How nuclear thinking can help you eliminate human error.
JPMorgan Chase was hacked because somebody forgot to update the security settings of a server to dual-factor authentication. Health insurer Anthem’s systems fell prey to a “spear phishing” email. Edward Snowden persuaded a colleague to enter his password on Snowden’s computer.
Your own staff are as big a threat to the cyber security of your firm as any technological weakness.
Writing for Harvard Business Review, James Winnefeld Jr, Christopher Kirchhoff and David Upton explain that when US Cyber Command sought to secure its networks, it turned for inspiration to Admiral Hyman Rickover, the man they call the “father of the nuclear navy”. The lessons they learned helped them revolutionise their approach to cyber security. By employing the same tactics, so can you.
THE NUCLEAR SOLUTION
After over 60 years of operation, the US Navy’s nuclear propulsion programme continues to maintain an accident count of zero. By focusing on eliminating human error, Rickover created a safety culture that is as relevant today as it was when the first nuclear submarine was commissioned in 1954.
Training to avoid mistakes – and to detect and resolve problems before they snowball out of control – defines Rickover’s approach to safety. The mission is to turn your firm into a “High Reliability Organisation”.
In 2009, the US military’s seven million devices operated across 15,000 separate network enclaves, with over 100,000 network admins. As an IT infrastructure it was complex, poorly organised and vulnerable to cyber attack.
Robert Gates, secretary of state at the time, created “Cyber Command” and put it under the control of a single four-star general. His mission: to consolidate the US military’s rambling IT networks into a single, secure entity – the Joint Information Environment.
Business leaders need to take cybersecurity far more seriously than they do now. A joint survey by the University of Oxford and the UK Centre for the Protection of the National Infrastructure found that executives inside the C-suite were less worried about cybersecurity than those outside it.
Yet according to a 2014 study by the Ponemon Institute, the average yearly cost of cyber crime has risen by 96% over the last five years. It now takes 33% longer to fix the damage caused by an attack and the average cost of a single strike now stands at $1.6m.
Collapsing a range of legacy systems into a unified IT system is complex, costly and time consuming. But like Cyber Command’s four-star general, it’s up to CEOs to lead the way. Here’s how to apply naval strategy to your own firm.
LESSONS FROM THE NUCLEAR NAVY
1) Create a culture of integrity. The nuclear navy recognises that security depends on following procedure; there are no second chances for personnel who deliberately deviate from protocol.
Commanders are accountable for everything that happens under their command. But by placing a high value on personal integrity, the navy also seeks to avoid a blame culture. Personnel are expected to report every anomaly outside specific parameters and immediately flag any mistakes they make.
And from the most junior to the most senior, staff are expected to listen to their intuition. If they don’t understand something, or they think something’s not right, they’re encouraged to adopt a questioning attitude.
From the CEO down, every member of your organisation should understand they are accountable for security, responsible for drawing attention to potential problems and expected to report their mistakes without fear of retribution. Never tolerate dishonesty.
2) Formal training. Hundreds of hours of ongoing training, drilling and testing epitomise the US nuclear navy’s approach to training. Cyber Command is moving towards the same model by bringing in formal study, self-study and certification via examination – training standards that CEOs should also apply across their organisations.
Naval personnel are strictly supervised until they can demonstrate their competence to operate the systems within their remit and their training never stops – neither should that of your staff.
But many organisations offer only the most cursory of training programmes and updates – not nearly enough. A thorough understanding of IT systems includes learning not just about their operation, but also about their design and vulnerabilities too. That way, personnel are quicker to spot and interpret the signs that something is wrong.
3) Understand and stick to procedure. Would your staff be able to answer any question about their operation of the IT system? Or if not, would they be able to tell you exactly where to find the relevant documentation? The nuclear navy requires its personnel to know procedure inside out and regularly puts this to the test via snap inspections.
The security lapses revealed by routine Defence Department inspections include a police staff officer who held open the door for an intruder carrying a fake ID card. Another officer clicked a link in a phishing email that offered discount purchases. Does this sound familiar?
In 2014, the US military created a procedural architecture for its IT systems. It says who is responsible for what and details how security clearances are to operate both under normal circumstances and when a threat has been identified. For particularly sensitive operations, the military has instituted a two-person rule, ensuring greater resilience to “lone wolf” attacks.
The goal is to make cyber security everyone’s responsibility. But while big firms have cut the number of staff with access to the most privileged information, and set in place security strategies for managing access rights for contractors, small- and medium-sized enterprises need to follow suit.
By installing inexpensive software that monitors and warns staff when they’re about to download or transfer sensitive information, smaller businesses can achieve a higher degree of cybersecurity. Regular reminders help reinforce a security culture. Regular inspections keep everyone vigilant.
4) Formalise communication. Nuclear navy personnel are expected to repeat, verbatim, the instructions they receive. Civilian organisations should also formalise communication to eliminate the potential for misunderstanding. They should foster a workplace mentality that cuts out the small talk and familiarity that lead to mistakes. Your staff should treat cyber security with the respect it deserves.
The newly formed US Cyber Command drew on the experience of its colleagues in the nuclear navy. It's time CEOs adopted a zero-incident strategy too.