The following is adapted from Fire Doesn’t Innovate.
The rising tide of cyberattacks on businesses demands that every organization – from the small-town dentist's office to the multinational bank – implement an effective cyber risk management program. Think of this program like a four-cylinder car engine.
You count on all four pistons firing in order and on time to give you the power you need to drive your company. If any of those cylinders is out of sync, your whole journey will be unbalanced and underpowered. In cyber risk management, those four cylinders are:
- People
- Process
- Management
- Technology
Each one is just as important as the other, but they each pose unique obstacles in protecting your company from sophisticated, and even simple, cyberattacks.
Cylinder #1: People
If your people are too dependent on technology and your computer systems go down, they will no longer operate efficiently. People will scramble to invent ways to manually accomplish what they used to do with technology.
When the costliest cyberattack in history – a $10 billion disaster caused by a piece of malicious code called NotPetya – took down the computers of the largest shipping container company in the world, Maersk, they resorted to using pen and paper. This led to inconsistencies because their process was not standardized. Without the people cylinder firing properly, you will have a group of individuals each operating without consistency.
Erie County Medical Center in Buffalo was hit with a piece of ransomware in 2017 that wiped out its computer systems for weeks. They chose not to pay the ransom, which was the right choice, but it cost them $10 million to recover from the attack. When they recovered, they had stacks of inconsistent, manually created medical records that had to be input into their system – all because they weren't prepared for a cyberattack.
Cylinder #2: Process
If you don’t have robust processes documented, people won’t know how to get their work done without technology. Lack of process leads to inconsistent results during a cyberattack. Without a process, your employees only create additional problems.
At Erie County Medical Center, a lack of documented process could have resulted in inadequate care being delivered and patients getting hurt, which would have exposed the hospital to lawsuits.
One way to mitigate the procedural risk of a cyberattack is to keep hard copies of your company’s procedures on hand so that you can use manual procedures at a moment’s notice, for an indefinite period. Your processes should be thorough.
In the medical facility, for example, they should have had a physical checklist to ensure the medical staff delivered the full, necessary treatments to patients.
By not providing these processes for people, you’re leaving the health of your company up to chance. In Erie County Medical Center’s case, the safest route would have been to stop seeing patients. For Maersk, it would’ve been to stop accepting new shipments. If you’re ever forced to make that choice, it will seriously harm your business.
The most reliable way to put this into practice is to go old school: keep your manual processes—with preprinted forms—in three-ring binders, and use pencils and paper.
In the case of the medical facility, one innovative thing they did was have the staff use their own phones and personal computers when the company computers went down. Normally this would increase the cyber risks they faced, but the medical center had been securely sharing its medical records with a clearinghouse, so their doctors and nurses were able to access those records securely from their personal devices.
It’s important to practice these emergency cyberattack procedures the same way you’d run a fire drill. Choose a department in your company and pretend something terrible has happened and they have to do everything off-line.
Ask them: “Can you get your work done using these alternate manual procedures?”
See what they’re able to accomplish without the aid of technology, and use that information to help build out your cyberattack processes.
Cylinder #3: Management
It is management’s responsibility to know that cyber risks exist and to create and test plans that are designed to keep the organization running if these risks materialize. If management doesn’t create binders with preprinted forms, or cardboard cash registers, or find alternate ways to access records offline, then it’s your failure as an executive.
Management is a cylinder, but it's also the master computer inside the car. The engine control computer in every modern car governs how well the engine runs: it can turn cylinders on and off to save fuel, and it decides what the fuel mixture should be while the engine is operating. Without that master controller—management—there is chaos and mayhem. The engine can't run, or it runs so poorly that it damages itself.
You don’t have to be a cyber risk expert to become a good cyber risk manager. In fact, when technology fails, all the technological expertise in the world will not help you. As a leader, you have to anticipate a technology failure and run your business without it.
Cylinder #4: Technology
When I say that technology is one of the cylinders of your cyber risk management plan, I don’t mean you have to understand all of the bits and bytes of your company’s tech. Not at all. What you do have to understand is exactly how technology can fail you and how to be prepared for those failures with no advance notice.
You should focus on ensuring you have a reasonable cybersecurity framework so that you can identify the major risks to your digital assets. Prevention is important, but in case something bad does happen, you need to detect the compromise, respond to it, and recover as quickly as possible. That is what you need to be focused on with regard to technology, rather than becoming an expert in technology itself.
For more advice on cyber risk management, you can find Fire Doesn’t Innovate on Amazon.
Kip Boyle is founder and CEO of Cyber Risk Opportunities, whose mission is to enable executives to become more proficient cyber risk managers. His customers have included the U.S. Federal Reserve Bank, Boeing, Visa, Intuit, Mitsubishi, DuPont, and many others. A cybersecurity expert since 1992, he was previously the director of wide area network security for the Air Force’s F-22 Raptor program and a senior consultant for Stanford Research Institute (SRI).