarios.
This frightening reality isn’t lost on adversaries, either. For every Baltimore or Atlanta infected by ransomware, there are many more smaller cities like Leeds, Alabama and Lake City, Florida attacked, relying on ransom negotiations and cyber insurance to keep the financial damage of a payout as minimal as possible.
Cyber budgets and awareness levels are especially paltry among America’s school districts. A new survey-based report from Morphisec states that just 27 percent of K-12 educators in the U.S. are using antivirus software, and only 11 percent are using a virtual private network. More than half, 52 percent, say their schools have not warned them of the dangers of ransomware.
The trend also extends to small and medium businesses, which often find themselves below what Wendy Nather – head of advisory CISOs for Duo Security at Cisco and former research director of the Retail ISAC – calls the “cyber poverty line.”
But “security poverty is more than simply a matter of money,” Nather told SC Media. “Like socioeconomic poverty, it is a number of dynamics that come into play: budget, expertise, capability, and influence. Even if all security technology were available for no cost, you need the expertise to configure and maintain it. Even if you know what you need to do, you may not have the capability or capacity if, for example, you can’t run your own network or make changes to the software you’re using. Finally, smaller organizations, or those with less funding, can’t always influence their providers to meet necessary security standards.”
Such struggles are common among smaller entities. While rather outdated, a 2017 survey conducted by Vistage, in partnership with Cisco and the National Center for the Middle Market, found 62 percent of small and medium businesses didn’t have an up-to-date or active cybersecurity strategy in place. But when organizations are also operating in economically depressed regions – whether it’s a rural area devoid of tech infrastructure or an inner city in need of commercial revitalization and development – the challenges are exacerbated.
But the question is: by how much exactly?
Meaningful research is scarce
Is it possible to statistically measure and quantify the cause-and-effect between socioeconomic status and cybersecurity hygiene? Are they, in many cases, directly proportional?
Regrettably, this is where empirical data is sorely lacking.
Michelle Mazurek, an associate professor of computer science at University of Maryland, College Park, with a specialty in human-centered computer security, explained to SC Media why the correlation between socioeconomics and cybersecurity has not been heavily mined for insights.
“It’s still, in a weird way, really early,” said Mazurek. “Computer science as a whole hasn’t been around that long relative to something like physics.” And the study of cybersecurity within computer science is even more nascent and presents its own challenges.
For starters, security is just hard to measure, Mazurek said. But also, cooperation from organizations or municipalities is critical, and institutions in general have been reluctant to talk about their security posture.
The fear is this, Mazurek explained: “‘We’re going to talk about it and then people will realize that we have a problem and then they’re going to come and try to exploit us.’ So it’s really hard, actually, to get realistic data about how these things work in the wild.”
Multiple experts who spoke with SC Media agreed that a research study examining the relationship between socioeconomic status and cybersecurity would be a valuable and worthwhile endeavor. It’s just not clear how to go about conducting one.
Phil Reitinger, president and CEO of the Global Cyber Alliance – a nonprofit organization focused on eliminating systemic cybersecurity risks – suggested one method might be to examine which regions within a given nation include the highest concentrations of organizations using out-of-date software. Hamilton, meanwhile, said researchers could look for “an increased incident rate of [cyber] events in organizations that you could demonstrate as poor.” They also could track the businesses that have closed as a result of cyberattacks and look for economic trends, he noted.
One survey commissioned by the National Cyber Security Alliance and conducted by Zogby Analytics did find that 30 percent of small businesses surveyed experienced an official security breach in 2019; of those businesses, 25 percent filed for bankruptcy and 10 percent went out of business.
But that study, like most, looked at small businesses generally. It did not factor in socioeconomics. Another study ranked geographies where small businesses are most likely to suffer a cyberattack, but the ranking focused exclusively on metro areas, which are typically more financially sound.
In 2017, Mazurek co-authored an academic research paper that examines whether socioeconomic status affects individual users’ cyber awareness and their likelihood of reporting a security incident.
Using results gleaned from a 3,000-respondent telephone survey, Mazurek and her two co-researchers found that users of a lower socioeconomic status (SES) tend to count on different sources of security advice than more affluent users do. According to the study, low-SES users rely more heavily on their friends for security education, and less on more reliable sources such as coworkers and websites. This is perhaps because their jobs may be more blue-collar roles that don’t require access to computers or training, Mazurek suggested.
And yet, the low-SES users reported experiencing the same number of fewer negative personal cyber incidents than their high-SES counterparts. The reasons for this outcome are unknown.
Still, security pundits don’t need hard data to see the anecdotal evidence playing out in front of their faces: poorer organizations struggle to acquire desperately needed security resources.
“It’s obvious,” said DeFord, suggesting that any such official research finding would likely provoke the response: “Didn’t we already know that?”
Perhaps a more practical question, then, would be to ask where economically struggling organizations are experiencing the greatest cyber inequity. In other words: Where are they most deficient?
Hamilton, for one, said that businesses organizations with little money to invest in cybersecurity tend to overly rely on preventative controls such as firewalls, URL filters, email security solutions and antivirus software. Meanwhile, they don’t devote enough funds toward incident detection and response that could “minimize the impact of what is essentially a foreseeable event.”
“Poor communities are more at risk. For real.”Michael Hamilton, CISO, CI Security
“You’re going to get malware on workstations. It’s going to happen,” said Hamilton. But “you don’t have to lose your records, you don’t have to get locked up and extorted. Those things don’t have to happen. And the way that you avoid that is by monitoring your network. Making sure we have eyes on logs, investigate events and put out little fires before they get big.”
