Right Tool, Right Job: How the UK lost 16,000 positive COVID cases using Excel... (you read that right)

H.M. Government is about to have an extra boost to their COVID-19 figures. That is, they have found out that there are an additional 16,000 positive COVID-19 cases that they haven't accounted for. Why? Because the software they are using to make sure the figures are correct and verified, the figures on which the UK-wide COVID-19 Crisis Response Plan is based, is... a simple Excel spreadsheet [1].

Yep, you read that right. It's a manual spreadsheet.
The fact that the Government has been collecting data and conducting data modelling using a simple Excel spreadsheet is a truly terrifying prospect. Human error is rife. Reporting errors will be everywhere and are unavoidable - if you insist on using this approach. 

This should be a database system, able to collect various data feeds, in order to provide near real-time data to the right people, in a secure, safe way.

This is, however, a sign of bigger problems. The Government in the UK has done something that has also infected industry sectors in their approach to cybersecurity: we have forgotten what is important, and why we do what we do. Assets are not just computers and servers. They are also people, the files that are absolutely essential to your organization, and the mission-critical passwords that are single points of failure. The questions "What would happen if "x" got run over by a bus? What would happen if you lost that hard drive? That server? ..." need to be asked.

Any cybersecurity professional worth their salt knows C.I.A. (Confidentiality, Integrity, Availability). Each asset, no matter what it is, needs to be assessed on its importance, and the risks need to be understood in order to make sure mitigation plans are put into action.

However, during recent years, cybersecurity has become C.i.a. Big C. Little i and little a. Emphasis is on confidentiality. The rest goes out of the window. The above case shows this in action. Little i. Little a. 

We can see this with another IT-based disaster, Grenfell Towers.

The fire at Grenfell Towers was terrible, and an investigation into how this tragedy could possibly have happened was an essential and much-needed report - to make sure we never repeat the same mistakes again. However, all the files were lost from a single laptop; no backup, no ability to get the data... all gone, zip [2].

You can see what happened. People were worried about the report getting into the wrong hands. They made sure the documents were not on a cloud; that they were isolated on a single laptop. The big C was what was important. Confidentiality at all costs.

And boy, was the price a high price to pay for that one.

The integrity of the data was put as a secondary problem. Availability was a non-issue. All focus was on stopping people hacking that data directly. So when the laptop failed, there was no way to get the data back. Two years of report data gone. Back to square one.

What these cases show is something really simple. People have forgotten the Golden rule:
Use the right tool, for the right job; to collect the right data, to extract the right information, and distribute the results to the right people, in the right fashion, to show everything needed to allow the leadership to make the right informed decision. 
All aspects that put this at risk must have mitigation plans. 

In summary, it's all about risk. Cybersecurity isn't just about the "hackers from Russia getting your data" - but that's our new warm, happy, safe place. It's so much easier and nicer to consider that there is always someone out to get us, rather than the truth: data security has many risks.

It's not only hackers out to get you; it's also human error, insider threat, hardware failures, environmental challenges, rogue actors and so much more...

Your approach needs to understand all of these. 

Good luck. We all need it. 

But let's be frank. Every organization has one of these "spreadsheets".

The first step: make sure you know about yours.

[1] “UK loses 16,000 COVID-19 cases due to Excel spreadsheet snafu | OSINT,” OSINT, 05-Oct-2020. [Online]. Available: https://osint.geekcq.com/2020/10/05/uk-loses-16000-covid-19-cases-due-to-excel-spreadsheet-snafu/. [Accessed: 05-Oct-2020]

[2] ITV News, “Grenfell files ‘lost forever’ after laptop wiped, inquiry hears,” ITV News, 14-Sep-2020. [Online]. Available: https://www.itv.com/news/london/2020-09-14/grenfell-files-lost-forever-after-laptop-wiped-inquiry-hears. [Accessed: 05-Oct-2020]
