A four pronged approach to managing cyber risk
The rising tide of cyber attacks on businesses demand that every organisation – from the small town dentist office to the multinational bank – implement an effective cyber risk management program.
Think of this program like a four-cylinder car engine. You count on all four pistons firing in order and on time to give you the power you need to drive your company. If any of those cylinders is out of sync, your whole journey will be unbalanced and underpowered. In cyber risk management, those four cylinders are:
Each one is just as important as the other, but they each pose unique obstacles in protecting your company from sophisticated, or even simple, cyber attacks.
Cylinder #1: People
If your people are too technologically dependent and your computer systems go down, they will no longer operate as efficiently as possible. People will scramble to invent ways to manually accomplish what they used to do with technology.
When the costliest cyber attack in history – a $10 billion disaster caused by a piece of malicious code called NotPetya – took down the computers of the largest shipping container company in the world, Maersk, they resorted to using pen and paper. This led to inconsistencies because their process was not standardised. Without the people cylinder firing properly, you will have a group of individuals each operating without consistency.
Erie County Medical Center in Buffalo was hit with a piece of ransomware in 2017 that wiped out their computer systems for weeks. They chose not to pay the ransom, which was the right choice, but it cost them $10 million to recover from the attack. When they recovered, they had stacks of inconsistent, manually created medical records that they had to be input into their system – all because they weren’t prepared for a cyber attack.
Cylinder #2: Process
If you don’t have robust processes documented, people won’t know how to get their work done without technology. Lack of process leads to inconsistent results during a cyber attack. Without a process, your employees only create additional problems.
With Erie County Medical Center, a lack of documented process could result inadequate care being delivered and patients getting hurt, which opens them up to lawsuits.
One way to mitigate the procedural risk of a cyber attack is to keep hard copies of your company’s procedures on hand so that you can use manual procedures at a moment’s notice, for an indefinite period. Your processes should be thorough.
In the medical facility, for example, they should have had a physical checklist to ensure the medical staff delivered the full, necessary treatments to patients.
By not providing these processes for people, you’re leaving the health of your company up to chance. In Erie County Medical Center’s case, the safest route would have been to stop seeing patients. For Maersk, it would’ve been to stop accepting new shipments. If you’re ever forced to make that choice, it will seriously harm your business.
The most reliable way to put this into practice is to go old school: keep your manual processes—with preprinted forms—in three-ring binders, and use pencils and paper.
In the case of the medical facility, one innovative thing they did was have the staff use their own phones and personal computers when the company computers went down. Normally this would increase the cyber risks they faced, but the medical center had been securely sharing its medical records with a clearinghouse, so their doctors and nurses were able to access those records securely from their personal devices.
It’s important to practice these emergency cyber attack procedures the same way you’d run a fire drill. Choose a department in your company and pretend something terrible has happened and they have to do everything off-line.
Ask them: “Can you get your work done using these alternate manual procedures?”
See what they’re able to accomplish without the aid of technology, and use that information to help build out your cyber attack processes.
Cylinder #3: Management
It is management’s responsibility to know that cyber risks exist and to create and test plans that are designed to keep the organisation running if these risks materialise. If management doesn’t create binders with preprinted forms, or cardboard cash registers, or find alternate ways to access records offline, then it’s your failure as an executive.
Management is a cylinder, but it’s also the master computer inside the car. The computer contained in every car that controls how well the engine runs can turn cylinders on and off to save fuel, and can decide what the fuel mixture should be when the engine is operating. Without that master controller—management—there is chaos and mayhem. The engine can’t run, or it runs so poorly that it damage itself.
You don’t have to be a cyber risk expert to become a good cyber risk manager. In fact, when technology fails, all the technological expertise in the world will not help you. As a leader, you have to anticipate a technology failure and run your business without it.
Cylinder #4: Technology
When I say that technology is one of the cylinders of your cyber risk management plan, I don’t mean you have to understand all of the bits and bytes of your company’s tech. Not at all. What you do have to understand is exactly how technology can fail you and how to be prepared for those failures with no advance notice.
You should focus on ensuring you have a reasonable cybersecurity framework so that you can identify the major risks to your digital assets. Prevention is important, but in case something bad does happen, you need to detect the compromise, respond to it, and recover as quickly as possible. That is what you need to be focused on with regard to technology, rather than becoming an expert in technology itself.
Kip Boyle is founder and CEO of Cyber Risk Opportunities, an expert on cyber risk management, and author of Fire Doesn’t Innovate . This article is adapted from his book.