This article was first published by Oliver Wyman.
After two years of battling the coronavirus, many health experts believe the crisis will recede only when COVID-19 becomes endemic. In other words, we can’t eliminate the virus, but we can hope to reduce its impact to that of a manageable disease like the flu.
That’s the way public- and private-sector leaders should address the wave of cyberattacks plaguing our societies. In the past year, the US government and corporations have scrambled to contain the damage from the hack of network management software provider SolarWinds, which compromised nine federal agencies and dozens of companies. In the same period, ransomware attacks increased in frequency and severity, and disrupted operations at a major US fuel pipeline and meat processor; and a vulnerability in a widely used piece of open-source software left thousands of companies – including providers of software as a service and cloud services – open to attack.
The ever-increasing spread of technology and connectedness in our economies and societies makes the risk of a cyber incident a question of when, not if. Across the planet, a ransomware attack hits a business, government agency, hospital, school, tech service provider, or other entity every 11 seconds. Fortunately, we’ve learned enough to know what the playbook for good cybersecurity looks like today, and how that can reduce the threat to a manageable level. And there is a strong push coming from regulatory and market forces spurring everyone to up their cyber game.
The executive order on cybersecurity issued by President Joe Biden in May 2021 has elevated the issue across the US economy by setting clear standards and targets for the federal government, and requiring companies doing business with the government to meet those standards. The order embraces Zero Trust Architecture, which designs procedures on the assumption that attackers already may be present in computer networks. It aims to improve supply-chain security through measures like providing buyers with a software bill of materials detailing product components. And it standardizes the government’s playbook for responding to attacks. In the near future, the European Union aims to enact a Digital Operational Resilience Act that would require financial institutions to meet new standards for cyber risk management, testing, incident reporting, and disaster recovery.
Commercial pressures are reinforcing those regulatory moves. Cybersecurity insurance rates more than doubled, on average, in the first nine months of 2021, according to Marsh, and insurers increasingly are demanding that companies meet higher standards in order to obtain coverage, including such steps as requiring multifactor authentication for remote computer access and having secured, encrypted, and tested backups in place.
There remains a lot to get done, and organizations should take four broad steps to gird themselves against this technological scourge.
Mobilize the Entire Organization
The days of treating the Chief Information Security Officer’s team like they are the fire department for cybersecurity and incident response are long gone. The risks are so great, ranging from ransomware to intellectual property theft to systemic attacks from state-sponsored actors, that they demand the attention of the CEO and senior management as well as close Board oversight. Arguably, cyber is like climate change: You can’t wait to address the risks until floods, landslides, or wildfires are disrupting your professional life and the way you, your team, and employees work.
Leaders also need to create and sustain a strong cyber culture across the organization, enlisting everybody in the associated vigilance and defense, and, when needed, response effort. Management needs to set the tone from the top about the importance of cybersecurity as a competitive differentiator – a mark of “how things get done around here.” This involves having a clear and current understanding of threats, conducting regular exercises accordingly, then sharing insights regarding response performance and lessons learned. Executives need to ensure that good cyber practices are instilled, sustained, and rewarded across the workforce, at all career stages. They also should create mechanisms for workers to raise any cyber concerns or vulnerability observations and give positive recognition to those that do so. Critically, in case of an attack, the organization needs to be able to rapidly and effectively explore the root causes of how and why the attack was impactful – without getting into a blame game – and then distill the postmortem findings into positive action plans. These steps make a big difference. They can be measured, and leaders need to make sure someone is keeping score.
Set Clear Priorities to Buy Down Cyber Risk
Like any risk, the threat of cyberattack needs to be managed. That starts with assessing an organization’s greatest points of vulnerability and its most valuable assets, and then prioritizing defensive efforts accordingly.
Mission-critical functions need to get the greatest attention and best defense. Companies can transition to biometrics-based access control capabilities to significantly reduce the potential of cyberattacks enabled by compromised passwords. Cyber vaults can preserve immutable copies of essential data or apps and enable companies to minimize the disruption, downtime, and cost of a ransomware attack. The return on any particular investment will vary depending on an organization’s mix of legacy and new technology, the balance of domestic and international operations, the spectrum of third parties, and other factors. Firms need to focus on taking practical yet strategically significant steps to buy down cyber risk.
No organization can address every potential vulnerability at once, and as the industry continues to suffer from a shortage of cybersecurity professionals, covering all the bases is that much harder. But that’s all the more reason to have a clear plan, and to review and update it regularly.
Test Your Response Capabilities and Find Weaknesses
In a “when, not if” world, every organization needs to have practical, proven, and up-to-date playbooks that will work as expected. In the case of ransomware, for instance, management needs to have thought through whether, or in what circumstances, they would pay a ransom. And if the answer is yes, they should know how they would obtain the demanded cryptocurrency, what prudent legal steps to take, and how to communicate internally and externally. This is not a solo sport. Organizations need to involve suppliers, Information Sharing and Analysis Centers (ISACs) or other industry associations, law enforcement, and independent advisors in their exercises, and learn, share best practices, and build muscle memory for when a real incident or crisis occurs.
Firms also need to have tested plans in place to restore computer services in an agile way. The inability to access data, communicate with staff and clients, and even keep the company website up can impose huge costs on an organization. The average time taken for companies to restore normal service after an attack rose 16% in the third quarter of 2021 from a year earlier, to 22 days.
Engage With Suppliers and Bring Them Inside Your Circle of Trust
No organization is a cyber island. Extensive interconnected supply chains give bad actors more ways to compromise networks, and the recently discovered vulnerability in a ubiquitous piece of open-source software, Log4j, has put even technology giants at risk.
Given that supply chains are only as strong as their weakest link, companies need to screen suppliers rigorously, ensure their cyber defenses are sufficient, and confirm that the suppliers themselves know what to do when the worst happens. Organizations also need to scan for vulnerabilities deep in their software supply chains. This work is as painstaking as it is essential; many widely used software products contain code that is years if not decades old. Most importantly, there need to be proven, tested, and well-understood playbooks in place, ready for when a supply chain is compromised, so that all participants know what they will do, how they will communicate, and how they will recover together in a sufficiently clean and orderly manner.
This cyber agenda demands real effort and commitment. It’s also open-ended: No one will be able to say they have solved for cybersecurity.
Yet, one thing is certain: To quote Benjamin Franklin, by failing to prepare you are preparing to fail.