As European businesses and regulators struggle to understand the fallout from the recent slate of ransomware attacks1, the global business community is asking fundamental questions about how organisations, particularly large organisations with complex IT requirements, manage their cyber risk.
If we cast our minds back to the WannaCry attacks, many of the organisations impacted were vulnerable because they were running an outdated, unpatched operating system. Notably, hospitals under the UK's NHS were in this group, with crippling ramifications for patients and those seeking medical care2.
While these organisations were aware that there was a risk in maintaining an outdated operating system, critically, they did not understand the extent of that risk. According to cybersecurity expert David Simpson of CQR Consulting, the organisations in question “accepted the risks without understanding the real consequences”. This highlights a fundamental challenge when it comes to cybersecurity - if you don't have enough understanding of the risk in question, how can you make a good risk choice?
The area of cybersecurity is often plagued by a lack of understanding, unclear technical jargon and in some cases wilful ignorance, along the lines of “that will happen to some other company, we have a firewall”. A recent Minter Ellison report showed that 22% of respondents in their Board Survey considered their Board to be 'not at all' informed and kept apprised of cyber risk issues3. With all this uncertainty, too often cybersecurity is relegated to the IT department without the buy-in and understanding required from leadership and the wider organisation.
This lack of buy-in and training organisation-wide presents an issue when we consider the case of WannaCry, or any spear phishing or ransomware attack, in which every user plays a role in making a good risk choice. Too often, leadership teams look for a 'silver bullet' technology solution to prevent cyberattacks without a real commitment to embed information security into processes and organisational culture. Dante Disparte and Chris Furlow, writing in the Harvard Business Review, said that “spending millions on security technology can certainly make an executive feel safe. But the major sources of cyber threats aren't technological. They're found in the human brain in the form of curiosity, ignorance, apathy, and hubris”4.
So, what can organisations do right now to begin to address cyber risk? David Simpson makes the following recommendations:
- Start to understand your technology risk and your exposure areas. This is particularly true when it comes to aging infrastructure: knowing which systems are out of support, and keeping the rest patched, is how you maintain your defences. David's recommendation is that “if you don't understand your risks you can't manage them”.
- Risks require active and ongoing management. For some organisations risk management starts and ends at the identification of a risk. The concern is added to the risk register and promptly forgotten about. David emphasises the need for proactive management of risk, as well as verifying that your controls are actually effective. David comments that “we don't live in a static world, all of the benefits of technology come with risk.”
- A layered approach to cyber risk is essential. Prevention is not the only answer. Regardless of the type of attack, for many organisations having a cyber incident is not about 'if', but 'when'. David says that for most organisations “you're in the situation that a breach has already happened, you just don't know it yet.” David stresses that “you cannot assume your preventative controls will save you. It's crucial to understand that the faster you can detect and manage an attack, the more you will be able to mitigate the fallout of a breach”.
1 Source: The Verge, “A new ransomware attack is infecting airlines, banks, and utilities across Europe”, https://www.theverge.com/2017/6/27/15879480/petrwrap-virus-ukraine-ransomware-attack-europe-wannacry, 27 June 2017
2 Source: The Telegraph UK, “Cyber attack: NHS ordered to upgrade outdated systems as disruption continues”, http://www.telegraph.co.uk/news/2017/05/15/cyber-attack-nhs-ordered-upgrade-outdated-systems-disruption/, 15 May 2017
3 Source: Minter Ellison, “Report: Perspectives on Cyber Risk”, http://www.minterellison.com/files/uploads/Documents/Publications/Reports%20Guides/RG_2016_Cyber-Report.pdf, January 2016
4 Source: Harvard Business Review, “The Best Cybersecurity Investment You Can Make Is Better Training”, https://hbr.org/2017/05/the-best-cybersecurity-investment-you-can-make-is-better-training, 16 May 2017