Protection comes from proactive security
Organizations should start by throwing out the old rule book. The traditional approach is a reactive one: build high technological walls around the organization and trust them to hold. Over the past decade it has become clear that once attackers breach that barrier, even a single time and by whatever means, they can do almost whatever they want inside it.
In a world where many employees work from home and use a multitude of connected devices, it no longer makes sense to focus exclusively on an increasingly indistinct perimeter. Proactive security, by contrast, assumes that a breach of corporate IT systems is inevitable. It then works out how to minimize the resulting damage and keep the business running while the incident is handled.
As the name suggests, proactive security also involves ongoing preparation. As a starting point, businesses need up-to-date expert threat intelligence about the kinds of attack that organizations in their sector and country are particularly exposed to. For example, some businesses are especially likely to be hit by ransomware while others are more likely to face a denial-of-service attack. Knowing how you might be targeted lets you prepare accordingly.
Sound preparation requires rigorously keeping up with upgrades and patches. It may sound simple, but many businesses skip upgrades or apply them too late for fear of disrupting operations. In practice the downtime caused by a planned upgrade is small, especially compared with the disruption a cyber-attack could cause, and a known, unpatched vulnerability is exactly what attackers look for first.
Even when upgrades and patches are applied promptly, some systems are inherently more exposed than others: internet-facing services, legacy applications that cannot be patched, and systems holding sensitive data. Documenting these weak spots in advance helps limit the fallout from a breach, because it gives IT teams a head start in identifying the system that was originally compromised and in deciding what to isolate first.
In addition, companies must probe actively for vulnerabilities, including by employing ethical hackers to test for weak spots both in corporate systems and in how employees interact with them. Digital transformation has made the attack surface much bigger, which means no organization has the time to find everything that could go wrong. So-called white-hat hackers can step in here to find the most dangerous gaps in security.
Many companies have incident plans, but too often these just sit on the shelf. Instead, businesses need to practice executing their contingency arrangements, including recovery, so that the plan has been exercised before it is needed for real. They need to:
- Know exactly who should lead the response
When a major cyber event occurs, an incident-response team needs to assemble rapidly, one that can identify the source of the problem, direct the work of getting key systems back up and running, and communicate with customers and the public. This team must therefore include the Chief Information Security Officer, if one exists; an IT director who knows the business's IT architecture; a PR director who can draft communications to customers; and a legal director. The last is vital because regulatory reporting obligations apply if personally identifiable information has been breached, and the deadlines can be short (under the GDPR, the supervisory authority must generally be notified within 72 hours of becoming aware of a breach). It is also vital for a C-level executive such as the CEO or CIO to be part of this group so that the board is kept informed.
- Gather all of the information that is needed to evaluate ransom demands
A fundamental question that will need to be answered very quickly in the event of an attack is whether a ransom will be paid. To answer it, businesses need to know whether they are insured against a ransomware attack and what the policy's terms and conditions are. They also need to understand their financial exposure to the disruption, and whether it eclipses the size of the ransom. Understanding the legal implications is also critical: under US law, paying a ransom to a sanctioned person or organization can breach sanctions regulations and expose the payer to penalties or criminal proceedings. Multiple factors need to be weighed when deciding whether to pay, so those making the decision need this information at their fingertips.
Ransom demands are extremely challenging to respond to under pressure. It is therefore vital to plan the response in advance. This means deciding who will negotiate on behalf of the business, and whether that should be an internal employee or an outside negotiation expert.
Although many businesses ultimately pay up, some do not. For example, the Norwegian renewable energy company Norsk Hydro was widely praised for refusing to pay and for its swift, effective response after being hit by a major ransomware attack in 2019. Very soon after the attack, the business consulted external experts and took the decision to be completely transparent about the impact of the breach.
But the culture must be right
On its own, however, this new approach will not provide enough protection. Organizations also need to make a cultural change, and that includes the corporate leaders themselves. Cybersecurity can no longer be treated in isolation: at a minimum, the people responsible for IT security and those responsible for physical security need to work closely together.
More generally, Chief Information Security Officers are too often given a mandate to provide security but no visibility in the boardroom. Instead, they typically report to the CFO, where it is a struggle to demonstrate any return on investment. This can make it a thankless job, where success means that nothing happens. CISOs could get better at communicating their challenges, but to do that they also need an audience that is ready to listen. When cyber-risk is growing this rapidly, security must become a board-level issue.