Cyber security: how to avoid the catastrophic risks
Develop a cyber security strategy as if your organisation’s existence depends on it
Most companies survive most cyber attacks. For example, two American tech companies lost more than $100m to a crafty cybercriminal using forged credentials, but this financial attack never threatened the existence of the two businesses. A German steel mill lost control of a blast furnace – and the ability to protect workers – to hackers who gained remote access and overrode safety controls, but again, this company survived too.
Companies must take steps to address many types of risk – financial, operational, reputational, and others. But as business becomes ever more reliant on technology, addressing catastrophic risk – losing all data, production systems, or intellectual property – must also be on every executive’s agenda.
When hackers targeted Code Spaces, a software collaboration platform, they deleted all of the company’s data and its backups. Overnight, Code Spaces shut down. Existential threats are not always sudden, however. Over the course of 10 years, hackers siphoned the intellectual property of a North American telecommunications giant: Nortel Networks. Nortel no longer exists, and although it has not been proven in court, many speculate that its stolen IP helped the company’s foreign rivals get a competitive edge.
Questions for everyone
The attacks on Code Spaces and Nortel show the kind of damage that dedicated hackers can cause when focused on a specific target. This summer, WannaCry and NotPetya demonstrated that even relatively unsophisticated, untargeted attacks can cause considerable, widespread damage simply because minimum defense mechanisms, such as well-executed patch management strategies, were not universally in place. Although a failure in patch management may sound like technobabble for the IT department to sort out, it is not a challenge that can be solved solely by using the most sophisticated technology or by employing the most talented IT and security professionals.
Making an organisation cyber resilient requires close cooperation between business and technology leaders. Has your organisation identified its digital crown jewels – the data, systems or intellectual property that must be guarded most closely? This question must be answered before the IT teams can adequately prioritize what to patch. Likewise, has your organisation calculated how much cyber risk it can afford? If not, the IT and security teams are working in the dark.
Many companies fell victim to WannaCry and NotPetya because business leaders were inadequately trained about the risks posed by unpatched systems. These business leaders did not prioritise software maintenance, and their systems remained unpatched many months after the threat was known to security teams. Does your organisation have a culture where business leaders work with security leaders to balance operational and security objectives?
Effective cybersecurity must be aligned with your business strategy, and cyber risk must be an integral part of your corporate risk management strategy. (See Cybersecurity Meets IT Risk Management: A Corporate Immune and Defense System.) This cyber risk strategy must be guided by an engaged board of directors. (See Advancing Cyber Resilience: Principles and Tools for Boards.) And the strategy must be implemented and managed by executives that understand the risks. (See “Building a Cyberresilient Organization.”)
Does your company have a well-formed cyber security strategy? If your organisation’s existence depended on it, could executives answer the following questions?
- What is our most critical data, and who can access it? What are our most critical assets?
- How much cyber risk, physical risk, and brand risk can we afford?
- How do we address vendor, partner, and ecosystem risk? How do we gain consumer trust?
Governance, policies, and processes
- Who owns cyber security and cyber risk in our organisation, and how are they supported?
- How have cyber security and cyber risk management processes and policies been deployed?
- When did we last test our network and our incident response process by asking “what if…”?
External participation and internal collaboration
- Are we competing with our rivals on cyber security or collaborating with them?
- Are our cybersecurity, safety, and quality management functions working together?
- Have we established an appropriate cyber risk culture in our organisation?
- How do we use our cyber security culture to enable our business and digital strategies?
If you don’t know the answers, it is time to get to work.
By Stefan A. Deutscher, associate director in the Berlin office of The Boston Consulting Group; Walter Bohmayr, senior partner and managing director in the firm’s Vienna office and Alex Asen, senior knowledge analyst in BCG’s Boston office.
BCG is a strategic partner of the CBI's Cyber Security Conference, held in London on 13 September
Next post: WannaCry: the fear of change is to blame
Previous post: GDPR: A framework to improve business