Another common problem shared among smaller, fiscally struggling entities, is the preponderance of outdated, legacy devices, “or older systems that are no longer being supported or getting patch updates as quickly… There are quite likely to be security vulnerabilities in there that are going unaddressed,” said Mazurek.
It’s a problem that’s very familiar to Jerry Huff, a member of the CyberRisk Alliance’s Cybersecurity Collaborative advisory council, and CISO of the Kansas Independent College Association, a consortium of 11 independent, non-profit, colleges and universities that collectively share IT resources.
“The number one thing that I see is old stuff running on the network,” Huff told SC Media. “And probably the two vulnerabilities that pop up most are old Adobe Reader and old Adobe Flash. Those two things have been hanging out there for ages.”
Old versions of Windows, Linux and Unix operating systems are commonplace as well, said Huff, who also served as director of operations for Kan-Ed, a program that has provided internet connectivity to K-12 schools, colleges, libraries and hospitals across Kansas. In fact, sometimes it’s impossible to upgrade the OS, Huff explained, because certain systems – an on-premises HVAC system, for instance – might only run on older versions and the manufacturer “made no provision to update that.”
The remote working conditions prompted by the coronavirus have only made matters worse, added DeFord.
“That new model requires a lot of equipment and infrastructure that a lot of these small communities, smaller organizations, are not prepared to support,” he said. So they send corporate desktops home and they let people use their own personal computers to work at home… It compounds this potential cyber threat on all these smaller, less well-funded organizations.”
These are serious cyber maintenance issues, Huff said. But when money is scarce, the business decision makers controlling the budget may have other priorities.
“Maintenance is always easy to defer, because there’s no immediate consequence,” he said. “’The roof isn’t leaking so we can put that off for another year. There’s no issue on network, we haven’t been hacked or anything so you know what… we can put that off for another year.’
But eventually, it hits a point where things start to break.
“All of a sudden, boom,” Huff said. “‘We need a new firewall, we need new servers, we can’t work on Windows 7 anymore because it’s no longer being supported. We have to update everything. Oh my God.’”
Indeed, whether they’re funded by corporate profits, investments, donations or taxpayers, organizations have to make tough choices when allocating their meager budgets. And often this forces institutions into unwanted compromises, said Kiersten Todt, managing director of the Cyber Readiness Institute and DC-based resident scholar with the University of Pittsburgh’s Institute for Cyber Law, Policy, and Security.
“When you have a limited budget… and then all of a sudden you get a line item that is critical, inevitably, you are going to have to figure out what you’re going to give up,” said Todt.
And often it’s cyber that ends up shortchanged.
“It’s not that businesses don’t appreciate the importance of cyber, but “they have these functions that they have to support [first] in order to survive. And they haven’t quite figured out how to get that extra money for cybersecurity resources,” Todt continued.
It’s also a matter of picking the right resources for your organization. Only there’s a problem: Those buying the equipment lack the expertise to truly know what is required. “And if they invested incorrectly, or they haven’t been given the right guidance, then they’re locked into something for a long period of time,” Todt said.
Which brings up another issue for smaller entities: a dearth of in-house expertise and talent.
“We’ve seen in a few studies that we’ve done that experience is the most important factor for security professionals in a variety of different contexts,” said Mazurek. “And this doesn’t just mean pure years of experience, like how many years have you been on the job – although that helps. It also means things like experiencing a broad variety of situations and problems that might happen, to be able to recognize various kinds of security problems when they come up and know how to remediate them quickly.”
The cyber skills gap continues to widen and top-tier cyber job applicants generally gravitate toward major tech hubs and large corporations with deep pockets who are willing to pay handsomely. t’s a key reason the public sector has such a hard time recruiting candidates.
“The value proposition for working in government is you get Groundhog Day off,” said Hamilton. “Meanwhile, Amazon has gigantic bags of cash. That’s our problem right there.”
And whatever manpower an organization does have might be quickly overwhelmed. “In a typical rural hospital, you may just have two or three or four people in an IT department,” said DeFord. “There’s just too much for them to do and not enough highly skilled people to go around.” said DeFord.
Huff said that some of the member colleges in the Kansas Independent College Association had just one IT person handling everything from voiceover IP troubleshooting to adding new users onto the network.
“There is no time for that one person to be proactive in addressing security issues on their network,” he added. “Their full-time job is just keeping it running.”
Terry Ocaña, another advisory council member of the CyberRisk Alliance Cybersecurity Collaborative, said that while he doesn’t think socioeconomic factors have a direct impact on cybersecurity, they may indirectly hamper cyber preparedness insofar as how they affects the local workforce’s mindset.
“As a broad-brush generalization, having moved from a metro region into a rural region, I notice a stark difference in technology fluency,” said Ocaña, the IT director of Chippewa County, Minnesota. As of the 2010 U.S. census, the county featured a population of 12,441 and a median household income of $54,552, with 8.8 percent of the population located below the poverty line.
“Due to the social/cultural differences in rural communities, citizens generally prefer personal over technical business interactions even for mundane tasks such as license renewals, burn permits, building permits, real estate title research, etc.” said Ocaña. This translates into slow adoption of technology services at the county level, which, in turn, slows the learning pace for employees adopting technology, reducing the understanding of how practical cybersecurity needs to be. Instead, cybersecurity is viewed as an IT department function.”
Check back for part two of this series, where SC Media will examine the various ways organizations in underserved communities can even the cyber playing field.