Companies that focus too much on their technical vulnerabilities and not enough on understanding cyber risk as a business risk leave themselves more vulnerable to attack.
Too often, cyber security discussions are a jargon-filled tech fest centering around the vulnerability of specific items of technology. You feel you lack the knowledge to participate, you zone out, and you leave this vital function to the experts. Then a cyber attacker strikes. And in the aftermath, you’re surprised to learn that, despite all the discussion, your firm was in fact woefully underprotected.
Writing for Harvard Business Review, Thomas J Parenty and Jack J Domet explain that, when cyber security strategy is left to a small cadre of IT staff, it risks becoming a “long, ill-prioritised list of mitigation tasks”.
Instead, the writers suggest, you must think of cyber risk as business risk – focusing on the macro level before addressing the technical minutiae of the measures required to protect your firm from harm.
CYBER RISK IS BUSINESS RISK
The ever-more sophisticated nature of cyber attacks might tempt you to assume it’s complexity – rather than unpreparedness – that leaves your organisation vulnerable to attack. But we’re also failing to learn the strategy lessons from the mistakes of the past.
In 2000, a lone cyberattacker hacked a wastewater treatment facility near Brisbane in Australia and flooded a popular beauty spot with raw sewage. All the attacker had to do was steal a computer of the same type as those used in the pumping stations and – with his systems knowledge plus radio communications equipment – he could access the plants, interfere with the pumps, and cause havoc. It turned out that the computers in the pumping stations lacked any form of password protection.
Nearly twenty years later, the WannaCry cyber attack cost organisations around the world an estimated $8bn. The ransomware attack targeted computers running Microsoft Windows, exploiting a security flaw for which Microsoft had already released a patch. The malware spread via machines that had not been patched, as well as older machines running outdated versions of Windows that no longer received updates. Much of the disruption was preventable.
FOCUS ON CRITICAL BUSINESS ACTIVITIES
Cyber risk is business risk. It affects your business activities. For your cyber security strategy to do its job, you have to shift focus from the specifics of hardware and software vulnerability – that comes later – to critical business activities. What is likely to be attacked, and why? How might an attacker strike? What effect would that have on operations?
This new approach calls for the engagement of a far wider group of people than just IT staff. You need senior execs, operations staff, IT personnel, and relevant specialists – legal, PR, HR, etc. – the people who understand the consequences of a potential attack. All have a role to play in a wider cyber security strategy.
HOW TO BUILD YOUR CYBER SECURITY STRATEGY
1) Stratify the risks. Interview leaders and research company documentation to figure out your firm’s risk tolerance in relation to its goals and vital functions. The business areas that are most important to present and future operations are where your cyber strategy needs to focus, and this varies from firm to firm.
Customer support is a vital function for the gambling industry – over half the gross gaming revenue of casinos in Macau comes from a select group of VIP gamblers. For a discount retailer, it’s much less important.
Think about how your business would be damaged in the event of an attack. How might vital supply chains or trade secrets be compromised – what might be the wider consequences?
A casino business might lose customers if a rival hacks its VIPs’ personal data; a chemical firm might suffer a catastrophic failure causing damage and pollution to the wider environment, perhaps causing loss of life. Where the risks lie varies from company to company – they may even exist outside the firm, in the form of threats to the vital public infrastructure it depends on.
2) Who might launch an attack? “Your adversaries could be countries, criminal organisations, competitors, disgruntled employees, terrorism, or advocacy groups. Don’t underestimate their sophistication: Advanced hacking tools are widely available.”
To find out who’s out to get you, ask company leaders, managers and staff which functions are most operationally vital. A good question to ask is: what does the company have that could be valuable to a cyber attacker?
A Macau casino hadn’t bothered to “encrypt the network connections they used to transmit their VIP client data to a centralised operations centre”. When the writers asked the firm to consider who might gain from launching a cyber attack, they realised that the communications network they used to send this unencrypted data was owned by the casino’s biggest competitor.
Even a customer can be an attacker. When Sinovel, one of wind-turbine software developer AMSC’s biggest customers, suddenly cancelled payments on $800m of business, it turned out that it had stolen the technology from AMSC and rolled it out across more than 1,000 turbines.
Other attackers might have an environmental or political motivation – the inspiration behind an attack could be geopolitical, like the suspected Russian attack on Ivano-Frankivsk power infrastructure in 2015, which probably had nothing to do with the firm or its customers, but everything to do with the firm’s location in Ukraine.
“When evaluating who might want to disrupt your systems, you must look beyond your company to the broader commercial and political world in which it operates.”
3) Which systems need protection? With an understanding of business risk in relation to cyberattack, it’s time to turn your attention to those systems which need protection: “Your company can’t mount an effective cyberdefense if it doesn’t know what it needs to protect.”
This phase of strategy formulation is about auditing your IT systems for vulnerability. Ask operational staff – from engineers to customer support staff and the people who use the systems day to day – what would happen if those systems failed. What would the impact be? Where are those systems?
“The inventory should note the physical locations of the systems so that cyber incident-response staffers know where to go to fix things.”
There are myriad methods attackers could deploy to bring your systems down – you can’t know them all individually, but you can categorise them. Your cyber security staff should understand the likely types of attack, ranging from external hackers using malware to internal sabotage by disgruntled employees, and work to protect business-critical systems from them.
4) How might an attack be successful? After a South-East Asian bank fell foul of a massive debit-card fraud, its investigation revealed that the attackers knew the Visa and Mastercard authorisation code format; that they had procured access to terminals and a database of debit card account numbers; and that they coordinated with local merchants who were complicit in the attack. This is the kind of information you need to acquire before you’re attacked.
What knowledge do attackers need to make their attack a success? From password crackers to laptops and radio transmitters, what hardware and software tools would they need? And where would attackers need to be? The bank hackers needed local accomplices, but they could launch their strike without entering the bank themselves.
Understanding what skills, knowledge, technology and access an attacker needs in order to launch a successful attack is vital to building up your cyber defences.
5) What will the consequences of attack be? Ask a series of “What if…” questions. What would happen, for example, “to the provision of care if a hospital’s patient records were no longer accessible because of a ransomware attack?” In the wake of WannaCry, in the NHS’s case, it was the cancellation of thousands of appointments and operations. Knowing how an attack might affect your core activities enables you to plan workarounds in advance.
Every firm that has fallen foul of a successful cyber attack has the opportunity to benefit from the lessons afforded by hindsight. Preparing a security strategy that treats the cyber threat as a business risk rather than simply an IT problem gives you the tools you need to discover and resolve vulnerabilities before attackers get the chance to exploit them.