What reaction do you have when you hear current or prospective clients say ‘just tell me what to do’ when discussing cyber security? It should be a warning sign – but perhaps for reasons you might not expect. Whatever the reason (some of which we explore below), it is important to take them seriously – and to recognise that clients’ understanding and tolerance of cyber risk will vary considerably.
It’s a corporate problem
It is easy for cyber security practitioners to forget that clients may not understand all the intricacies of cyber security. Securing investment for cyber risk remediation is often very difficult, particularly when margins are tight and company executives think that cyber is an IT rather than a business problem.
And while we may want our clients to do everything in their power to combat the cyber threat, they will most likely want to take only a few steps at a time.
Recent changes in regulation, and the gradual march of cyber responsibility up to Board-level, may provide the necessary additional external pressure to free the resources required to manage cyber risks appropriately. But there is never a right amount of investment – and what is invested, if done poorly, will not mitigate key risks effectively. Retro-fitting existing systems is costly and may have knock-on effects for functionality and efficiency.
Risk management: my risk management is your opportunity to blame me for not preventing a breach
Governments are taking an increasingly hard line in requiring organisations providing critical infrastructure – or those providing products and services to critical infrastructure – to assess their cyber controls against NIST or other frameworks and to take remedial action. National authorities in the UK and EU have the power to fine organisations up to 2% of turnover for failure to report an incident quickly, or for handling an incident particularly badly. National authorities are trying hard not to tell organisations what to do, as this would push significant risk back on to governments; instead they prefer to encourage key companies and organisations to ‘do the right thing’. It remains to be seen whether governments will deploy heavier and more intrusive sticks to get companies to do the right things – and do them well.
Despite all this encouragement there is still evidence of organisations demonstrating risky behaviours, for example running key applications on out-of-date machines, or running out-of-date software, which effectively pushes them out of any warranty from their supplier. The reasons for these are legion and the implications potentially stark: attackers rely on poor implementations to gain access to key data. And while zero-day exploits may legitimately be difficult to defend against, it is hard to explain why other, known vulnerabilities have not been addressed.
A challenge to risk management orthodoxy is that it is the system owner’s call if they want to run out-of-date software or machines. This may not be a big issue if the system is segregated off the network behind its own firewall, but it cannot be assumed that these defensive actions are taken routinely. In such cases the risks being (tacitly) accepted by the organisation may be significantly higher than what is recorded on the risk register.
If I cannot build a wall high enough, what do I do then?
The regulations recognise that an organisation cannot operate at zero risk. Yet there is little guidance on what is an appropriate level of residual risk – and the application of 20/20 regulatory hindsight in the event of a breach likely means that any breach will be judged to have been preventable, and that falling victim to a breach, risk-managed or otherwise, is unacceptable. Published statements about risk appetite are often at variance with the realities of stakeholder risk tolerance – it is fine to take the dividends when things are going well, but in the event of a breach the company will be criticised for not investing enough in protecting its critical systems.
It is not sensible to think that your organisation will not be successfully attacked: your firewalls and users will be attracting spam and phishing attempts from the moment they go online. While you cannot stop the threats, you can do something about the vulnerabilities. To withstand the glare of forensic hindsight, it is vital that companies have documentary evidence of the steps they have taken to reduce the impact of a cyber-attack as far as is reasonably practicable. It is important for companies to understand which systems and services are critical for their business, and the steps they will need to take to minimise the impact of a successful attack on those critical systems. Being able to respond effectively and recover quickly are critical success factors. The solution does not need to be elegant – it needs to be good enough to weather the storm.
So what do I need to do then?
The first thing is not to panic.
Secondly, you need to get an understanding from the Board and the divisions of what matters most to them: which systems they most critically depend upon, and the impacts that failures in those systems could generate. You also need to ensure that the company leadership recognise that cyber risk is a risk that should matter to them as a Board, and also personally.
Third, you need to work with your external advisers and suppliers to ensure they and you are on the same page – whether they are systems integrators, network providers or outsourced SOC providers, you need to understand what you can rely on if things go wrong. Seek advice from your government about best practices and the extent to which it can provide you with help and support.
Fourth, you need an agreed plan in place to deal with any contingencies, developed together with your people and strategic partners.
Taking a programmatic approach to cyber is fine, so long as you have the resources available to provide early surge support in the event of an incident. Ensure you know what your providers will do in the event of an incident. And repeat the mantra to the Board that their leadership is critical, their attention welcome and their participation mandatory.
It is our role as advisers and supporters of companies working in critical infrastructure to give our customers the best support possible to help them understand the choices they face. Neither we nor they can see the future. But we can help protect what really matters, and plan for events. Cyber risk is often hard to define. But it is manageable.