Here, Dr Sandra Bell discusses organisational cyber resilience and why the human factor is so crucial
The academic and industry literature is full of extremely useful research, insights and advice on how people interface with security technology and how that interaction can be enhanced to reduce the chance of a malicious attack.
However, the role of the human in enhancing the overall organisational cyber resilience of an entity operating within an environment where the cyber risks of any type are high is discussed much less.
Clearly, stopping the risk at source with technological measures such as security to prevent anything malicious penetrating the organisations IT systems and fool-proof systems that work first time every time is the ideal. But no security is 100% effective, threats frequently emanate from within an organisation and, whilst malicious attacks dominate the news, other, more mundane, IT issues such as hardware failures, network outages and user error are far more common and often cause a similar disruptive impact on an organisation.
An organisation, therefore, needs to be able to function despite glitches, attacks, accidents and disasters with its IT systems. A well designed and maintained Business Continuity and Disaster Recovery capability will interface with security measures to ensure that the organisation “survives” such disruption by enabling operations to continue to produce critical products and services at a predefined level and return to business as usual as fast as possible. But other skills, capabilities and behaviours are required for the organisation as a whole to “thrive” despite cyber risk.
This paper looks at two of the most common human behavioural mistakes and suggests ways to overcome them.
Underestimating the enemy
Any corporate strategist or military general will tell you that the fasted way to lose a battle is by failing to understand, and match, what you are up against. Whilst, script kiddies who are trying to impress their social circles can still wreak havoc, the main malicious threats to business are now skilled business people whose general aim is to profit from exploitative attacks.
As opposed to armies fighting over territory or corporate giants fighting over market share, the new battleground is “information” where professional cyber criminals battle to gain information that has the potential to earn them substantial profits.
Although, it has long been known that there exists a certain level of organisation with cyber criminality, recent actor profiling on the dark web has shown that a clear value chain exists for exploitative attacks such as ransomware. The actors within the cybercrime economy generally fulfil roles that are similar to those in a conventional organisational value chain.
For example a typical “cyber organisation” will include: Vulnerability Researchers who search for zero-day vulnerabilities and sell the information to Malware Authors who can write exploit code; Malware Vendors and Distributors who buy and sell ransomware in marketplaces; Website Crackers and Designers who recreate websites that look authentic to the user and could act as a trap; and Money Mules who steal identities from individuals and sets up intermediary bank accounts that they offer to vendors to stores ransom funds.
These “cyber organisations” operate in much the same way as a conventional organisation looking at markets and deciding their attack strategy based on costs as well as their strengths, e.g. the encryption algorithm employed, their reputation, partnership opportunities etc., and the potential targets weaknesses that are meticulously researched and tested.
The average boardroom is supremely occupied with identifying, analysing and creating corporate strategies to stave off legitimate competition. However, most organisations seem to have a blind spot when it comes to “illegal” competition and attempt to enter the information battleground not with a fully resourced and trained army but with a couple of foot soldiers armed with bayonets.
The cyber economy has reached the scale and sophistication that it is dangerous not to analyse the illegal cyber organisations that are competing for your information in the same way as you would a new market entrant. Likewise, it is no longer effective to pursue a defence only strategy that focuses on an insular understanding of your organisation but now necessary to be prepared to create opportunities to defeat them through strategy.
Misjudging the effect of gossip
It is an extremely rare news day when some organisation or another is not publicly exposed for losing personal data. Most executives will emit a sigh of relief that it is not them. Some will immediately take action to find out if their organisation is also at risk and rush through security measures. Others will bury their heads in the sand confident that it will never happen to them. But a small proportion will seek to capitalise on their competitor’s misfortune.
This may seem harsh, but business is business, and if a customer is unable to find what they need from their normal source there is nothing inherently wrong with positioning yourself favourably for when the customer looks elsewhere.
The problem, however, that a data loss obeys “Gossip Theory” which means that not only is it not possible to capitalise on your competitor’s misfortune the whole industry, including you, is very likely to be disadvantaged financially.
Gossip is defined as “the unsanctioned transmissions of personal information about a vulnerable third party” – which is exactly what happens when an organisation that you trusted suffers a data breach and your personal data, name address, bank account details and passwords etc., are released without your knowledge or control to a malicious third party.
The typical reactions to learning that you are being gossiped about are feelings of betrayal and violation accompanied by loss of trust in “all” the holders of your personal information – not just the one that gossiped. It is also typical to vocalise these feelings leading to others to also start to distrust the type of people who hold such information.
In the case of a data breach, such word of mouth effects can be extremely damaging to the bottom line but are relatively easy to counteract with data policies that emphasise transparency and control. For example, Martin, Borah & Palmatier, calculated that if Citigroup had had such a privacy policy in place at the time of their recent data breaches their losses could have been reduced dramatically, via organisational cyber resilience.
In summary
Organisations have got quite good at “surviving” operational disruptions by employing business continuity and disaster recovery capabilities. Likewise, they have become fairly proficient at preventing the likelihood of cyber-attacks with security measures. However, information is now arguably the new corporate battleground and competitors, who are often are illegal, are upping their game.
The impact of a successful cyber-attack is now very rarely simply an operational disruption but a full-blown strategic shockwave impacting not simply the organisational cyber resilience in question but the whole industry that surrounds it.
However, there are some simple behavioural changes that an organisation can take right now that will minimise both the impact and likelihood of an attack.
Dr Sandra Bell, Head of Resilience Consulting, Sungard Availability Services.